Commit a87f0f39 authored by Tiger Watson's avatar Tiger Watson Committed by Thong Kuah

Remove project-level cluster credential fallback

Project-level clusters that made use of this legacy
behaviour have been migrated to unmanaged clusters,
so we are now free to remove this fallback.
parent 148516ba
......@@ -91,19 +91,6 @@ module Clusters
elsif kubernetes_namespace = cluster.kubernetes_namespaces.has_service_account_token.find_by(project: project)
variables.concat(kubernetes_namespace.predefined_variables)
elsif cluster.project_type?
# As of 11.11 a user can create a cluster that they manage themselves,
# which replicates the existing project-level cluster behaviour.
# Once we have marked all project-level clusters that make use of this
# behaviour as "unmanaged", we can remove the `cluster.project_type?`
# check here.
project_namespace = cluster.kubernetes_namespace_for(project)
variables
.append(key: 'KUBE_URL', value: api_url)
.append(key: 'KUBE_TOKEN', value: token, public: false, masked: true)
.append(key: 'KUBE_NAMESPACE', value: project_namespace)
.append(key: 'KUBECONFIG', value: kubeconfig(project_namespace), public: false, file: true)
end
variables.concat(cluster.predefined_variables)
......
---
title: Disable Kubernetes credential passthrough for managed project-level clusters
merge_request: 29262
author:
type: removed
......@@ -532,6 +532,14 @@ This job failed because the necessary resources were not successfully created.
To find the cause of this error when creating a namespace and service account, check the [logs](../../../administration/logs.md#kuberneteslog).
NOTE: **NOTE:**
As of GitLab 12.1 we require [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
tokens for all project level clusters unless you unselect the
[GitLab-managed cluster](#gitlab-managed-clusters) option. If you
want to manage namespaces and service accounts yourself and don't
want to provide a `cluster-admin` token to GitLab you must unselect this
option or you will get the above error.
Common reasons for failure include:
- The token you gave GitLab did not have [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
......
......@@ -281,14 +281,14 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
it_behaves_like 'setting variables'
it 'sets KUBE_TOKEN' do
expect(subject).to include(
it 'does not set KUBE_TOKEN' do
expect(subject).not_to include(
{ key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
)
end
end
context 'kubernetes namespace is created with no service account token' do
context 'kubernetes namespace is created with service account token' do
let!(:kubernetes_namespace) { create(:cluster_kubernetes_namespace, :with_token, cluster: cluster) }
it_behaves_like 'setting variables'
......@@ -340,32 +340,6 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
end
end
context 'namespace is provided' do
let(:namespace) { 'my-project' }
before do
kubernetes.namespace = namespace
end
it_behaves_like 'setting variables'
it 'sets KUBE_TOKEN' do
expect(subject).to include(
{ key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
)
end
end
context 'no namespace provided' do
it_behaves_like 'setting variables'
it 'sets KUBE_TOKEN' do
expect(subject).to include(
{ key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
)
end
end
context 'group level cluster' do
let!(:cluster) { create(:cluster, :group, platform_kubernetes: kubernetes) }
......
......@@ -2656,8 +2656,8 @@ describe Project do
let!(:cluster) { create(:cluster, :project, :provided_by_gcp) }
let(:project) { cluster.project }
it 'returns variables from this service' do
expect(project.deployment_variables).to include(
it 'does not return variables from this service' do
expect(project.deployment_variables).not_to include(
{ key: 'KUBE_TOKEN', value: project.deployment_platform.token, public: false, masked: true }
)
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment