Explicitly request basic auth and client cert on GKE cluster creation

Problem

GKE basic auth will be disabled by default starting in 1.12.

We rely on cluster basic auth and the client certificate for our integration with the creation of new GKE clusters. For example, we use the cluster basic auth and client certificate to create a cluster-admin service account, which is necessary for supporting RBAC.

In the next major version of GKE, clusters will have basic authentication and client certificate issuance disabled by default. We need to have these enabled.

Further details

Note: Starting in GKE 1.12, clusters will have basic authentication and client certificate issuance disabled by default.

https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster#restrict_authn_methods

On February 18, 2019, a release note was put out:

We expect the following changes in the coming weeks...GKE 1.12 will be made generally available.

Proposal

Update to explicitly request basic auth and client cert in a forward-compatible manner:

  1. Switch from implicitly to explicitly setting master_auth when creating a new GKE cluster:
     • explicitly set master_auth.username
     • explicitly set master_auth.password (or see if GKE will auto generate a password?)
     • explicitly set master_auth.client_certificate_config.issue_client_certificate
  2. As an additional point, we will need to update the QA tests. This will be simple: we only need to update the gcloud command used.

WARNING: Starting in 1.12, new clusters will have basic authentication disabled by default. Basic authentication can be enabled (or disabled) manually using the `--[no-]enable-basic-auth` flag.
WARNING: Starting in 1.12, new clusters will not have a client certificate issued. You can manually enable (or disable) the issuance of the client certificate using the `--[no-]issue-client-certificate` flag.

GKE clusters are currently at v1.11.7-gke.4
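
The explicit request from the proposal, as an added Ruby example that is not GitLab's own code: it builds the create-cluster body with master_auth set explicitly and checks a created cluster for the credentials the integration depends on. The hash keys mirror the master_auth fields listed above; the helper names, the `admin` default username, the 16-character password minimum and the sample cluster are assumptions.

```ruby
require 'securerandom'

# Assumption: GKE rejects basic-auth passwords shorter than 16 characters.
MIN_PASSWORD_LENGTH = 16

# Build the create-cluster request body with master_auth set explicitly,
# so the outcome does not depend on the defaults of the GKE version.
# Hypothetical helper; keys mirror the master_auth fields in the proposal.
def build_cluster_request(name:, node_count:, username: 'admin', password: nil)
  # Generate a random password instead of relying on GKE to supply one.
  password ||= SecureRandom.hex(16) # 32 hex characters
  raise ArgumentError, 'username must not be empty' if username.to_s.empty?
  if password.length < MIN_PASSWORD_LENGTH
    raise ArgumentError, "password must be at least #{MIN_PASSWORD_LENGTH} characters"
  end

  {
    cluster: {
      name: name,
      initial_node_count: node_count,
      master_auth: {
        username: username,
        password: password,
        client_certificate_config: { issue_client_certificate: true }
      }
    }
  }
end

# Return the master_auth fields the integration needs but the created
# cluster did not provide. An empty array means the cluster is usable.
def missing_master_auth(cluster)
  auth = cluster[:master_auth] || {}
  %i[username password client_certificate client_key].select do |field|
    auth[field].to_s.empty?
  end
end

# Constructed sample: master_auth as assumed for a cluster created with the
# 1.12 defaults (CA certificate only, no basic auth, no client certificate).
DEFAULT_1_12_CLUSTER = {
  master_auth: { cluster_ca_certificate: 'PLACEHOLDER_CA_CERT' }
}.freeze
```

Running `missing_master_auth` on the response right after cluster creation turns a silent change of defaults into an immediate, named failure instead of a later error while creating the cluster-admin service account.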
