Automatic merge from submit-queue (batch tested with PRs 58903, 58141, 58900). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

auth/gcp: configurable scopes for gcp default credentials

**What this PR does / why we need it**:

- add `config.scopes` field comma-separated scope URLs, to be used with Google Application Default Credentials (i.e. GOOGLE_APPLICATION_CREDENTIALS env)
- users now should be able to set a gserviceaccount key in GOOGLE_APPLICATION_CREDENTIALS env, craft a kubeconfig file with GKE master IP+CA cert and should be able to authenticate to GKE in headless mode _without requiring gcloud_ CLI, and they can now use the email address of the gserviceaccount in RBAC role bindings and _not use Google Cloud IAM at all._
- gcp default scopes now include userinfo.email scope, so authenticating to GKE using gserviceaccount keys can now be done without gcloud as well.
- since userinfo.email scope is now a default, users who have existing RBAC bindings that use numeric uniqueID of the gserviceaccount will be broken (this behavior was never documented/guaranteed). from now on email address of the service account should be used as the subject in RBAC Role Bindings.

**Release note**:

```release-note
Google Cloud Service Account email addresses can now be used in RBAC Role bindings since the default scopes now include the "userinfo.email" scope. This is a breaking change if the numeric uniqueIDs of the Google service accounts were being used in RBAC role bindings. The behavior can be overridden by explicitly specifying the scope values as comma-separated string in the "users[*].config.scopes" field in the KUBECONFIG file.
```

/assign @cjcullen

/sig gcp
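A migration check for the breaking change described in the commit message above, written for this page as an added example and not taken from the PR or from client-go. It assumes the default scope list shown, a flattened `Subject` type (hypothetical), and that a service account is recognised by a `.gserviceaccount.com` email suffix; it flags RBAC `User` subjects whose name form will not match the identity presented with the effective scopes.

```go
package main

import (
	"fmt"
	"strings"
)

// Scope URL for the "userinfo.email" scope named in the commit message.
const emailScope = "https://www.googleapis.com/auth/userinfo.email"
// Assumed defaults: the message only states that they include userinfo.email.
const defaultScopes = "https://www.googleapis.com/auth/cloud-platform," + emailScope

// Subject is a hypothetical, flattened view of one RBAC binding subject.
type Subject struct{ Binding, Kind, Name string }

// effectiveScopes parses the comma-separated "scopes" value; the defaults apply when the key is absent.
func effectiveScopes(cfg map[string]string) map[string]bool {
	raw, ok := cfg["scopes"]
	if !ok {
		raw = defaultScopes
	}
	set := map[string]bool{}
	for _, s := range strings.Split(raw, ",") {
		if s = strings.TrimSpace(s); s != "" {
			set[s] = true
		}
	}
	return set
}

// staleSubjects lists User subjects whose name form cannot match the identity sent with these scopes.
func staleSubjects(scopes map[string]bool, subjects []Subject) []Subject {
	email := scopes[emailScope]
	var stale []Subject
	for _, s := range subjects {
		numeric := s.Name != "" && strings.Trim(s.Name, "0123456789") == "" // uniqueID shape
		saEmail := strings.HasSuffix(s.Name, ".gserviceaccount.com")        // assumed email shape
		if s.Kind == "User" && ((email && numeric) || (!email && saEmail)) {
			stale = append(stale, s)
		}
	}
	return stale
}

func main() { // constructed sample subject: a binding keyed on a numeric uniqueID
	subjects := []Subject{{"ci-deployer", "User", "123456789012345678901"}}
	fmt.Println(staleSubjects(effectiveScopes(map[string]string{}), subjects))
}
```

With the new defaults the numeric-ID binding is reported; with an explicit `scopes` value that omits userinfo.email, email-based bindings are reported instead.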
External Repository Staging Area
This directory is the staging area for packages that have been split to their own repository. The content here will be periodically published to respective top-level k8s.io repositories.
Repositories currently staged here:
- k8s.io/apiextensions-apiserver
- k8s.io/api
- k8s.io/apimachinery
- k8s.io/apiserver
- k8s.io/client-go
- k8s.io/kube-aggregator
- k8s.io/code-generator
- k8s.io/metrics
- k8s.io/sample-apiserver
- k8s.io/sample-controller
The code in the staging/ directory is authoritative, i.e. the only copy of the code. You can directly modify such code.
Using staged repositories from Kubernetes code
Kubernetes code uses the repositories in this directory via symlinks in the
vendor/k8s.io directory into this staging area. For example, when
Kubernetes code imports a package from the k8s.io/client-go repository, that
import is resolved to staging/src/k8s.io/client-go relative to the project
root:
```go
// pkg/example/some_code.go
package example

import (
	"k8s.io/client-go/dynamic" // resolves to staging/src/k8s.io/client-go/dynamic
)
```
Once the change-over to external repositories is complete, these repositories
will actually be vendored from k8s.io/<package-name>.