The method IsRunningOnComputeEngineNoCache checks that the metadata server returns the header Metadata-Flavor: Google. However, that endpoint will return an error if that same header is not also supplied in the request.
Notice in the following, curl-ing the endpoint does not return the header it's checking for:
# create a pod in my gke cluster
$ kubectl run -it --generator=run-pod/v1 --image google/cloud-sdk --namespace default workload-identity-test
# inside gce:
root@workload-identity-test:/# curl -v http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
* Trying 169.254.169.254...
* TCP_NODELAY set
* Connected to 169.254.169.254 (169.254.169.254) port 80 (#0)
> GET /computeMetadata/v1/instance/service-accounts/default/token HTTP/1.1
> Host: 169.254.169.254
> User-Agent: curl/7.52.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Mon, 10 Jun 2019 13:54:13 GMT
< Content-Length: 94
<
GKE Metadata Server encountered an error: Missing required header "Metadata-Flavor": "Google"
* Curl_http_done: called premature == 0
* Connection #0 to host 169.254.169.254 left intact
root@workload-identity-test:/#
Elsewhere in ComputeCredential it does add the header, but not for IsRunningOnComputeEngine.
I'll create a PR in a few moments.
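The failure described in this report can be reproduced offline. The following is an added example in Python, not code from the library or from the report's author: a constructed local stand-in server rejects requests that lack `Metadata-Flavor: Google` with the 403 shown in the transcript, and a hypothetical `probe` helper performs the detection check with and without the request header. That the stand-in returns the header on accepted requests is an assumption taken from the check the report describes.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

FLAVOR = ("Metadata-Flavor", "Google")

class StandInMetadataServer(BaseHTTPRequestHandler):
    """Constructed stand-in, not the real GKE metadata server."""

    def do_GET(self):
        if self.headers.get(FLAVOR[0]) == FLAVOR[1]:
            # Assumption: an accepted request gets the flavor header back.
            status, body, extra = 200, b"ok", [FLAVOR]
        else:
            # Mirrors the 403 in the curl transcript: no flavor header returned.
            status, extra = 403, []
            body = b'Missing required header "Metadata-Flavor": "Google"'
        self.send_response(status)
        for name, value in extra:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def probe(host, port, send_flavor_header):
    """Return (status, detected); detected means the response carried the header."""
    conn = http.client.HTTPConnection(host, port, timeout=2)
    try:
        headers = {FLAVOR[0]: FLAVOR[1]} if send_flavor_header else {}
        conn.request("GET", "/", headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader(FLAVOR[0]) == FLAVOR[1]
    finally:
        conn.close()

def run_demo():
    """Probe the stand-in twice: without the request header, then with it."""
    server = HTTPServer(("127.0.0.1", 0), StandInMetadataServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host, port = server.server_address
        return probe(host, port, False), probe(host, port, True)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```

Without the request header the probe sees a 403 and no flavor header, so a detection check built on the response header reports a false negative; with the header it succeeds.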