Merge branch '62772-disable-kubernetes-credential-passthrough' into 'master'

Remove fallback to platform credentials for managed project-level clusters Closes #62772 See merge request gitlab-org/gitlab-ce!29262

Merge branch '62772-disable-kubernetes-credential-passthrough' into 'master'
Remove fallback to platform credentials for managed project-level clusters Closes #62772 See merge request gitlab-org/gitlab-ce!29262
9f071146 · Thong Kuah · 148516ba · a87f0f39 · 9f071146 · 9f071146
Commit 9f071146 authored Jun 21, 2019 by Thong Kuah
5 changed files
--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@@ -91,19 +91,6 @@ module Clusters

          elsif kubernetes_namespace = cluster.kubernetes_namespaces.has_service_account_token.find_by(project: project)
            variables.concat(kubernetes_namespace.predefined_variables)
-          elsif cluster.project_type?
-            # As of 11.11 a user can create a cluster that they manage themselves,
-            # which replicates the existing project-level cluster behaviour.
-            # Once we have marked all project-level clusters that make use of this
-            # behaviour as "unmanaged", we can remove the `cluster.project_type?`
-            # check here.
-            project_namespace = cluster.kubernetes_namespace_for(project)
-
-            variables
-              .append(key: 'KUBE_URL', value: api_url)
-              .append(key: 'KUBE_TOKEN', value: token, public: false, masked: true)
-              .append(key: 'KUBE_NAMESPACE', value: project_namespace)
-              .append(key: 'KUBECONFIG', value: kubeconfig(project_namespace), public: false, file: true)
          end

          variables.concat(cluster.predefined_variables)

--- a/changelogs/unreleased/62772-disable-kubernetes-credential-passthrough.yml
+++ b/changelogs/unreleased/62772-disable-kubernetes-credential-passthrough.yml
+---
+title: Disable Kubernetes credential passthrough for managed project-level clusters
+merge_request: 29262
+author:
+type: removed
--- a/doc/user/project/clusters/index.md
+++ b/doc/user/project/clusters/index.md
@@ -532,6 +532,14 @@ This job failed because the necessary resources were not successfully created.

 To find the cause of this error when creating a namespace and service account, check the [logs](../../../administration/logs.md#kuberneteslog).

+NOTE: **NOTE:**
+As of GitLab 12.1 we require [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
+tokens for all project level clusters unless you unselect the
+[GitLab-managed cluster](#gitlab-managed-clusters) option. If you
+want to manage namespaces and service accounts yourself and don't
+want to provide a `cluster-admin` token to GitLab you must unselect this
+option or you will get the above error.
+
 Common reasons for failure include:

 - The token you gave GitLab did not have [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)

--- a/spec/models/clusters/platforms/kubernetes_spec.rb
+++ b/spec/models/clusters/platforms/kubernetes_spec.rb
@@ -281,14 +281,14 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching

      it_behaves_like 'setting variables'

-      it 'sets KUBE_TOKEN' do
-        expect(subject).to include(
+      it 'does not set KUBE_TOKEN' do
+        expect(subject).not_to include(
          { key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
        )
      end
    end

-    context 'kubernetes namespace is created with no service account token' do
+    context 'kubernetes namespace is created with service account token' do
      let!(:kubernetes_namespace) { create(:cluster_kubernetes_namespace, :with_token, cluster: cluster) }

      it_behaves_like 'setting variables'
@@ -340,32 +340,6 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
      end
    end

-    context 'namespace is provided' do
-      let(:namespace) { 'my-project' }
-
-      before do
-        kubernetes.namespace = namespace
-      end
-
-      it_behaves_like 'setting variables'
-
-      it 'sets KUBE_TOKEN' do
-        expect(subject).to include(
-          { key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
-        )
-      end
-    end
-
-    context 'no namespace provided' do
-      it_behaves_like 'setting variables'
-
-      it 'sets KUBE_TOKEN' do
-        expect(subject).to include(
-          { key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
-        )
-      end
-    end
-
    context 'group level cluster' do
      let!(:cluster) { create(:cluster, :group, platform_kubernetes: kubernetes) }


--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -2656,8 +2656,8 @@ describe Project do
        let!(:cluster) { create(:cluster, :project, :provided_by_gcp) }
        let(:project) { cluster.project }

-        it 'returns variables from this service' do
-          expect(project.deployment_variables).to include(
+        it 'does not return variables from this service' do
+          expect(project.deployment_variables).not_to include(
            { key: 'KUBE_TOKEN', value: project.deployment_platform.token, public: false, masked: true }
          )
        end