golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License

x/build/kubernetes/gke: use non-deprecated auth #19651

Open quentinmit opened 7 years ago

quentinmit commented 7 years ago

We're currently using clusters.list to get the certificate pair used to authenticate to the Kubernetes API. This is deprecated (and very confusing to set up in a new project). The docs say we should switch to just using OAuth directly with the API (which has the advantage that we don't need to also grant the coordinator permission to create new clusters).

/cc @bradfitz

bradfitz commented 7 years ago

Where are the deprecation docs?

Did it already stop working in a certain GKE release? Were you playing with GKE 1.6.x or GKE 1.5?

quentinmit commented 7 years ago

> Where are the deprecation docs?

I found this out at https://cloud.google.com/container-engine/docs/iam-integration#authentication_modes

I don't see any announcement... they have just started calling it "the legacy cluster certificate" in docs and have started restricting access to it (see below).

> Did it already stop working in a certain GKE release? Were you playing with GKE 1.6.x or GKE 1.5?

It doesn't break any of our existing deployments. This was changed in GKE 1.3. When I created a new service account for development, I discovered that the roles/container.developer role ("Full access to Kubernetes API objects inside Container Clusters.") did not allow the coordinator to talk to Kubernetes. This is because the certificate pair is not exposed to that role (nor is it even exposed to the container.clusterAdmin role). The legacy compute engine default service account is not restricted by IAM roles, so it will continue to work as long as we use it for the farmer VM (or they deprecate harder).
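The switch discussed in this issue (authenticating to the Kubernetes API with an OAuth bearer token plus the cluster CA, instead of the certificate pair pulled from clusters.list), as an added example in Go that is not x/build's own code. It uses only the standard library, so TokenSource is a stand-in for oauth2.TokenSource and StaticToken / NewKubeClient / bearerTransport are assumed names; in practice the token source would be google.DefaultTokenSource with the cloud-platform scope and the CA string would be the container API's MasterAuth.ClusterCaCertificate.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"net/http"
)

// TokenSource mirrors the shape of oauth2.TokenSource so the example stays
// standard-library only; real callers pass google.DefaultTokenSource (assumed).
type TokenSource interface {
	Token() (string, error)
}

// StaticToken is a fixed access token for tests and local runs (assumed name).
type StaticToken string
func (s StaticToken) Token() (string, error) { return string(s), nil }

// bearerTransport attaches a fresh OAuth access token to every request, so the
// legacy clusters.list client certificate pair is never needed.
type bearerTransport struct {
	base http.RoundTripper
	ts   TokenSource
}

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	tok, err := t.ts.Token()
	if err != nil {
		return nil, err
	}
	r := req.Clone(req.Context()) // never mutate the caller's request
	r.Header.Set("Authorization", "Bearer "+tok)
	return t.base.RoundTrip(r)
}

// NewKubeClient trusts only the cluster CA (GKE's base64-encoded
// MasterAuth.ClusterCaCertificate PEM) and authenticates with bearer tokens.
func NewKubeClient(caCertB64 string, ts TokenSource) (*http.Client, error) {
	pemBytes, err := base64.StdEncoding.DecodeString(caCertB64)
	if err != nil {
		return nil, errors.New("decode cluster CA: " + err.Error())
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, errors.New("cluster CA is not a valid PEM certificate")
	}
	base := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	return &http.Client{Transport: &bearerTransport{base: base, ts: ts}}, nil
}
```

Because the client pins RootCAs to the cluster CA and sends only a bearer token, a service account needs just a role that grants Kubernetes API access, not the ability to read the legacy certificate via clusters.list.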