Access GCP Cloud DNS from pods on GKE

9/27/2016

I’m investigating this letsencrypt controller (https://github.com/tazjin/kubernetes-letsencrypt).

It requires pods have permission to make changes to records in Cloud DNS. I thought with the pods running on GKE I’d get that access with the default service account, but the requests are failing. What do I need to do to allow the pods access to Cloud DNS?

-- Andy Hume
google-cloud-dns
google-cloud-platform
google-kubernetes-engine
kubernetes
lets-encrypt

1 Answer

9/27/2016

The Google Cloud DNS API's changes.create call requires either the https://www.googleapis.com/auth/ndev.clouddns.readwrite or https://www.googleapis.com/auth/cloud-platform scope, neither of which is enabled by default on a GKE cluster.

You can add a new Node Pool to your cluster with the DNS scope by running:

gcloud container node-pools create np1 --cluster my-cluster --scopes https://www.googleapis.com/auth/ndev.clouddns.readwrite

Or, you can create a brand new cluster with the scopes you need, either by passing the --scopes flag to gcloud container clusters create, or in the New Cluster dialog in Cloud Console, click "More", and set the necessary scopes to "Enabled".

-- CJ Cullen
Source: StackOverflow
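A way to confirm the diagnosis from the answer before changing anything, as an added example that is not part of the original question or answer: the node's OAuth scopes are what the pod's default credentials inherit, so a pod (or a shell on the node) can read them from the metadata server and check whether one of the two scopes changes.create accepts is present. The metadata URL and the two scope strings are real; the scope lists below are constructed samples so the script runs offline, and the cluster and pool names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer. Checks whether the node's
# service-account scopes include a scope that Cloud DNS changes.create accepts,
# and prints the node-pool command from the answer when they do not.

DNS_RW_SCOPE="https://www.googleapis.com/auth/ndev.clouddns.readwrite"
CLOUD_PLATFORM_SCOPE="https://www.googleapis.com/auth/cloud-platform"

# Constructed sample: a node whose scopes do not cover Cloud DNS
# (models the default GKE node pool described in the answer).
NO_DNS_SCOPES="https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring"

# Constructed sample: the same node after adding the read/write DNS scope.
DNS_READY_SCOPES="$NO_DNS_SCOPES
$DNS_RW_SCOPE"

# live_scopes: read the scopes of the node's default service account from the
# GCE metadata server. Only works inside a GKE node or pod; otherwise prints nothing.
live_scopes() {
    curl -s -H 'Metadata-Flavor: Google' \
        http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes
}

# has_dns_scope SCOPES: 0 when the newline-separated list contains either
# scope changes.create accepts, 1 otherwise. -F/-x force an exact whole-line match.
has_dns_scope() {
    printf '%s\n' "$1" | grep -qxF -e "$DNS_RW_SCOPE" -e "$CLOUD_PLATFORM_SCOPE"
}

# node_pool_cmd CLUSTER POOL: the command from the answer, using the narrower
# DNS read/write scope rather than cloud-platform (least privilege for this controller).
node_pool_cmd() {
    printf 'gcloud container node-pools create %s --cluster %s --scopes %s\n' \
        "$2" "$1" "$DNS_RW_SCOPE"
}

# main [SCOPES]: report on the given list, or on the live metadata when none is given.
# Always exits 0; it is a report, not a gate.
main() {
    scopes="${1:-$(live_scopes 2>/dev/null)}"
    if has_dns_scope "$scopes"; then
        echo "ok: node scopes allow Cloud DNS changes.create"
    else
        echo "missing: no Cloud DNS scope on this node; add a node pool with:"
        node_pool_cmd my-cluster np1   # placeholder names from the answer
    fi
    return 0
}

main "$@"
```

Run it with no arguments inside a pod to read the live scopes, or pass a scope list as the first argument to check a saved copy. Note that scopes are fixed at node creation, which is why the answer adds a node pool rather than changing the running one.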