I've been working on a python project with the goal to interact with Kubernetes. One of the problems I have run into is the authentication process. Similar to this question I get the error
google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. For more information, please see https://cloud.google.com/docs/authentication/getting-started
I understand that this is probably due to the fact that I use PyCharm. However, when I run it from the terminal, I get this error:
kubernetes.client.rest.ApiException: (403) Reason: Forbidden HTTP response headers: HTTPHeaderDict({'Audit-Id': 'XXXXXXXXXXX', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'XXXXXXXXXXXXXXXX', 'Content-Length': 'XXX'}) HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"deployments.extensions is forbidden: User \"XXXXXXXXXXXXXXXXXXX\" cannot create deployments.extensions in the namespace \"default\": Required \"container.deployments.create\" permission.","reason":"Forbidden","details":{"group":"extensions","kind":"deployments"},"code":403}
However, when I change my code from:
os.system(f"gcloud container clusters get-credentials {cluster_name} --zone {zone} --project {project}")
to
os.system(f"gcloud container clusters get-credentials {cluster_name} --zone {zone} --project {project}")
os.system("kubectl run hello-server --image gcr.io/google-samples/hello-app:1.0 --port 8080")
os.system("kubectl delete deployments hello-server")
I can authenticate and all other functionality is exactly as it should be. I don't understand why this is. I think it's probably an indication something is wrong and would like to fix it before continuing. Does anybody know what is happening here, and how to fix it?
What about using the Kubernetes client for Python?
https://github.com/kubernetes-client/python
Check this example for remote cluster access:
https://github.com/kubernetes-client/python/blob/master/examples/remote_cluster.py
From your error description I can see that you are not having a problem with authentication but with authorization to Kubernetes. These are two different things.
The error message you posted should be interpreted in the following way:
"You are not authorized to perform "create" action on "deployment" object."
The mechanism that blocks your user's access to a specific operation on cluster resources is called role-based access control (RBAC), which is built into GKE and generally enabled from Kubernetes 1.6 onwards.
How to solve your problem:
The easiest way is to use one of the predefined Cloud IAM roles for Kubernetes clusters, e.g. "roles/container.admin", which will be mapped automatically to the ClusterRole (cluster-admin). Please keep in mind to apply the "principle of least privilege", especially for production clusters.
If you created a GCP service account in step #1:
1. download its key in JSON format
2. provide authentication credentials to your application code by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS
I'm setting it up directly inside my python app:
import os
# Point google-auth at the service account key (path relative to the working directory)
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = 'gke-admin-svc-key.json'
From now on you should be able to interact with your cluster from outside, in the context of the GCP service account, which should be reflected in the audit logs:
authenticationInfo: {
principalEmail: "<id_of_your_svc_account>"
}
authorizationInfo: [
0: {
granted: true
permission: "io.k8s.core.v1.pods.list"
resource: "core/v1/pods"
}
]
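Added example (my own code, not from the question or either answer) covering the two points of the answer above: how to reach the cluster in-process as the GCP service account instead of shelling out to gcloud/kubectl, and how to tell a 401 (authentication) apart from the 403 (authorization) shown in the question by parsing the API server's Status body. It assumes the google-auth, google-cloud-container and kubernetes packages for the client-building part; the project, zone, cluster and key file names are placeholders, and the sample 403 body is constructed from the question's message with a made-up service account where the question redacts the user.

```python
"""Added example: GKE access as a service account + 401/403 classification.
Assumes google-auth, google-cloud-container and kubernetes are installed for
gke_api_client(); names in __main__ are placeholders."""
import base64
import json
import re
import tempfile

# Patterns for the kube-apiserver "Forbidden" message shown in the question:
#   <res> is forbidden: User "<u>" cannot <verb> <res> in the namespace "<ns>":
#   Required "<permission>" permission.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<resource>\S+)'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?'
)
REQUIRED_RE = re.compile(r'Required "(?P<permission>[^"]+)" permission')

# Constructed sample body modelled on the question's 403; the user is made up.
SAMPLE_403_BODY = json.dumps({
    "kind": "Status", "apiVersion": "v1", "status": "Failure", "code": 403,
    "reason": "Forbidden",
    "message": ('deployments.extensions is forbidden: User '
                '"gke-admin@my-project.iam.gserviceaccount.com" cannot create '
                'deployments.extensions in the namespace "default": '
                'Required "container.deployments.create" permission.'),
})


def classify_api_error(status, body):
    """Map an ApiException's status/body to authentication vs authorization.

    401: the API server did not accept who you claim to be.
    403: it knows who you are, but RBAC/IAM denies that verb on that resource.
    """
    try:
        payload = json.loads(body) if body else {}
    except (TypeError, ValueError):
        payload = {}
    message = payload.get("message", "") if isinstance(payload, dict) else ""
    info = {"status": status, "message": message}
    if status == 401:
        info["kind"] = "authentication"
    elif status == 403:
        info["kind"] = "authorization"
        m = FORBIDDEN_RE.search(message)
        if m:
            info.update({k: v for k, v in m.groupdict().items() if v})
        r = REQUIRED_RE.search(message)
        if r:
            info["required_permission"] = r.group("permission")
    else:
        info["kind"] = "other"
    return info


def gke_api_client(project, zone, cluster, key_file):
    """Build a kubernetes ApiClient authenticated as a GCP service account.

    In-process equivalent of `gcloud container clusters get-credentials`:
    fetch the endpoint and CA from the GKE API, then send an OAuth2 bearer
    token minted from the key. Imports are local so the helpers above work
    without these packages.
    """
    from google.auth.transport.requests import Request
    from google.cloud import container_v1
    from google.oauth2 import service_account
    from kubernetes import client

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=["https://www.googleapis.com/auth/cloud-platform"])
    creds.refresh(Request())  # exchanges the key for a short-lived access token

    gke = container_v1.ClusterManagerClient(credentials=creds)
    info = gke.get_cluster(
        name=f"projects/{project}/locations/{zone}/clusters/{cluster}")

    # The client verifies the API server against the cluster CA; never fall
    # back to verify_ssl=False to make a "certificate" error go away.
    with tempfile.NamedTemporaryFile(suffix=".crt", delete=False) as ca_file:
        ca_file.write(base64.b64decode(info.master_auth.cluster_ca_certificate))

    cfg = client.Configuration()
    cfg.host = f"https://{info.endpoint}"
    cfg.ssl_ca_cert = ca_file.name
    cfg.api_key["authorization"] = creds.token
    cfg.api_key_prefix["authorization"] = "Bearer"
    return client.ApiClient(cfg)


if __name__ == "__main__":
    from kubernetes import client
    from kubernetes.client.rest import ApiException

    # Placeholders: substitute your own project, zone, cluster and key file.
    api = client.CoreV1Api(gke_api_client(
        "my-project", "us-central1-a", "my-cluster", "gke-admin-svc-key.json"))
    try:
        for pod in api.list_namespaced_pod("default").items:
            print(pod.metadata.name)
    except ApiException as exc:
        print(classify_api_error(exc.status, exc.body))
```

Two things this buys over the os.system approach in the question: the principal in the audit log is unambiguously the service account whose key you loaded (no dependence on whatever gcloud last logged in as), and no cluster or zone name is ever interpolated into a shell command line, which matters as soon as those values come from outside the program. If classify_api_error reports "authorization", the fix is an IAM role binding (or a Kubernetes RoleBinding) for the reported user, not a change to the credentials.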