
Commit 5830ccb

jindijamieGCB Sync Bot
authored andcommitted
Use GKE P4SA for KCP VM Admin Access
go/gke-kcp-p4sa-token-dance BUG=b/399196274 Change-Id: I333c7fe1e2d605b5d67cae5d2dd801270f9ebd58
1 parent 6a240d5 commit 5830ccb


2 files changed

+38
-2
lines changed


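--- a/gke/cluster/gce/gci/configure-helper.sh
+++ b/gke/cluster/gce/gci/configure-helper.sh
@@ -3142,7 +3142,7 @@ function main() {
 KUBE_CONTROLLER_MANAGER_TOKEN="$(secure_random 32)"
 KUBE_SCHEDULER_TOKEN="$(secure_random 32)"
 KUBE_CLUSTER_AUTOSCALER_TOKEN="$(secure_random 32)"
-if [[ -z "${KUBE_BEARER_TOKEN:-}" ]]; then
+if [[ -z "${KUBE_BEARER_TOKEN:-}" ]] && [[ "${LOCAL_ADMIN_GKE_EXEC_AUTH:-false}" == "false" ]]; then
 KUBE_BEARER_TOKEN="$(secure_random 32)"
 fi
 if [[ "${ENABLE_L7_LOADBALANCING:-}" == "glbc" ]]; then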
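Review bot: The new guard at 3145 suppresses KUBE_BEARER_TOKEN generation on LOCAL_ADMIN_GKE_EXEC_AUTH alone, while the consumer in gke-internal-configure-helper.sh (hunk at 201) only takes the exec-auth branch when TOKEN_URL and TOKEN_BODY_UNQUOTED are also non-empty, so a node with the flag set but either of those unset ends up with no bearer token and no local-admin kubeconfig, and nothing logs why. Either key this guard on the same three conditions as the consumer, or give the consumer a final branch that reports the misconfiguration, e.g. `else echo "LOCAL_ADMIN_GKE_EXEC_AUTH=true but TOKEN_URL/TOKEN_BODY_UNQUOTED unset; local-admin kubeconfig not created" >&2`. main() starts and continues outside this hunk, so whether any later step in it still reads KUBE_BEARER_TOKEN and now sees an empty value cannot be checked from here.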

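--- a/gke/cluster/gce/gci/gke-internal-configure-helper.sh
+++ b/gke/cluster/gce/gci/gke-internal-configure-helper.sh
@@ -198,7 +198,11 @@ function gke-internal-master-start {
 create-static-auth-kubeconfig-for-component mastertest
 fi
 
-if [[ -n "${KUBE_BEARER_TOKEN:-}" ]]; then
+if [[ "${LOCAL_ADMIN_GKE_EXEC_AUTH:-false}" == "true" ]] && [[ -n "${TOKEN_URL:-}" ]] && [[ -n "${TOKEN_BODY_UNQUOTED:-}" ]]; then
+echo "setting up local admin kubeconfig with gke-exec-auth-plugin"
+create-kcp-admin-kubeconfig
+echo "export KUBECONFIG=/etc/srv/kubernetes/local-admin/kubeconfig" > /etc/profile.d/kubeconfig.sh
+elif [[ -n "${KUBE_BEARER_TOKEN:-}" ]]; then
 echo "setting up local admin kubeconfig"
 create-kubeconfig "local-admin" "${KUBE_BEARER_TOKEN}"
 echo "export KUBECONFIG=/etc/srv/kubernetes/local-admin/kubeconfig" > /etc/profile.d/kubeconfig.sh
@@ -1179,3 +1183,35 @@ providers:
 defaultCacheDuration: 1m
 EOF
 }
+
+function create-kcp-admin-kubeconfig {
+mkdir -p "/etc/srv/kubernetes/local-admin"
+cat > "/etc/srv/kubernetes/local-admin/kubeconfig" << EOF
+apiVersion: v1
+kind: Config
+users:
+- name: local-admin
+user:
+exec:
+apiVersion: "client.authentication.k8s.io/v1beta1"
+command: /home/kubernetes/bin/gke-exec-auth-plugin
+args:
+- --mode=alt-token
+- --alt-token-url=${TOKEN_URL}
+- --alt-token-body=${TOKEN_BODY_UNQUOTED}
+clusters:
+- name: local
+cluster:
+certificate-authority-data: ${CA_CERT}
+server: https://${KUBE_APISERVER_INTERNAL_ADDRESS}:443
+disable-compression: true
+contexts:
+- context:
+cluster: local
+user: local-admin
+name: local-admin
+current-context: local-admin
+EOF
+}
+
+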
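Review bot: create-kcp-admin-kubeconfig (second hunk, 1187–1215) expands CA_CERT and KUBE_APISERVER_INTERNAL_ADDRESS into the kubeconfig without checking them, although the caller at 201 only verifies TOKEN_URL and TOKEN_BODY_UNQUOTED, so an empty value produces a file that only fails at the first kubectl call rather than at boot; a guard as the function's first line, `: "${CA_CERT:?}" "${KUBE_APISERVER_INTERNAL_ADDRESS:?}"`, names the missing variable instead. The unquoted heredoc also drops TOKEN_BODY_UNQUOTED bare into a YAML sequence item at 1201, so a value containing `: `, ` #` or a leading quote changes the parsed structure; if the request body can carry such characters, that item should be a quoted scalar (the rendered page has lost indentation, so the nesting under `users:`/`clusters:`/`contexts:` cannot be verified here). The file is written with the ambient umask via `cat >`; worth confirming that this matches what create-kubeconfig does for the token-based variant, since this kubeconfig now holds the URL and body the plugin presents to obtain admin credentials. A short header comment stating the inputs would help, e.g. `# Writes the local-admin kubeconfig for gke-exec-auth-plugin alt-token mode; reads TOKEN_URL, TOKEN_BODY_UNQUOTED, CA_CERT, KUBE_APISERVER_INTERNAL_ADDRESS.`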
