With this change, you can add --google_json_key=/path/to/key.json to the DAEMON_ARGS of the kubelet, e.g.
nano /etc/default/kubelet
... # Add the flag
service kubelet restart
With this setting, minions will be able to authenticate with gcr.io repositories nearly as smoothly as if K8s were running on GCE.
NOTE: This private key can be used to access most project resources, consider dropping the service account created through this flow to a project READER, or restricting its access to just the GCS bucket containing the container images.
In particular, a few of the utilities used within the credentialprovider had the pattern:
glog.Errorf("while blah %s: %v", s, err)
return nil, err
This change propagates those error message and puts the burden of logging on the caller.
In particular, this allows us to squelch all output during kubelet startup when we are detecting whether certain credentialprovider plugins should even be enabled.
Fixes: https://github.com/GoogleCloudPlatform/kubernetes/issues/2673
This change refactors the way Kubelet's DockerPuller handles the docker config credentials to utilize a new credentialprovider library.
The credentialprovider library is based on several of the files from the Kubelet's dockertools directory, but supports a new pluggable model for retrieving a .dockercfg-compatible JSON blob with credentials.
With this change, the Kubelet will lazily ask for the docker config from a set of DockerConfigProvider extensions each time it needs a credential.
This change provides common implementations of DockerConfigProvider for:
- "Default": load .dockercfg from disk
- "Caching": wraps another provider in a cache that expires after a pre-specified lifetime.
GCP-only:
- "google-dockercfg": reads a .dockercfg from a GCE instance's metadata
- "google-dockercfg-url": reads a .dockercfg from a URL specified in a GCE instance's metadata.
- "google-container-registry": reads an access token from GCE metadata into a password field.
Vanya Tarasov