Document setting up cloud provider kubectl auth via plugin (AKS, GKE) #35896

Closed
sftim opened this issue Aug 12, 2022 · 24 comments · Fixed by #44134
Assignees
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature. language/en Issues or PRs related to English language priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/cli Categorizes an issue or PR as relevant to SIG CLI. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@sftim
Contributor

sftim commented Aug 12, 2022

This is a Feature Request

What would you like to be added
(As I understand it), Kubernetes v1.25 v1.26 ships an updated kubectl. The updated kubectl won't include built-in plugins for authenticating to AKS or GKE.
This is likely to surprise folks.

Update 3 pages:

to signpost users to the right internal and external docs. We can remove this signposting once Kubernetes v1.27 (sic) is the oldest supported version of Kubernetes (consider adding an HTML comment with that detail).

Optionally, also update https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins to mention that earlier versions of kubectl included built-in support for authenticating to AKS and GKE, but this is no longer present.

Why is this needed
Readers may follow the “install kubectl” docs and get a tool that's missing functionality they thought was built in.

Comments

The gcp and azure auth plugins have been removed from client-go and kubectl. See AKS and GKE documentation for details about the cloud-specific replacements.

/sig cli
/language en

@sftim sftim added the kind/feature Categorizes issue or PR as related to a new feature. label Aug 12, 2022
@k8s-ci-robot k8s-ci-robot added sig/cli Categorizes an issue or PR as relevant to SIG CLI. language/en Issues or PRs related to English language needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 12, 2022
@annajung
Contributor

/triage accepted
/priority important-soon

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 13, 2022
@shannonxtreme
Contributor

shannonxtreme commented Aug 17, 2022

For each of the three pages, add the following under the Verify kubectl configuration heading, at the end of the section:

### Panic: no auth provider found error message

{{% thirdparty-content %}}

In Kubernetes v1.26, kubectl removed the built-in authentication for the following cloud
providers' managed Kubernetes offerings. These providers have released kubectl plugins
to fix the authentication. For instructions, refer to the following provider documentation:

*  AKS (Azure): [kubelogin plugin](https://github.com/Azure/kubelogin)
*  GKE (Google Cloud): [gke-gcloud-auth-plugin](https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-access-for-kubectl#install_plugin)
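
An added example, not part of this thread or of the Kubernetes docs: a check that lists which user entries in a kubeconfig still rely on the removed `gcp` / `azure` auth providers rather than an exec credential plugin. It assumes input in the JSON shape printed by `kubectl config view -o json`; the sample data and the function names are constructed for illustration.

```python
import json

# Auth providers that used to be compiled into kubectl/client-go and were removed.
REMOVED_PROVIDERS = {"gcp", "azure"}

# Constructed sample in the JSON shape of `kubectl config view -o json`.
SAMPLE_KUBECONFIG = json.loads("""
{
  "users": [
    {"name": "gke-legacy", "user": {"auth-provider": {"name": "gcp", "config": {}}}},
    {"name": "aks-legacy", "user": {"auth-provider": {"name": "azure", "config": {}}}},
    {"name": "gke-plugin", "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "gke-gcloud-auth-plugin"}}},
    {"name": "oidc-user", "user": {"auth-provider": {"name": "oidc", "config": {}}}},
    {"name": "cert-user", "user": {"client-certificate-data": "REDACTED"}}
  ]
}
""")


def classify_users(kubeconfig):
    """Map each user entry to 'removed-provider:<name>', 'exec:<command>' or 'other'."""
    result = {}
    for entry in kubeconfig.get("users") or []:
        user = entry.get("user") or {}
        provider = (user.get("auth-provider") or {}).get("name")
        command = (user.get("exec") or {}).get("command")
        if provider in REMOVED_PROVIDERS:
            # This entry fails with a kubectl that no longer bundles the provider.
            result[entry["name"]] = f"removed-provider:{provider}"
        elif command:
            # Exec credential plugin: kubectl runs an external binary for credentials.
            result[entry["name"]] = f"exec:{command}"
        else:
            # Anything else (client certs, tokens, providers other than gcp/azure).
            result[entry["name"]] = "other"
    return result


def needs_migration(kubeconfig):
    """Return the sorted names of user entries that still use a removed provider."""
    kinds = classify_users(kubeconfig)
    return sorted(n for n, k in kinds.items() if k.startswith("removed-provider:"))


if __name__ == "__main__":
    for name, kind in classify_users(SAMPLE_KUBECONFIG).items():
        print(f"{name}: {kind}")
```
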

@shannonxtreme
Contributor

shannonxtreme commented Aug 17, 2022

/help-wanted

@k8s-ci-robot
Contributor

@shannonxtreme: The label(s) /label help-wanted cannot be applied. These labels are supported: api-review, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, team/katacoda, refactor

In response to this:

/label help-wanted

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@sftim
Contributor Author

sftim commented Aug 18, 2022

/help

@k8s-ci-robot
Contributor

@sftim:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

  • Why are we solving this issue?
  • To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
  • Does this issue have zero to low barrier of entry?
  • How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Aug 18, 2022
@kadtendulkar
Contributor

/assign

@reylejano
Member

Kubernetes 1.25.0 did not remove Google and Azure auth plugins due to a regression issue, see kubernetes/kubernetes#111911 (comment). The revert is in PR kubernetes/kubernetes#111918

@sftim
Contributor Author

sftim commented Sep 23, 2022

This change is likely to arrive in v1.26, so we should get it staffed.

@sftim
Contributor Author

sftim commented Sep 23, 2022

@shannonxtreme would you be willing to change the minor version in #35896 (comment) ?

@palnabarun
Member

@enj @liggitt -- as author/reviewer of the External Credential Provider KEP, can you please review the doc change suggested by @shannonxtreme in #35896 (comment)?

@liggitt
Member

liggitt commented Oct 4, 2022

A few suggestions:

  • I probably would not put "panic" in the heading title
  • Can we link to https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins as well
  • I'm on the fence about whether we need the cloud-specific links in this doc... if you try to use them in a kubectl version that has removed them, you already get a message output at time of use with the appropriate link/reference. If we do keep those links, I would say something like "These providers have released kubectl plugins to provide the cloud-specific authentication." instead of "fix the authentication"

@enj
Member

enj commented Oct 4, 2022

> I'm on the fence about whether we need the cloud-specific links in this doc... if you try to use them in a kubectl version that has removed them, you already get a message output at time of use with the appropriate link/reference.

I personally do not think the kube authn docs should contain cloud-specific links. It is on the cloud providers to migrate their users anyway, and the cloud CLI tools are fully capable of hiding the bulk of this migration by performing runtime checks and/or preferring credential plugins over the legacy approach.

@sftim
Contributor Author

sftim commented Oct 4, 2022

I agree about not including cloud-provider-specific links. Integrations with cloud providers are not required for a (vanilla) Kubernetes cluster to function.

See https://github.com/kubernetes/enhancements/tree/master/keps/sig-docs/1326-third-party-content-in-docs#readme for some more context.

@sftim
Contributor Author

sftim commented Oct 18, 2022

We can instead advise readers to search in their cloud provider's documentation for further advice.

@krol3
Contributor

krol3 commented Nov 9, 2022

Hello @kadtendulkar 👋, 1.26 Release Docs Lead here. This feature request needs Docs for 1.26 release.

Please follow the steps detailed in the documentation to open a PR against dev-1.26 branch in the k/website repo. This PR can be just a placeholder at this time, and must be created by November 10. Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Any doubt, reach us! Thank you!

@kadtendulkar
Contributor

/unassign

@k8s-triage-robot

This issue is labeled with priority/important-soon but has not been updated in over 90 days, and should be re-triaged.
Important-soon issues must be staffed and worked on either currently, or very soon, ideally in time for the next release.

You can:

  • Confirm that this issue is still relevant with /triage accepted (org members only)
  • Deprioritize it with /priority important-longterm or /priority backlog
  • Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. and removed triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Mar 20, 2023
@sftim
Contributor Author

sftim commented May 2, 2023

//remove-priority important-soon
/priority important-longterm
/triage accepted

@k8s-ci-robot k8s-ci-robot added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 2, 2023
@sftim
Contributor Author

sftim commented May 2, 2023

/remove-priority important-soon

@k8s-ci-robot k8s-ci-robot removed the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label May 2, 2023
@coder12git
Contributor

@sftim, could you kindly provide a detailed description of the issue once more? Upon reviewing the above comments, it appears that numerous changes have been implemented.

@sftim
Contributor Author

sftim commented Nov 27, 2023

> @sftim, could you kindly provide a detailed description of the issue once more? Upon reviewing the above comments, it appears that numerous changes have been implemented.


#35896 (comment) looks right to me.

The task is to update 3 pages:

to signpost users to the right internal and external docs. We can remove this signposting once Kubernetes v1.27 (sic) is the oldest supported version of Kubernetes (consider adding an HTML comment with that detail).

Optionally, also update https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins to mention that earlier versions of kubectl included built-in support for authenticating to AKS and GKE, but this is no longer present.

In terms of the “right internal and internal docs” to link to, you should use your judgement. You could link to https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins or to a task page; you might need to write the task page first.

Any more questions? It's clear to me, but I might have missed something.

@coder12git
Contributor

/assign

@coder12git
Contributor

> > @sftim, could you kindly provide a detailed description of the issue once more? Upon reviewing the above comments, it appears that numerous changes have been implemented.
>
> #35896 (comment) looks right to me.
>
> The task is to update 3 pages:
>
> to signpost users to the right internal and external docs. We can remove this signposting once Kubernetes v1.27 (sic) is the oldest supported version of Kubernetes (consider adding an HTML comment with that detail).
>
> Optionally, also update https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins to mention that earlier versions of kubectl included built-in support for authenticating to AKS and GKE, but this is no longer present.
>
> In terms of the “right internal and internal docs” to link to, you should use your judgement. You could link to https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins or to a task page; you might need to write the task page first.
>
> Any more questions? It's clear to me, but I might have missed something.

Thanks @sftim , I am working on this, will create a PR soon ;)

Projects
Status: Done
Archived in project