Merge pull request #58141 from ahmetb/configurable-scopes

Automatic merge from submit-queue (batch tested with PRs 58903, 58141, 58900). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. auth/gcp: configurable scopes for gcp default credentials **What this PR does / why we need it**: - add `config.scopes` field comma-separated scope URLs, to be used with Google Application Default Credentials (i.e. GOOGLE_APPLICATION_CREDENTIALS env) - users now should be able to set a gserviceaccount key in GOOGLE_APPLICATION_CREDENTIALS env, craft a kubeconfig file with GKE master IP+CA cert and should be able to authenticate to GKE in headless mode _without requiring gcloud_ CLI, and they can now use the email address of the gserviceaccount in RBAC role bindings and _not use Google Cloud IAM at all._ - gcp default scopes now include userinfo.email scope, so authenticating to GKE using gserviceaccount keys can now be done without gcloud as well. - since userinfo.email scope is now a default, users who have existing RBAC bindings that use numeric uniqueID of the gserviceaccount will be broken (this behavior was never documented/guaranteed). from now on email address of the service account should be used as the subject in RBAC Role Bindings. **Release note**: ```release-note Google Cloud Service Account email addresses can now be used in RBAC Role bindings since the default scopes now include the "userinfo.email" scope. This is a breaking change if the numeric uniqueIDs of the Google service accounts were being used in RBAC role bindings. The behavior can be overridden by explicitly specifying the scope values as comma-separated string in the "users[*].config.scopes" field in the KUBECONFIG file. ``` /assign @cjcullen /sig gcp Kubernetes-commit: 6ef0514bd94e184f51960f0545095f0fae4964b4
2025-06-25 14:41:53 +00:00 · 2018-01-26 21:00:35 -08:00 · 2018-01-26 21:00:35 -08:00 · 91392bcd63
commit 91392bcd63
parent 1957ffeb3d 7f749abb08
3 changed files with 253 additions and 95 deletions
--- a/Godeps/Godeps.json
+++ b/Godeps/Godeps.json
@ -284,331 +284,331 @@
 		},
 		{
 			"ImportPath": "k8s.io/api/admissionregistration/v1alpha1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/admissionregistration/v1beta1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/apps/v1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/apps/v1beta1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/apps/v1beta2",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/authentication/v1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/authentication/v1beta1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/authorization/v1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/authorization/v1beta1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/autoscaling/v1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/autoscaling/v2beta1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/batch/v1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/batch/v1beta1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/batch/v2alpha1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/certificates/v1beta1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/core/v1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/events/v1beta1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/extensions/v1beta1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/imagepolicy/v1alpha1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/networking/v1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/policy/v1beta1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/rbac/v1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/rbac/v1alpha1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/rbac/v1beta1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/scheduling/v1alpha1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/settings/v1alpha1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/storage/v1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/storage/v1alpha1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/api/storage/v1beta1",
-			"Rev": "fbe336854453ac8e27bffe14e1964555245cbd05"
+			"Rev": "dc0dd48d5a5cae9f8736bb0643cfe6052e450f1b"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/equality",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/errors",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/meta",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/resource",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/testing",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/testing/fuzzer",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/api/testing/roundtrip",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apimachinery",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apimachinery/announced",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apimachinery/registered",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/fuzzer",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/internalversion",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/apis/meta/v1alpha1",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/conversion",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/conversion/queryparams",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/fields",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/labels",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/schema",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/json",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/protobuf",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/recognizer",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/streaming",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/runtime/serializer/versioning",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/selection",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/types",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/cache",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/clock",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/diff",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/errors",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/framer",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/httpstream",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/httpstream/spdy",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/intstr",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/json",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/mergepatch",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/net",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/remotecommand",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/runtime",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/sets",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/strategicpatch",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/validation",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/validation/field",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/wait",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/util/yaml",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/version",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/pkg/watch",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/third_party/forked/golang/json",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/third_party/forked/golang/netutil",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/apimachinery/third_party/forked/golang/reflect",
-			"Rev": "2f1e02d3e57b8fb5206c5326bcb65217edc63a8e"
+			"Rev": "b621949a1923cee3fce8bca9613e9a83609f0bbc"
 		},
 		{
 			"ImportPath": "k8s.io/kube-openapi/pkg/util/proto",
--- a/plugin/pkg/client/auth/gcp/gcp.go
+++ b/plugin/pkg/client/auth/gcp/gcp.go
@ -42,8 +42,18 @@ func init() {
 	}
 }

-// Stubbable for testing
-var execCommand = exec.Command
+var (
+	// Stubbable for testing
+	execCommand = exec.Command
+
+	// defaultScopes:
+	// - cloud-platform is the base scope to authenticate to GCP.
+	// - userinfo.email is used to authenticate to GKE APIs with gserviceaccount
+	//   email instead of numeric uniqueID.
+	defaultScopes = []string{
+		"https://www.googleapis.com/auth/cloud-platform",
+		"https://www.googleapis.com/auth/userinfo.email"}
+)

 // gcpAuthProvider is an auth provider plugin that uses GCP credentials to provide
 // tokens for kubectl to authenticate itself to the apiserver. A sample json config
@ -55,6 +65,14 @@ var execCommand = exec.Command
 //     "name": "gcp",
 //
 //     'config': {
+//       # Authentication options
+//       # These options are used while getting a token.
+//
+//       # comma-separated list of GCP API scopes. default value of this field
+//       # is "https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/userinfo.email".
+// 		 # to override the API scopes, specify this field explicitly.
+//       "scopes": "https://www.googleapis.com/auth/cloud-platform"
+//
 //       # Caching options
 //
 //       # Raw string data representing cached access token.
@ -96,12 +114,32 @@ type gcpAuthProvider struct {
 }

 func newGCPAuthProvider(_ string, gcpConfig map[string]string, persister restclient.AuthProviderConfigPersister) (restclient.AuthProvider, error) {
-	var ts oauth2.TokenSource
-	var err error
-	if cmd, useCmd := gcpConfig["cmd-path"]; useCmd {
+	ts, err := tokenSource(isCmdTokenSource(gcpConfig), gcpConfig)
+	if err != nil {
+		return nil, err
+	}
+	cts, err := newCachedTokenSource(gcpConfig["access-token"], gcpConfig["expiry"], persister, ts, gcpConfig)
+	if err != nil {
+		return nil, err
+	}
+	return &gcpAuthProvider{cts, persister}, nil
+}
+
+func isCmdTokenSource(gcpConfig map[string]string) bool {
+	_, ok := gcpConfig["cmd-path"]
+	return ok
+}
+
+func tokenSource(isCmd bool, gcpConfig map[string]string) (oauth2.TokenSource, error) {
+	// Command-based token source
+	if isCmd {
+		cmd := gcpConfig["cmd-path"]
 		if len(cmd) == 0 {
 			return nil, fmt.Errorf("missing access token cmd")
 		}
+		if gcpConfig["scopes"] != "" {
+			return nil, fmt.Errorf("scopes can only be used when kubectl is using a gcp service account key")
+		}
 		var args []string
 		if cmdArgs, ok := gcpConfig["cmd-args"]; ok {
 			args = strings.Fields(cmdArgs)
@ -110,18 +148,29 @@ func newGCPAuthProvider(_ string, gcpConfig map[string]string, persister restcli
 			cmd = fields[0]
 			args = fields[1:]
 		}
-		ts = newCmdTokenSource(cmd, args, gcpConfig["token-key"], gcpConfig["expiry-key"], gcpConfig["time-fmt"])
-	} else {
-		ts, err = google.DefaultTokenSource(context.Background(), "https://www.googleapis.com/auth/cloud-platform")
+		return newCmdTokenSource(cmd, args, gcpConfig["token-key"], gcpConfig["expiry-key"], gcpConfig["time-fmt"]), nil
 	}
+
+	// Google Application Credentials-based token source
+	scopes := parseScopes(gcpConfig)
+	ts, err := google.DefaultTokenSource(context.Background(), scopes...)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("cannot construct google default token source: %v", err)
 	}
-	cts, err := newCachedTokenSource(gcpConfig["access-token"], gcpConfig["expiry"], persister, ts, gcpConfig)
-	if err != nil {
-		return nil, err
+	return ts, nil
+}
+
+// parseScopes constructs a list of scopes that should be included in token source
+// from the config map.
+func parseScopes(gcpConfig map[string]string) []string {
+	scopes, ok := gcpConfig["scopes"]
+	if !ok {
+		return defaultScopes
 	}
-	return &gcpAuthProvider{cts, persister}, nil
+	if scopes == "" {
+		return []string{}
+	}
+	return strings.Split(gcpConfig["scopes"], ",")
 }

 func (g *gcpAuthProvider) WrapTransport(rt http.RoundTripper) http.RoundTripper {
--- a/plugin/pkg/client/auth/gcp/gcp_test.go
+++ b/plugin/pkg/client/auth/gcp/gcp_test.go
@ -18,6 +18,7 @@ package gcp

 import (
 	"fmt"
+	"io/ioutil"
 	"net/http"
 	"os"
 	"os/exec"
@ -116,6 +117,114 @@ func TestHelperProcess(t *testing.T) {
 	os.Exit(0)
 }

+func Test_isCmdTokenSource(t *testing.T) {
+	c1 := map[string]string{"cmd-path": "foo"}
+	if v := isCmdTokenSource(c1); !v {
+		t.Fatalf("cmd-path present in config (%+v), but got %v", c1, v)
+	}
+
+	c2 := map[string]string{"cmd-args": "foo bar"}
+	if v := isCmdTokenSource(c2); v {
+		t.Fatalf("cmd-path not present in config (%+v), but got %v", c2, v)
+	}
+}
+
+func Test_tokenSource_cmd(t *testing.T) {
+	if _, err := tokenSource(true, map[string]string{}); err == nil {
+		t.Fatalf("expected error, cmd-args not present in config")
+	}
+
+	c := map[string]string{
+		"cmd-path": "foo",
+		"cmd-args": "bar"}
+	ts, err := tokenSource(true, c)
+	if err != nil {
+		t.Fatalf("failed to return cmd token source: %+v", err)
+	}
+	if ts == nil {
+		t.Fatal("returned nil token source")
+	}
+	if _, ok := ts.(*commandTokenSource); !ok {
+		t.Fatalf("returned token source type:(%T) expected:(*commandTokenSource)", ts)
+	}
+}
+
+func Test_tokenSource_cmdCannotBeUsedWithScopes(t *testing.T) {
+	c := map[string]string{
+		"cmd-path": "foo",
+		"scopes":   "A,B"}
+	if _, err := tokenSource(true, c); err == nil {
+		t.Fatal("expected error when scopes is used with cmd-path")
+	}
+}
+
+func Test_tokenSource_applicationDefaultCredentials_fails(t *testing.T) {
+	// try to use empty ADC file
+	fakeTokenFile, err := ioutil.TempFile("", "adctoken")
+	if err != nil {
+		t.Fatalf("failed to create fake token file: +%v", err)
+	}
+	fakeTokenFile.Close()
+	defer os.Remove(fakeTokenFile.Name())
+
+	os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", fakeTokenFile.Name())
+	defer os.Unsetenv("GOOGLE_APPLICATION_CREDENTIALS")
+	if _, err := tokenSource(false, map[string]string{}); err == nil {
+		t.Fatalf("expected error because specified ADC token file is not a JSON")
+	}
+}
+
+func Test_tokenSource_applicationDefaultCredentials(t *testing.T) {
+	fakeTokenFile, err := ioutil.TempFile("", "adctoken")
+	if err != nil {
+		t.Fatalf("failed to create fake token file: +%v", err)
+	}
+	fakeTokenFile.Close()
+	defer os.Remove(fakeTokenFile.Name())
+	if err := ioutil.WriteFile(fakeTokenFile.Name(), []byte(`{"type":"service_account"}`), 0600); err != nil {
+		t.Fatalf("failed to write to fake token file: %+v", err)
+	}
+
+	os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", fakeTokenFile.Name())
+	defer os.Unsetenv("GOOGLE_APPLICATION_CREDENTIALS")
+	ts, err := tokenSource(false, map[string]string{})
+	if err != nil {
+		t.Fatalf("failed to get a token source: %+v", err)
+	}
+	if ts == nil {
+		t.Fatal("returned nil token soruce")
+	}
+}
+
+func Test_parseScopes(t *testing.T) {
+	cases := []struct {
+		in  map[string]string
+		out []string
+	}{
+		{
+			map[string]string{},
+			[]string{
+				"https://www.googleapis.com/auth/cloud-platform",
+				"https://www.googleapis.com/auth/userinfo.email"},
+		},
+		{
+			map[string]string{"scopes": ""},
+			[]string{},
+		},
+		{
+			map[string]string{"scopes": "A,B,C"},
+			[]string{"A", "B", "C"},
+		},
+	}
+
+	for _, c := range cases {
+		got := parseScopes(c.in)
+		if !reflect.DeepEqual(got, c.out) {
+			t.Errorf("expected=%v, got=%v", c.out, got)
+		}
+	}
+}
+
 func errEquiv(got, want error) bool {
 	if got == want {
 		return true