How can I allow API access to a GKE K8S cluster without modifying the HTTP client

1/15/2020

I set up a k8s cluster on GKE.

I want to control it via the k8s REST API (so, looking at deployments on pods and whatnot, but not accessing what is actually running on the k8s cluster over SSL). I have gotten the appropriate bearer token (curl --insecure [request] works) and can make API requests. However, the SSL certificate isn't valid for my client (it's java, if that matters). I can't easily modify the client to accept the new root cert at this time.

I have been digging around and have examined the following three options:

  • incorporate the cluster's root CA cert into another cert chain (from my limited understanding of TLS, I'm not sure this is possible) that exists in my client already.
  • replace the cluster root CA cert (so that I can use something my client has in its keystore). This implies you can do this with vanilla k8s, but this implies that you cannot with GKE: "An internal Google service manages root keys for this CA, which are non-exportable."
  • allow k8s API access without TLS. I haven't seen anything about this in the docs, which are pretty explicit that k8s API access over the network must use TLS.

Are any of these viable options? Or is my best choice to modify the client?

-- mooreds
google-kubernetes-engine
kubernetes
kubernetes-apiserver
ssl

2 Answers

1/15/2020

Based on some other feedback (in a slack), I ended up putting a proxy between my GKE cluster and my client. Then I can just add the GKE cluster k8s ca cert to the proxy's keystore (and don't have to modify the client). For my purposes, I didn't need to have the proxy use SSL, but for production I would.

-- mooreds
Source: StackOverflow
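The proxy approach from the answer above, written out as an added example (this is not mooreds' own setup or code): a small shell script that generates an nginx reverse-proxy server block. The Java client talks plain HTTP to the proxy on localhost, and the proxy talks TLS to the API server and verifies the server certificate against the cluster CA, so the trust decision is moved to the proxy rather than skipped. The endpoint `203.0.113.10:443`, the listen port `8001`, the file names and the `proxy_verifies_upstream` check are all assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not code from either answer: generate an nginx reverse-proxy
# config that sits between the Java client and the GKE API server. The
# client-to-proxy leg is plain HTTP on loopback; the proxy-to-cluster leg is
# TLS with the cluster CA pinned. Endpoint, port and paths are assumptions.
set -eu

# write_proxy_conf CONF UPSTREAM CA_FILE
#   CONF     - where to write the nginx server block
#   UPSTREAM - API server host:port (203.0.113.10:443 is a placeholder)
#   CA_FILE  - PEM file holding the cluster CA (from kubeconfig, or from
#              /var/run/secrets/kubernetes.io/serviceaccount/ca.crt in a pod)
write_proxy_conf() {
  conf="$1"; upstream="$2"; ca_file="$3"
  cat > "$conf" <<EOF
server {
    # Loopback only: this leg is unencrypted, so it must never leave the
    # host. For production, add a TLS listener with a certificate the
    # client already trusts instead.
    listen 127.0.0.1:8001;

    location / {
        proxy_pass https://$upstream;
        # Verify the API server certificate against the cluster CA;
        # without this the proxy is just "curl --insecure" with extra hops.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate $ca_file;
        # Pass the client's bearer token through untouched.
        proxy_set_header Authorization \$http_authorization;
    }
}
EOF
  echo "$conf"
}

# proxy_verifies_upstream CONF
#   Returns 0 if the config enables upstream certificate verification.
#   Useful as a pre-deploy check so nobody quietly flips it off later.
proxy_verifies_upstream() {
  grep -q 'proxy_ssl_verify[[:space:]]*on;' "$1"
}

# Demo run against a placeholder CA file in a temp directory (constructed).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' \
  > "$demo_dir/cluster-ca.crt"
write_proxy_conf "$demo_dir/gke-proxy.conf" "203.0.113.10:443" "$demo_dir/cluster-ca.crt"
proxy_verifies_upstream "$demo_dir/gke-proxy.conf" && echo "upstream verification enabled"
# Deploy by dropping the generated file into nginx's conf.d/ and running
# "nginx -t" on the main config (not executed here).
```

The important line is `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate`: with those two set, the proxy refuses to forward anything if the API server presents a certificate not issued by the cluster CA, which is the check the Java client was failing in the first place. The `listen 127.0.0.1:8001;` restriction is what makes the unencrypted client leg tolerable for local use; for anything beyond that, the answer's own remark applies and the client leg should be TLS as well.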

1/15/2020

There is an article named "Access Clusters Using the Kubernetes API" (https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/) that addresses your concerns about how to query the REST API using a Java Client (https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#java-client).

If you are using the Java app inside a POD, you can import your cluster's CA to your Java Trust Store (https://docs.oracle.com/cd/E19509-01/820-3503/6nf1il6er/index.html). The CA certificate for your cluster is inside all pods running within your cluster at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt. More information at (https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#without-using-a-proxy).

Regarding your questions:

1.- Import your cluster's CA cert to your trust store.

2.- You can't set your own CA in GKE, but you can rotate the CA certificate if needed (https://cloud.google.com/kubernetes-engine/docs/how-to/credential-rotation).

3.- You can't deactivate TLS communication in GKE (https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-trust).

Your best option is to use the official Java Client or ADD the CA to your current development.

-- Armando Cuevas
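Option 1 from the answer above (import the cluster CA into the Java trust store), carried through as an added example that is not the answer author's code: the script pulls the CA out of kubeconfig, imports it into a dedicated truststore with `keytool`, and repeats the question's request with `curl --cacert` instead of `--insecure` to confirm the chain before the Java client is touched. The cluster endpoint `203.0.113.10`, the file names, the `gke-cluster-ca` alias and the `TRUSTSTORE_PASS` variable are assumptions.

```shell
#!/bin/sh
# Added example, not code from the answer: extract the GKE cluster CA from
# kubeconfig, import it into a dedicated Java truststore, and prove the chain
# with curl before changing the Java client. Endpoint, token and file names
# are assumptions.
set -eu

# extract_cluster_ca KUBECONFIG OUT_PEM
#   Decodes certificate-authority-data for the current context into OUT_PEM.
#   Uses kubectl when present (the reliable path); otherwise a plain grep
#   that is adequate for a single-cluster kubeconfig. Inside a pod the same
#   CA is already on disk at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt.
extract_cluster_ca() {
  kubeconfig="$1"; out="$2"
  if command -v kubectl >/dev/null 2>&1; then
    kubectl --kubeconfig "$kubeconfig" config view --raw --minify \
      -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' \
      | base64 -d > "$out"
  else
    grep 'certificate-authority-data:' "$kubeconfig" | head -n1 \
      | awk '{print $2}' | base64 -d > "$out"
  fi
  # Refuse to continue with an empty or non-PEM result.
  grep -q 'BEGIN CERTIFICATE' "$out" || return 1
  echo "$out"
}

# import_into_truststore PEM STORE
#   Creates STORE (PKCS12) holding only the cluster CA. Keep it separate from
#   the JVM's default cacerts: pointing javax.net.ssl.trustStore at this file
#   makes the JVM trust nothing else, which is fine for a client that only
#   talks to this API server and wrong for one that also calls public HTTPS.
import_into_truststore() {
  keytool -importcert -noprompt -trustcacerts \
    -alias gke-cluster-ca -file "$1" \
    -keystore "$2" -storetype PKCS12 \
    -storepass "${TRUSTSTORE_PASS:-changeit}"
}

# check_with_curl PEM TOKEN HOST
#   The request the question ran with --insecure, now pinned to the cluster
#   CA. If this passes, the Java client will pass once it uses the store.
check_with_curl() {
  curl --silent --show-error --fail --cacert "$1" \
    -H "Authorization: Bearer $2" "https://$3/version"
}

# Example usage (needs network and keytool, so not executed here):
#   extract_cluster_ca "$HOME/.kube/config" gke-ca.crt
#   import_into_truststore gke-ca.crt gke-truststore.p12
#   check_with_curl gke-ca.crt "$(cat token.txt)" 203.0.113.10
#   java -Djavax.net.ssl.trustStore=gke-truststore.p12 \
#        -Djavax.net.ssl.trustStorePassword=changeit \
#        -Djavax.net.ssl.trustStoreType=PKCS12 -jar client.jar
```

The `-D` system properties are how the CA reaches the client without code changes, which is what the question asked for: the JVM picks up the truststore at startup, so the HTTP client code itself stays as it is. The trade-off noted in the comment is real: a JVM started with a custom `javax.net.ssl.trustStore` trusts only what is in that store, so if the same process also needs public CAs, import the cluster CA into a copy of the JDK's `cacerts` and point the property at that copy instead.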