I use the following commands in my deployment pipeline to set up kubectl for use with Container Engine:
gcloud auth activate-service-account ***@***.iam.gserviceaccount.com --key-file /var/go/.gcloud/***.json
gcloud config set account ***@***.iam.gserviceaccount.com
gcloud config set project gcloud-projectx
gcloud container clusters get-credentials gke-cluster --zone europe-west1-c
Since a recent gcloud update, when running kubectl version this fails with the following error:
Client Version: version.Info{Major:"1", Minor:"3", GitVersion:"v1.3.4", GitCommit:"dd6b458ef8dbf24aff55795baa68f83383c9b3a9", GitTreeState:"clean", BuildDate:"2016-08-01T16:45:16Z", GoVersion:"go1.6.2", Compiler:"gc", Platform:"linux/amd64"}
error: You must be logged in to the server (the server has asked for the client to provide credentials)
This is with Google Cloud SDK 122.0.0 and kubectl-linux-x86_64 1.3.4, whereas Google Cloud SDK 119.0.0 and kubectl-linux-x86_64 1.2.5 outputs:
Client Version: version.Info{Major:"1", Minor:"2", GitVersion:"v1.2.5", GitCommit:"25eb53b54e08877d3789455964b3e97bdd3f3bce", GitTreeState:"clean"}
Server Version: version.Info{Major:"1", Minor:"3", GitVersion:"v1.3.5", GitCommit:"b0deb2eb8f4037421077f77cb163dbb4c0a2a9f5", GitTreeState:"clean", BuildDate:"2016-08-11T20:21:58Z", GoVersion:"go1.6.2", Compiler:"gc", Platform:"linux/amd64"}
The gcloud and kubectl tooling has changed recently to use OAuth2 authentication instead of a client certificate, which causes the issue.
August 17, 2016
Kubernetes v1.3.5 is the default version for new clusters. gcloud changed the container/use_client_certificate property default value to false. This makes the gcloud container clusters create and gcloud container clusters get-credentials commands configure kubectl to use Google OAuth2 credentials by default instead of the legacy client certificate.
I can fix it on the newer version by reverting to client certificate authentication with these commands:
gcloud config set container/use_client_certificate True
export CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True
My question is how can I get the OAuth2 authentication to work so I don't have to fall back to the client certificate authentication? I would have thought this would happen transparently and without errors.
Kubectl is configured to use Application Default Credentials to authenticate to the Kubernetes master. To specify the service account you want it to use, set GOOGLE_APPLICATION_CREDENTIALS to the location of your key file. So for you:
export GOOGLE_APPLICATION_CREDENTIALS=/var/go/.gcloud/***.json
Sorry it wasn't as transparent and frictionless as you (and we) hoped.
As of last October 2016, you can use the command gcloud container clusters get-credentials your-cluster-name to retrieve and set the token from Google Cloud Platform.
To check whether the token is set for kubectl commands, issue the command kubectl config view | grep access-token
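
The two answers above (pointing GOOGLE_APPLICATION_CREDENTIALS at the key file, and checking the kubeconfig for an access token) can be combined into a pipeline check. This is an added example, not code from the original posts: the function names are hypothetical, the kubeconfig is a constructed sample with placeholder values, and the parser assumes the "- name:" first layout that kubectl config view prints for user entries.

```shell
#!/bin/sh
# Print "<user> <method>" for every entry under users: in a kubeconfig.
kubeconfig_auth_methods() {
  awk '
    function emit() { if (name != "") print name, (m == "" ? "none" : m); name = ""; m = "" }
    /^[^ #-]/  { emit(); in_users = ($1 == "users:"); next }  # new top-level key
    !in_users  { next }                                       # skip clusters/contexts
    /^- name:/ { emit(); name = $3; next }                    # next user entry
    /^ +client-certificate(-data)?:/ { m = "client-certificate" }
    /^ +auth-provider:/ { if (m == "") m = "auth-provider" }
    /^ +name: gcp$/     { if (m == "auth-provider") m = "gcp-oauth2" }
    END { emit() }
  ' "$1"
}

# Hypothetical pipeline gate: succeed only if no user entry still relies on
# the legacy client certificate and the key file variable is usable.
oauth2_ready() {
  if kubeconfig_auth_methods "$1" | grep -q ' client-certificate$'; then
    echo "legacy client certificate still configured" >&2; return 1
  fi
  [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ] && [ -r "$GOOGLE_APPLICATION_CREDENTIALS" ] || {
    echo "GOOGLE_APPLICATION_CREDENTIALS unset or unreadable" >&2; return 1; }
}

write_sample_kubeconfig() {  # constructed sample, placeholder values only
  cat > "$1" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    server: https://203.0.113.10
  name: gke_sample
users:
- name: gke_legacy
  user:
    client-certificate-data: PLACEHOLDER
- name: gke_oauth
  user:
    auth-provider:
      config:
        access-token: PLACEHOLDER
      name: gcp
EOF
}

sample=$(mktemp); write_sample_kubeconfig "$sample"
kubeconfig_auth_methods "$sample"; rm -f "$sample"
```

In a real pipeline the file argument would be the kubeconfig that get-credentials wrote, typically ~/.kube/config.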