Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

auth-provider-gcp: support using alternate credentials #760

Open
theobarberbany opened this issue Sep 5, 2024 · 5 comments
Open

auth-provider-gcp: support using alternate credentials #760

theobarberbany opened this issue Sep 5, 2024 · 5 comments
Labels
needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@theobarberbany
Copy link

Currently, as far as I can tell,auth-provider-gcp only supports using the default gcp service account attached to the GCE VM. (https://github.com/kubernetes/cloud-provider-gcp/blob/master/pkg/gcpcredential/gcpcredential.go#L171-L226).

It would be great to additional authentication methods when making credentials requests, e.g support service account impersonation, or passing GOOGLE_APPLICATION_CREDENTIALS. This is because we have a use case where we don't want to provide credentials via roles attached to the default service account.

It looks like the CredentialProviderConfig allows for either passing args, or env vars: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-credential-provider/

If this is something the project would be open to, I'd be happy to work on it!
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Sep 5, 2024
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If the repository mantainers determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@elmiko
Copy link

elmiko commented Sep 25, 2024
edited
Loading

cc @cheftako could use your advise on this one

talking about this at sig meeting today, we agree that this sounds reasonable, @cheftako will followup with maintainers. just a note, @theobarberbany is willing to followup with a PR for this if we agree about making the changes.

@theobarberbany
Copy link
Author

Hey @cheftako, I was wondering if there had been any progress here? If we agree on making the changes, I'm happy to follow up with a PR! :)

@elmiko
Copy link

elmiko commented Dec 3, 2024

@theobarberbany you've got a couple thumbs up on the original issue, i think it makes sense to propose a PR. we can bring this up at the next sig meeting to see if there is objection. from the sounds of your original issue, i don't think this will be too controversial as we are preserving the original behavior and adding new options. do i have that correct?

@elmiko
Copy link

elmiko commented Dec 4, 2024
edited
Loading

we are discussing this at the SIG meeting today, a question about which specific auth workflows are needed has come up. it sounds like @theobarberbany is proposing something more general, in line with some of the other ccms.

the default service account auth is the main method of focus here for Theo's work.

@cheftako has offered to get some of the appropriate folks here for the discussion

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@elmiko @theobarberbany @k8s-ci-robot and others