GCP: fix kubectl auth plugin deprecation warning by installing new auth plugin

Starting with Kubernetes client 1.22, you may start seeing warning messages about your authentication mechanism when running commands.  Here is an example when using gcloud for GKE cluster credentials.

WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.26+; use gcloud instead.

This is because the authentication provider-specific login code will be removed from kubectl completely in 1.26, and will instead be provided as plugins.

You can prepare for this deprecation by installing the new authentication plugin today; you do not have to upgrade your cluster or your kubectl version.  In this article, I will provide instructions on installing the gke-gcloud-auth-plugin for GKE clusters.

Installing authentication plugin

If you are on a Debian/Ubuntu system and originally installed gcloud and its related components using apt, then run:

# install Google gke auth plugin
sudo apt install google-cloud-sdk-gke-gcloud-auth-plugin -y

# smoke test new auth plugin
gke-gcloud-auth-plugin --version

If you instead installed using the gcloud component system:

gcloud components install gke-gcloud-auth-plugin

Back up old KUBECONFIG

In case you need to get back to the original configuration or do comparisons for troubleshooting, make a backup of your current KUBECONFIG.

cd ~/.kube
cp config config.oldauth

Rewrite KUBECONFIG entry

Your legacy KUBECONFIG has an ‘auth-provider’ section that references gcloud for authentication.  This section needs to be removed and replaced with an ‘exec’ section that references the new ‘gke-gcloud-auth-plugin’.

This sounds complicated, but is done automatically by gcloud when you run the following:

# set environment variable for using newer auth plugin
export USE_GKE_GCLOUD_AUTH_PLUGIN=True

# list current GKE clusters and their region|zone
gcloud container clusters list

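# recreate kubeconfig entry for this cluster (zonal cluster)
gcloud container clusters get-credentials <clusterName> --zone <zoneOfCluster>

# or, for a regional cluster
gcloud container clusters get-credentials <clusterName> --region <regionOfCluster>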

Validate change

With the KUBECONFIG entry for the cluster rewritten using the newer authentication plugin, you should now be able to run a simple kubectl command without the deprecation warning.

kubectl get pods
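Because get-credentials rewrites only the entry for the cluster you name, other clusters in the same KUBECONFIG can still carry the old ‘auth-provider’ section. The script below is an added example, not part of the original article: it lists each user entry and whether it uses the legacy provider or the new exec plugin. The function names and the sample cluster names are constructed for illustration.

```shell
#!/bin/sh
# Report how each user entry in a kubeconfig authenticates.
# Output: "<user-name> <legacy-auth-provider|exec-plugin|other>", one per line.
classify_kube_users() {
  awk '
    function emit() { if (name != "") print name, kind }
    /^users:/ { in_users = 1; next }
    /^[^ -]/  { emit(); name = ""; in_users = 0 }  # another top-level key ends users:
    in_users && /^- name:/ { emit(); name = $3; kind = "other"; next }
    in_users && /^ +auth-provider:/ { kind = "legacy-auth-provider" }
    in_users && /^ +command: .*gke-gcloud-auth-plugin/ { kind = "exec-plugin" }
    END { emit() }
  ' "$1"
}

# Constructed sample: one entry already rewritten, one still on the old provider.
write_sample_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
users:
- name: gke_example-project_us-central1-a_cluster-new
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: gke-gcloud-auth-plugin
      provideClusterInfo: true
- name: gke_example-project_us-east1_cluster-old
  user:
    auth-provider:
      config:
        cmd-args: config config-helper --format=json
        cmd-path: /usr/lib/google-cloud-sdk/bin/gcloud
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
EOF
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_kubeconfig "$sample"
classify_kube_users "$sample"
rm -f "$sample"
```

To check your own file, call classify_kube_users ~/.kube/config; every entry reported as legacy-auth-provider needs its own get-credentials run.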

 
