Add email scope to GCP provided credential refresh #110
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
size/XS
Codecov Report
@@ Coverage Diff @@
## master #110 +/- ##
=======================================
Coverage 92.04% 92.04%
=======================================
Files 13 13
Lines 1182 1182
=======================================
Hits 1088 1088
Misses 94 94
Continue to review full report at Codecov.
|
|
/lgtm |
|
thanks for the pr. so you have tested it manually that it works, right? just want to double confirm. |
|
Yes, we've been running a patched version of this client with this change for the past few months in production and we haven't seen any adverse behaviour. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: axelsteingrimsson, yliaog The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
This would fix the issue described in: #54
This is similar to the PR to fix the issue with refreshing the service account token, except this is specifically targeted at addressing service account tokens that are authenticated using RBAC.
The issue is essentially that if the service account that is making a request to the Kubernetes API server and the request is authenticated using RBAC, then the access token will be invalid because it isn't signed by an email. By passing the
"https://www.googleapis.com/auth/userinfo.email"when creating the credentials it will generate an access token that can be authenticated using RBAC.