search

danielfoehrKn / kubeswitch

The kubectx for operators.
https://danielfoehrkn.medium.com/the-case-of-kubeswitch-aff4b6a04ae7
Apache License 2.0
832 stars 80 forks source link

GKE Store: Generate correct kubeconfig for k8s > 1.25.0 #37

Closed danielfoehrKn closed 11 months ago

danielfoehrKn commented 2 years ago

Today, when using the kubeconfig generated by kubeswitch with kubectl > 1.22, we get the following warning

WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.25+; use gcloud instead.
To learn more, consult https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke

Please see here for more information.

Currently, the user section of the kubeconfig is generated like so:

users:
- name: gke_dev-garden-gcp
  user:
    auth-provider:
      config:
        access-token: <token>
        cmd-args: config config-helper --format=json
        cmd-path: /usr/local/bin/gcloud
        expiry: "2022-05-17T09:39:22Z"
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp

in the future it should look like so

users:
- name: NEW-CONFIG
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: gke-gcloud-auth-plugin
      installHint: Install gke-gcloud-auth-plugin for use with kubectl by following
        https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
      provideClusterInfo: true
gdubicki commented 1 year ago

This change has been postponed to apply only for k8s v1.26, not v1.25, but it would be great to get this implemented sooner rather than later.

Is the gke-gcloud-auth-plugin backward compatible? What I mean is: would it be safe to just make kubeswitch convert all existing configs to the new format?

lfrancke commented 1 year ago

This is now in effect for 1.26 clusters at least. It's causing GKE commands to fail.

Similar to https://github.com/danielfoehrKn/kubeswitch/issues/67 I'm happy to offer a "bounty" of 50€ for anyone tackling this as an additional incentive.

lfrancke commented 11 months ago

Thank you @gjariv I've reached out via mail about the "bounty" if you're interested.

gjariv commented 11 months ago

No thanks, appreciate it, but just happy to help and unblock people

lfrancke commented 11 months ago

Thank you very much! That, you did.