Add feature gate to disable in-tree credential providers
This commit is contained in:
parent
dbebb8f2e8
commit
a947c32783
@ -159,12 +159,20 @@ func (p *ecrProvider) Provide(image string) credentialprovider.DockerConfig {
|
|||||||
// (see https://github.com/kubernetes/kubernetes/issues/92162)
|
// (see https://github.com/kubernetes/kubernetes/issues/92162)
|
||||||
once.Do(func() {
|
once.Do(func() {
|
||||||
isEC2 = p.isEC2()
|
isEC2 = p.isEC2()
|
||||||
|
|
||||||
|
if isEC2 && credentialprovider.AreLegacyCloudCredentialProvidersDisabled() {
|
||||||
|
klog.V(4).Infof("AWS credential provider is now disabled. Please refer to sig-cloud-provider for guidance on external credential provider integration for AWS")
|
||||||
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
if !isEC2 {
|
if !isEC2 {
|
||||||
return credentialprovider.DockerConfig{}
|
return credentialprovider.DockerConfig{}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if credentialprovider.AreLegacyCloudCredentialProvidersDisabled() {
|
||||||
|
return credentialprovider.DockerConfig{}
|
||||||
|
}
|
||||||
|
|
||||||
if cfg, exists := p.getFromCache(parsed); exists {
|
if cfg, exists := p.getFromCache(parsed); exists {
|
||||||
klog.V(3).Infof("Got ECR credentials from cache for %s", parsed.registry)
|
klog.V(3).Infof("Got ECR credentials from cache for %s", parsed.registry)
|
||||||
return cfg
|
return cfg
|
||||||
|
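Review bot: The "provider is now disabled" notice at `klog.V(4).Infof("AWS credential provider is now disabled. ...")` sits above the kubelet's default verbosity, so once the gate is on the only visible symptom of the empty config returned at `return credentialprovider.DockerConfig{}` is an authentication failure on ECR pulls; logging it once with `klog.Warning` would make the cause diagnosable from default logs, and the same applies to the Azure and GCP notices later in this commit. The gate is also evaluated twice in this hunk, once inside `once.Do` only to decide whether to log and again on every call at `if credentialprovider.AreLegacyCloudCredentialProvidersDisabled()`; since feature gates do not change during a kubelet's lifetime, the result could be captured in the `once.Do` block alongside `isEC2` and reused. Note that the gate is checked after the EC2 probe, so a disabled provider still contacts the instance metadata endpoint once; that seems intentional to keep the warning EC2-only, but a short comment saying so would help, e.g. `// The gate is checked after the EC2 probe so the notice is only logged on EC2 nodes.` The enclosing `Provide` starts and ends outside the hunk.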
@ -26,6 +26,7 @@ import (
|
|||||||
"os"
|
"os"
|
||||||
"regexp"
|
"regexp"
|
||||||
"strings"
|
"strings"
|
||||||
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
"github.com/Azure/azure-sdk-for-go/services/containerregistry/mgmt/2019-05-01/containerregistry"
|
"github.com/Azure/azure-sdk-for-go/services/containerregistry/mgmt/2019-05-01/containerregistry"
|
||||||
@ -52,6 +53,7 @@ const (
|
|||||||
var (
|
var (
|
||||||
containerRegistryUrls = []string{"*.azurecr.io", "*.azurecr.cn", "*.azurecr.de", "*.azurecr.us"}
|
containerRegistryUrls = []string{"*.azurecr.io", "*.azurecr.cn", "*.azurecr.de", "*.azurecr.us"}
|
||||||
acrRE = regexp.MustCompile(`.*\.azurecr\.io|.*\.azurecr\.cn|.*\.azurecr\.de|.*\.azurecr\.us`)
|
acrRE = regexp.MustCompile(`.*\.azurecr\.io|.*\.azurecr\.cn|.*\.azurecr\.de|.*\.azurecr\.us`)
|
||||||
|
warnOnce sync.Once
|
||||||
)
|
)
|
||||||
|
|
||||||
// init registers the various means by which credentials may
|
// init registers the various means by which credentials may
|
||||||
@ -183,6 +185,13 @@ func (a *acrProvider) Enabled() bool {
|
|||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if credentialprovider.AreLegacyCloudCredentialProvidersDisabled() {
|
||||||
|
warnOnce.Do(func() {
|
||||||
|
klog.V(4).Infof("Azure credential provider is now disabled. Please refer to sig-cloud-provider for guidance on external credential provider integration for Azure")
|
||||||
|
})
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
f, err := os.Open(*a.file)
|
f, err := os.Open(*a.file)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
klog.Errorf("Failed to load config from file: %s", *a.file)
|
klog.Errorf("Failed to load config from file: %s", *a.file)
|
||||||
@ -203,6 +212,7 @@ func (a *acrProvider) Enabled() bool {
|
|||||||
}
|
}
|
||||||
|
|
||||||
a.registryClient = newAzRegistriesClient(a.config.SubscriptionID, a.environment.ResourceManagerEndpoint, a.servicePrincipalToken)
|
a.registryClient = newAzRegistriesClient(a.config.SubscriptionID, a.environment.ResourceManagerEndpoint, a.servicePrincipalToken)
|
||||||
|
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
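Review bot: The new `warnOnce sync.Once` in the `var (` block has no comment and is shared by every `acrProvider` value in the process, which is fine but worth stating: `// warnOnce limits the "provider disabled" notice to a single log line per process.` In `Enabled`, returning false at the gate check before `f, err := os.Open(*a.file)` means the service-principal file is never read and `a.servicePrincipalToken`/`a.registryClient` stay unset, which is the right outcome for a disabled provider, but it makes `Provide` unsafe to call unless `Enabled` has returned true; a one-line comment above the gate check recording that invariant would protect a future caller. Because the check follows the `a.file` test (whose `if` opens outside the hunk), a node with the gate on but no ACR config file logs nothing, which is presumably acceptable given the notice is meant for nodes that actually used the provider.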
@ -23,6 +23,7 @@ import (
|
|||||||
"os/exec"
|
"os/exec"
|
||||||
"runtime"
|
"runtime"
|
||||||
"strings"
|
"strings"
|
||||||
|
"sync"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
utilnet "k8s.io/apimachinery/pkg/util/net"
|
utilnet "k8s.io/apimachinery/pkg/util/net"
|
||||||
@ -55,6 +56,8 @@ var metadataHeader = &http.Header{
|
|||||||
"Metadata-Flavor": []string{"Google"},
|
"Metadata-Flavor": []string{"Google"},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var warnOnce sync.Once
|
||||||
|
|
||||||
// init registers the various means by which credentials may
|
// init registers the various means by which credentials may
|
||||||
// be resolved on GCP.
|
// be resolved on GCP.
|
||||||
func init() {
|
func init() {
|
||||||
@ -142,7 +145,17 @@ func onGCEVM() bool {
|
|||||||
|
|
||||||
// Enabled implements DockerConfigProvider for all of the Google implementations.
|
// Enabled implements DockerConfigProvider for all of the Google implementations.
|
||||||
func (g *MetadataProvider) Enabled() bool {
|
func (g *MetadataProvider) Enabled() bool {
|
||||||
return onGCEVM()
|
onGCE := onGCEVM()
|
||||||
|
if !onGCE {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
if credentialprovider.AreLegacyCloudCredentialProvidersDisabled() {
|
||||||
|
warnOnce.Do(func() {
|
||||||
|
klog.V(4).Infof("GCP credential provider is now disabled. Please refer to sig-cloud-provider for guidance on external credential provider integration for GCP")
|
||||||
|
})
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
return true
|
||||||
}
|
}
|
||||||
|
|
||||||
// Provide implements DockerConfigProvider
|
// Provide implements DockerConfigProvider
|
||||||
@ -187,6 +200,14 @@ func (g *ContainerRegistryProvider) Enabled() bool {
|
|||||||
if !onGCEVM() {
|
if !onGCEVM() {
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if credentialprovider.AreLegacyCloudCredentialProvidersDisabled() {
|
||||||
|
warnOnce.Do(func() {
|
||||||
|
klog.V(4).Infof("GCP credential provider is now disabled. Please refer to sig-cloud-provider for guidance on external credential provider integration for GCP")
|
||||||
|
})
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
// Given that we are on GCE, we should keep retrying until the metadata server responds.
|
// Given that we are on GCE, we should keep retrying until the metadata server responds.
|
||||||
value := runWithBackoff(func() ([]byte, error) {
|
value := runWithBackoff(func() ([]byte, error) {
|
||||||
value, err := gcpcredential.ReadURL(serviceAccounts, g.Client, metadataHeader)
|
value, err := gcpcredential.ReadURL(serviceAccounts, g.Client, metadataHeader)
|
||||||
|
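Review bot: `MetadataProvider.Enabled` now spells the probe as `onGCE := onGCEVM()` followed by `if !onGCE { return false }`, while `ContainerRegistryProvider.Enabled` in the next hunk keeps the direct `if !onGCEVM() { return false }`; the temporary is not used again, so the shorter form keeps the two methods parallel. The package-level `var warnOnce sync.Once` is shared by both `Enabled` methods, so whichever provider is queried first emits the single "GCP credential provider is now disabled" line and the other stays silent; if that is intended, a comment such as `// warnOnce is shared by all GCP providers so the disabled notice is logged once per process.` would stop a reader from treating it as an accidental omission. As in the other providers, the gate is consulted only after `onGCEVM()` has probed the metadata server, which seems deliberate but is undocumented.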
@ -21,7 +21,9 @@ import (
|
|||||||
"sort"
|
"sort"
|
||||||
"sync"
|
"sync"
|
||||||
|
|
||||||
|
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||||
"k8s.io/klog/v2"
|
"k8s.io/klog/v2"
|
||||||
|
"k8s.io/kubernetes/pkg/features"
|
||||||
)
|
)
|
||||||
|
|
||||||
// All registered credential providers.
|
// All registered credential providers.
|
||||||
@ -44,6 +46,12 @@ func RegisterCredentialProvider(name string, provider DockerConfigProvider) {
|
|||||||
providers[name] = provider
|
providers[name] = provider
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// AreLegacyCloudCredentialProvidersDisabled checks if the legacy in-tree cloud
|
||||||
|
// credential providers have been disabled.
|
||||||
|
func AreLegacyCloudCredentialProvidersDisabled() bool {
|
||||||
|
return utilfeature.DefaultFeatureGate.Enabled(features.DisableKubeletCloudCredentialProviders)
|
||||||
|
}
|
||||||
|
|
||||||
// NewDockerKeyring creates a DockerKeyring to use for resolving credentials,
|
// NewDockerKeyring creates a DockerKeyring to use for resolving credentials,
|
||||||
// which draws from the set of registered credential providers.
|
// which draws from the set of registered credential providers.
|
||||||
func NewDockerKeyring() DockerKeyring {
|
func NewDockerKeyring() DockerKeyring {
|
||||||
|
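Review bot: The doc comment on `AreLegacyCloudCredentialProvidersDisabled` names neither the gate it reads nor what callers do with the answer, although this is the one place the behaviour is defined; suggest `// AreLegacyCloudCredentialProvidersDisabled reports whether the DisableKubeletCloudCredentialProviders feature gate is enabled. When it is, the in-tree AWS, Azure and GCP providers return no credentials.` The function reads the process-wide `utilfeature.DefaultFeatureGate`, so any test of the providers will need to set that gate explicitly rather than construct a provider with a flag; no such test is visible in this commit. Importing `k8s.io/kubernetes/pkg/features` into `pkg/credentialprovider` also ties this package to the main feature registry, which may matter if the package is intended to be consumable outside the kubelet; worth a note in the commit description if that is known to be fine.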
@ -595,6 +595,12 @@ const (
|
|||||||
// Disable any functionality in kube-apiserver, kube-controller-manager and kubelet related to the `--cloud-provider` component flag.
|
// Disable any functionality in kube-apiserver, kube-controller-manager and kubelet related to the `--cloud-provider` component flag.
|
||||||
DisableCloudProviders featuregate.Feature = "DisableCloudProviders"
|
DisableCloudProviders featuregate.Feature = "DisableCloudProviders"
|
||||||
|
|
||||||
|
// owner: @andrewsykim
|
||||||
|
// alpha: v1.22
|
||||||
|
//
|
||||||
|
// Disable in-tree functionality in kubelet to authenticate to cloud provider container registries for image pull credentials.
|
||||||
|
DisableKubeletCloudCredentialProviders featuregate.Feature = "DisableKubeletCloudCredentialProviders"
|
||||||
|
|
||||||
// owner: @zshihang
|
// owner: @zshihang
|
||||||
// alpha: v1.20
|
// alpha: v1.20
|
||||||
// beta: v1.21
|
// beta: v1.21
|
||||||
@ -895,6 +901,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
|
|||||||
CSIVolumeHealth: {Default: false, PreRelease: featuregate.Alpha},
|
CSIVolumeHealth: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
WindowsHostProcessContainers: {Default: false, PreRelease: featuregate.Alpha},
|
WindowsHostProcessContainers: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
DisableCloudProviders: {Default: false, PreRelease: featuregate.Alpha},
|
DisableCloudProviders: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
|
DisableKubeletCloudCredentialProviders: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
StatefulSetMinReadySeconds: {Default: false, PreRelease: featuregate.Alpha},
|
StatefulSetMinReadySeconds: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
ExpandedDNSConfig: {Default: false, PreRelease: featuregate.Alpha},
|
ExpandedDNSConfig: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
SeccompDefault: {Default: false, PreRelease: featuregate.Alpha},
|
SeccompDefault: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
|
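Review bot: The description of the new gate at `// Disable in-tree functionality in kubelet to authenticate to cloud provider container registries for image pull credentials.` does not say how it relates to the adjacent `DisableCloudProviders`, even though operators will most likely reason about the two together; if they are independent, a sentence such as `// Independent of DisableCloudProviders; both must be enabled to remove all in-tree cloud integration from the kubelet.` would settle it, and if one is meant to imply the other, that should be stated and enforced instead. The comment could also name the observable effect so it can be found from a failing pull, e.g. that the AWS, Azure and GCP providers return no credentials and an external credential provider is required for those registries. The default of `false` with `featuregate.Alpha` matches the `// alpha: v1.22` annotation.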