Deprecate azure and gcp in-tree auth plugins#102181
Conversation
There was a problem hiding this comment.
We should hold off on this until we have an alternative. This is not currently actionable. Can we add this to release notes instead?
There was a problem hiding this comment.
I would prefer to have the warning where an end-user would actually see it. Perhaps GCP can make a documentation page that we can link to? Then you can update the documentation page with details when it becomes actionable.
Also GCP has had years of runway to migrate away from this. This should be no surprise. It is time (technically in August).
There was a problem hiding this comment.
Moved to a .V(1) to limit unactionable warning.
There was a problem hiding this comment.
Opened #103499 to track moving this back to a Warningf by 1.24 at the latest.
c2bf4dd to
6bc9c85
Compare
There was a problem hiding this comment.
@mikedanese are you happy with this verbiage?
There was a problem hiding this comment.
I'll defer to mike on content, but I'd suggest a single line if possible
There was a problem hiding this comment.
also, in other deprecation warnings, we've included the "from" version and the targeted removal version, e.g.
WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.25+; use ___ instead
There was a problem hiding this comment.
I'll defer to mike on content, but I'd suggest a single line if possible
The docs link forced me to use multiple lines to keep the length sane.
Updated to include the from and target versions.
|
/hold (until PR to make client-go exec plugin officially GA is merged) |
There was a problem hiding this comment.
Is there going to be some kind of process in place to ensure this happens? Otherwise is there anything programatic we could do to query the version at runtime and update the error?
Also it seems slightly risky to explicitly communicate the exact version it is being disabled. What if there is a lot of pushback at depreciation and its replacement and we need a few extra release cycles to hammer out those concerns?
There was a problem hiding this comment.
Is there going to be some kind of process in place to ensure this happens?
I'd expect a milestoned issue
Also it seems slightly risky to explicitly communicate the exact version it is being disabled. What if there is a lot of pushback at depreciation and its replacement and we need a few extra release cycles to hammer out those concerns?
This won't merge until the client-go exec plugin GA merges. That is the target for any issues or concerns. Once that is released as GA, setting a definite removal version for the other auth plugins is reasonable.
There was a problem hiding this comment.
As a casual/novice Kubectl user kubectl/client-go doesn't seem very actionable to me (as opposed to Azure's login thing getting an entire URL). Is it a directory? Or package? Or Repo? I would prefer a more actionable link where I can learn how to use kubectl/client-go.
There was a problem hiding this comment.
suggestions for alternative links are welcome
There was a problem hiding this comment.
Added a link to the credential plugin docs.
7de8836 to
74e5ca1
Compare
|
/retest |
There was a problem hiding this comment.
can we shrink to two lines instead of four?
WARNING: the azure auth plugin is deprecated in v1.22+, unavailable in v1.25+; use https://github.com/Azure/kubelogin instead.
To learn more, consult https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins
There was a problem hiding this comment.
should this get the same V(1) treatment and move to a Warningf in 1.24?
There was a problem hiding this comment.
74e5ca1 to
0c72fef
Compare
/hold cancel #102890 has merged. |
With the client-go credential plugin functionality going GA in 1.22, it is now time to deprecate these legacy integrations. Signed-off-by: Monis Khan <mok@vmware.com>
0c72fef to
6bfaeaf
Compare
|
@enj: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: enj, liggitt The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
As a user reading the release notes, I am still not quite sure what I am expected to do to authenticate with GCP now. I hope it will not require the 1gb+ (and 10x slower in our tests) gcloud command just to connect to a GCP cluster? |
|
@howardjohn I observe that the (now deprecated) |
I suggest reaching out to GKE support. GKE will need to provide some binary to fetch credentials. Whether that is the |
|
So when I distribute my k8s controller (which needs to authenticate with all platforms) and stick it on a distroless image, it's not going to work anymore? I need to somehow find a magic binary for gke (and aks, eks,....), get them in the docker image, manage the versions, etc? I very much hope I misunderstand this change - this seems like a very hostile change for users if not. |
No, your controller would run as a Kubernetes service account via the in cluster config credentials provided uniformally across all clusters by the Kubelet. This is the standard way all controllers obtain an identity on Kubernetes. The various controller frameworks do this automatically.
This change pertains to human users obtaining proprietary credentials that are specific to their Kubernetes distribution. We are replacing the use of a proprietary SDK with a proper extension point. |
|
@enj how can I hide this warning when using kubectl? |
Follow the directions to migrate to the replacement client-go credential plugin. |
I did. But it's still showing. My GKE cluster is on 1.21.11. My kubectl is on 1.24.2. |
Deprecate azure and gcp in-tree auth plugins
With the client-go credential plugin functionality going GA in 1.22,
it is now time to deprecate these legacy integrations.
Signed-off-by: Monis Khan mok@vmware.com
/kind cleanup
/kind deprecation
/sig auth
/priority important-soon
/triage accepted
/milestone v1.22
@kubernetes/sig-auth-pr-reviews
/assign @ritazh @mikedanese @cjcullen @ankeesler @liggitt