Starting with Kubernetes client 1.22, you may start seeing warning messages about your authentication mechanism when running commands. Here is an example when using gcloud for GKE cluster credentials.
WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.26+; use gcloud instead.
This is because the authentication provider-specific login code will be removed from kubectl completely in 1.26, and will instead be provided as plugins.
You can prepare for this deprecation by going ahead and installing the new authentication plugin today, you do not have to upgrade your cluster nor your kubectl version. In this article, I will provide instructions on installing the gke-gcloud-auth-plugin for GKE clusters.
Installing authentication plugin
If you are on a Debian/Ubuntu system and originally installed gcloud and its related components using apt, then run:
# install Google gke auth plugin sudo apt install google-cloud-sdk-gke-gcloud-auth-plugin -y # smoke test new auth plugin gke-gcloud-auth-plugin --version
If you instead installed using the gcloud component system:
gcloud components install gke-gcloud-auth-plugin
Backup old KUBECONFIG
In case you need to get back to the original configuration or do comparisons for troubleshooting, make a backup of your current KUBECONFIG.
cd ~/.kube cp config config.oldauth
Rewrite KUBECONFIG entry
Your legacy KUBECONFIG has an ‘auth-provider’ section that references gcloud for authentication. This needs to be removed and instead use an ‘exec’ section that references the new ‘gke-gcloud-auth-plugin’.
This sounds complicated, but is done automatically by gcloud when you run the following:
# set environment variable for using newer auth plugin export USE_GKE_GCLOUD_AUTH_PLUGIN=True # list current GKE clusters and their region|zone gcloud container clusters list # recreate kubeconfig entry for this cluster gcloud container clusters get-credentials <clusterName> --zone|region <zoneOrRegionOfCluster>
Validate change
With the KUBECONFIG entry for the cluster rewritten using the newer authentiation plugin, you should now be able to run a simple kubectl command without the deprecation warning.
kubectl get pods
REFERENCES
google, kubectl auth changes in 1.26
google, google auth client plugin deprecated in 1.22
kubernetes.io, client-go credentials plugin