authorTiger <twatson@gitlab.com>2019-06-06 19:48:18 +1000
committerTiger <twatson@gitlab.com>2019-06-18 13:03:44 +1000
commitf9d05fb836426966ff86a48a4c88893bc1c81991 (patch)
tree2716039d6f3dea88792d112f2683454d20d0b16a
parentdb9ef69272155b3c8ead5c0e7d027bda2b623d43 (diff)
Remove project-level cluster credential fallback62772-disable-kubernetes-credential-passthrough
Project-level clusters that made use of this legacy behaviour have been migrated to unmanaged clusters, so we are now free to remove this fallback.
-rw-r--r--app/models/clusters/platforms/kubernetes.rb13
-rw-r--r--changelogs/unreleased/62772-disable-kubernetes-credential-passthrough.yml5
-rw-r--r--doc/user/project/clusters/index.md8
-rw-r--r--spec/models/clusters/platforms/kubernetes_spec.rb32
-rw-r--r--spec/models/project_spec.rb4
5 files changed, 18 insertions, 44 deletions
diff --git a/app/models/clusters/platforms/kubernetes.rb b/app/models/clusters/platforms/kubernetes.rb
index 272861cacf0..2afe471d1cc 100644
--- a/app/models/clusters/platforms/kubernetes.rb
+++ b/app/models/clusters/platforms/kubernetes.rb
@@ -91,19 +91,6 @@ module Clusters
elsif kubernetes_namespace = cluster.kubernetes_namespaces.has_service_account_token.find_by(project: project)
variables.concat(kubernetes_namespace.predefined_variables)
- elsif cluster.project_type?
- # As of 11.11 a user can create a cluster that they manage themselves,
- # which replicates the existing project-level cluster behaviour.
- # Once we have marked all project-level clusters that make use of this
- # behaviour as "unmanaged", we can remove the `cluster.project_type?`
- # check here.
- project_namespace = cluster.kubernetes_namespace_for(project)
-
- variables
- .append(key: 'KUBE_URL', value: api_url)
- .append(key: 'KUBE_TOKEN', value: token, public: false, masked: true)
- .append(key: 'KUBE_NAMESPACE', value: project_namespace)
- .append(key: 'KUBECONFIG', value: kubeconfig(project_namespace), public: false, file: true)
end
variables.concat(cluster.predefined_variables)
diff --git a/changelogs/unreleased/62772-disable-kubernetes-credential-passthrough.yml b/changelogs/unreleased/62772-disable-kubernetes-credential-passthrough.yml
new file mode 100644
index 00000000000..35771e80821
--- /dev/null
+++ b/changelogs/unreleased/62772-disable-kubernetes-credential-passthrough.yml
@@ -0,0 +1,5 @@
+---
+title: Disable Kubernetes credential passthrough for managed project-level clusters
+merge_request: 29262
+author:
+type: removed
diff --git a/doc/user/project/clusters/index.md b/doc/user/project/clusters/index.md
index 181b20dc710..7da91f7dc54 100644
--- a/doc/user/project/clusters/index.md
+++ b/doc/user/project/clusters/index.md
@@ -530,6 +530,14 @@ This job failed because the necessary resources were not successfully created.
To find the cause of this error when creating a namespace and service account, check the [logs](../../../administration/logs.md#kuberneteslog).
+NOTE: **NOTE:**
+As of GitLab 12.0 we require [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
+tokens for all project level clusters unless you unselect the
+[GitLab-managed cluster](#gitlab-managed-clusters) option. If you
+want to manage namespaces and service accounts yourself and don't
+want to provide a `cluster-admin` token to GitLab you must unselect this
+option or you will get the above error.
+
Common reasons for failure include:
- The token you gave GitLab did not have [`cluster-admin`](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
diff --git a/spec/models/clusters/platforms/kubernetes_spec.rb b/spec/models/clusters/platforms/kubernetes_spec.rb
index 1fb3a8de808..0fa5d031736 100644
--- a/spec/models/clusters/platforms/kubernetes_spec.rb
+++ b/spec/models/clusters/platforms/kubernetes_spec.rb
@@ -281,14 +281,14 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
it_behaves_like 'setting variables'
- it 'sets KUBE_TOKEN' do
- expect(subject).to include(
+ it 'does not set KUBE_TOKEN' do
+ expect(subject).not_to include(
{ key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
)
end
end
- context 'kubernetes namespace is created with no service account token' do
+ context 'kubernetes namespace is created with service account token' do
let!(:kubernetes_namespace) { create(:cluster_kubernetes_namespace, :with_token, cluster: cluster) }
it_behaves_like 'setting variables'
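Review bot: The negated expectation at `expect(subject).not_to include(` only proves that the exact tuple `{ key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }` is absent, so a regression that re-exposes the cluster token under the same key with different attributes (for example `masked: false` or `public: true`) would still pass. Since these examples are the regression guard for removing the credential passthrough, assert on the key alone: `expect(subject.map { |v| v[:key] }).not_to include('KUBE_TOKEN')`. The same pattern appears in spec/models/project_spec.rb at `expect(project.deployment_variables).not_to include(` and should get the same treatment. The enclosing `context` blocks and the `subject` definition begin outside this hunk.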
@@ -340,32 +340,6 @@ describe Clusters::Platforms::Kubernetes, :use_clean_rails_memory_store_caching
end
end
- context 'namespace is provided' do
- let(:namespace) { 'my-project' }
-
- before do
- kubernetes.namespace = namespace
- end
-
- it_behaves_like 'setting variables'
-
- it 'sets KUBE_TOKEN' do
- expect(subject).to include(
- { key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
- )
- end
- end
-
- context 'no namespace provided' do
- it_behaves_like 'setting variables'
-
- it 'sets KUBE_TOKEN' do
- expect(subject).to include(
- { key: 'KUBE_TOKEN', value: kubernetes.token, public: false, masked: true }
- )
- end
- end
-
context 'group level cluster' do
let!(:cluster) { create(:cluster, :group, platform_kubernetes: kubernetes) }
diff --git a/spec/models/project_spec.rb b/spec/models/project_spec.rb
index 20b98b5eb85..cc0f5002a1e 100644
--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -2656,8 +2656,8 @@ describe Project do
let!(:cluster) { create(:cluster, :project, :provided_by_gcp) }
let(:project) { cluster.project }
- it 'returns variables from this service' do
- expect(project.deployment_variables).to include(
+ it 'does not return variables from this service' do
+ expect(project.deployment_variables).not_to include(
{ key: 'KUBE_TOKEN', value: project.deployment_platform.token, public: false, masked: true }
)
end