Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auth/gcp: configurable scopes for gcp default credentials #58141

Merged
merged 2 commits into from
Jan 27, 2018
Merged

auth/gcp: configurable scopes for gcp default credentials #58141

merged 2 commits into from
Jan 27, 2018

Conversation

ahmetb
Copy link
Member

@ahmetb ahmetb commented Jan 11, 2018
edited
Loading

What this PR does / why we need it:

  • add config.scopes field comma-separated scope URLs, to be used with Google
    Application Default Credentials (i.e. GOOGLE_APPLICATION_CREDENTIALS env)
  • users now should be able to set a gserviceaccount key in GOOGLE_APPLICATION_CREDENTIALS
    env, craft a kubeconfig file with GKE master IP+CA cert and should be able to authenticate
    to GKE in headless mode without requiring gcloud CLI, and they can now use the
    email address of the gserviceaccount in RBAC role bindings and not use Google Cloud IAM at all.
  • gcp default scopes now include userinfo.email scope, so authenticating to GKE
    using gserviceaccount keys can now be done without gcloud as well.
  • since userinfo.email scope is now a default, users who have existing RBAC bindings
    that use numeric uniqueID of the gserviceaccount will be broken (this behavior was
    never documented/guaranteed). from now on email address of the service account
    should be used as the subject in RBAC Role Bindings.

Release note:

Google Cloud Service Account email addresses can now be used in RBAC
Role bindings since the default scopes now include the "userinfo.email"
scope. This is a breaking change if the numeric uniqueIDs of the Google
service accounts were being used in RBAC role bindings. The behavior
can be overridden by explicitly specifying the scope values as
comma-separated string in the "users[*].config.scopes" field in the
KUBECONFIG file.

/assign @cjcullen
/sig gcp

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/gcp size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 11, 2018
@ahmetb
Copy link
Member Author

ahmetb commented Jan 12, 2018

I think type gcpAuthProvider godoc in this file needs updating to talk about this new "scopes" field.
/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 12, 2018
@ahmetb ahmetb force-pushed the configurable-scopes branch from 38a287b to 7e24f9c Compare January 18, 2018 01:16
@ahmetb
Copy link
Member Author

ahmetb commented Jan 18, 2018

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 18, 2018
@ahmetb
configurable scopes for gcp default credentials
e19dc6a 
- add config.scopes field comma-separated scope URLs, to be used with Google
  Application Default Credentials (i.e. GOOGLE_APPLICATION_CREDENTIALS env)
- default scopes now include userinfo.email scope so the headless app with
  gserviceaccount keys can have RoleBindings with email instead of account ID.

Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
@ahmetb ahmetb force-pushed the configurable-scopes branch from 7e24f9c to e19dc6a Compare January 18, 2018 01:21
@cjcullen
Copy link
Member

FYI @ericchiang
This only applies to the "old" GCP auth-provider, not the command-based one.

@cjcullen
Copy link
Member

Can you add a unittest that checks that:

  1. No scopes in the gcpConfig produces a google.TokenSource with the correct default scopes.
  2. The scopes in the gcpConfig are correctly passed into the google.TokenSource.
  3. Scopes in a gcpConfig when useCmd is true results in an error.

@ahmetb
Refactor gcp.go methods for testability, add tests
ad4fdc7 
Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jan 22, 2018
@ahmetb
Copy link
Member Author

ahmetb commented Jan 22, 2018
edited
Loading

@cjcullen Methods in gcp.go were not well testable. So I split it into multiple methods, and wrote tests for them.

Please take a look at ad4fdc7.

  1. No scopes in the gcpConfig produces a google.TokenSource with the correct default scopes.

See Test_parseScopes method.

  1. The scopes in the gcpConfig are correctly passed into the google.TokenSource.

I'm having trouble inspecting the google.TokenSource, as the method returns oauth2.reuseTokenSource which I cannot dig in without using reflection. But I'm now testing the parsing of scopes field. (see func parseScopes.)

  1. Scopes in a gcpConfig when useCmd is true results in an error.

See Test_tokenSource_cmdCannotBeUsedWithScopes method.

@cjcullen
Copy link
Member

I like the refactor.
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 25, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ahmetb, cjcullen

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 26, 2018
@ericchiang
Copy link
Contributor

/test pull-kubernetes-e2e-kops-aws

@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 58903, 58141, 58900). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 6ef0514 into kubernetes:master Jan 27, 2018
@mattnworb
Copy link
Contributor

For anyone else who finds this in the future and is confused like me as to how some gserviceaccount's can successfully be referred to in a RoleBinding before this change and some other's can't, I've traced it down to this:

if you use gcloud container clusters get-credentials to populate the KUBECONFIG with credentials related to the service account configured in gcloud, then if that service account was added to gcloud via gcloud auth activate-service-account, then the token returned by gcloud seems to already have access to the userinfo.email scope. This then allows the token passed by kubectl to a GKE cluster to have the email retrieved for it, which allows the token to be correlated to a gserviceaccount email address in your RoleBinding.

If instead the active service account in gcloud is the GCE instance's default service account, this does not have access to the userinfo.email scope, so the RoleBinding (today, before this PR) has to refer to the numeric ID (which can be found via gcloud iam service-accounts describe <email/ID>).

@mattnworb
Copy link
Contributor

also - @ahmetb thanks for making the behavior consistent going forward 😄

@ahmetb
Copy link
Member Author

ahmetb commented Mar 8, 2018
edited
Loading

@mattnworb thanks for the clarification!

Yes, if your [Cluster]RoleBinding object previously used a subject name like 105883778249443408408, starting from kubectl 1.10, you just need to use the full service account email foo@PROJECT-NAME.iam.gserviceaccount.com.

This is a breaking change, if it interrupts you, you can go back to using kubectl 1.9 or better: you can edit ~/.kube/config file to manually add a users[*].config.scopes field that has value "https://www.googleapis.com/auth/cloud-platform". This way the email won't work and you'll get the old behavior.

The numeric account name behavior was never documented and meant to be used that way, so hopefully addressing this early on before this use case gets popular will prevent us from dealing with this down the road!

This was referenced Mar 28, 2018
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@cjcullen cjcullen

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@ahmetb @cjcullen @k8s-ci-robot @ericchiang @k8s-github-robot @fejta-bot @mattnworb