From b7c24329e1b4cd4cd2fa4a7a4f6643e2028385bb Mon Sep 17 00:00:00 2001
From: Adriano Cunha
Date: Tue, 21 Aug 2018 22:02:56 -0400
Subject: [PATCH] Properly fix acquire_cluster_admin_role()
`kubectl` 1.11 doesn't recognize the `--username` and `--password` flags anymore. Because the `prow-tests` image uses `kubectl` 1.8, the Prow jobs are not broken (yet). The changes in #86 don't work because the context is not changed (nor restored), but the function works as long as the current user is an owner of the GCP project (which is not the case for Prow E2E test jobs). This change creates and uses a new context for the cluster admin, created the role binding, then switches back to the original context. This is more secure as no ACL changes are required for the current user, nor project wide ACL changes are performed.
---
 scripts/library.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/scripts/library.sh b/scripts/library.sh
index efac7318b01..d9a2e0bdbab 100755
--- a/scripts/library.sh
+++ b/scripts/library.sh
@@ -164,10 +164,16 @@ function acquire_cluster_admin_role() {
 # might not have the necessary permission.
 local password=$(gcloud --format="value(masterAuth.password)" \
 container clusters describe $2 --zone=$3)
- kubectl config set-credentials cluster-admin --username=admin --password=${password}
+ kubectl config set-credentials cluster-admin \
+ --username=admin --password=${password}
+ kubectl config set-context $(kubectl config current-context) \
+ --user=cluster-admin
 kubectl create clusterrolebinding cluster-admin-binding \
 --clusterrole=cluster-admin \
 --user=$1
+ # Reset back to the default account
+ gcloud container clusters get-credentials \
+ $2 --zone=$3 --project $(gcloud config get-value project)
 }
 # Runs a go test and generate a junit summary through bazel.
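Review bot: The basic-auth admin password appears to stay in the kubeconfig after this function returns: `kubectl config set-credentials cluster-admin ... --password=${password}` writes it into the `cluster-admin` user entry, and the closing `gcloud container clusters get-credentials` seems only to regenerate the cluster's own context and user, not to delete that entry. Adding `kubectl config unset users.cluster-admin` after the `clusterrolebinding` call would remove it, and quoting `"${password}"`, `"$2"` and `"$3"` avoids word splitting on those values. The password is also passed on the command line, so it can show up in process listings and in any `set -x` trace a CI job keeps; whether tracing is enabled is not visible here. `set-context $(kubectl config current-context)` edits the current context in place rather than creating a new one as the description says, so if `kubectl create clusterrolebinding` fails, or the current context is not the one for cluster `$2`, that context may be left bound to `cluster-admin`. The start of the function is outside the hunk, so error handling there may already cover part of this.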