K
Q

Connect to dynamically create new cluster on GKE

3/30/2020

I am using the cloud.google.com/go SDK to programmatically provision the GKE clusters with the required configuration.

I set the ClientCertificateConfig.IssueClientCertificate = true (see https://pkg.go.dev/google.golang.org/genproto/googleapis/container/v1?tab=doc#ClientCertificateConfig). After the cluster is provisioned, I use the ca_certificate, client_key, client_secret returned for the same cluster (see https://pkg.go.dev/google.golang.org/genproto/googleapis/container/v1?tab=doc#MasterAuth). Now that I have the above 3 attributes, I try to generate the kubeconfig for this cluster (to be later used by helm)

Roughly, my kubeconfig looks something like this:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64_encoded_data>
    server: https://X.X.X.X
  name: gke_<project>_<location>_<name>
contexts:
- context:
    cluster: gke_<project>_<location>_<name>
    user: gke_<project>_<location>_<name>
  name: gke_<project>_<location>_<name>
current-context: gke_<project>_<location>_<name>
kind: Config
preferences: {}
users:
- name: gke_<project>_<location>_<name>
  user:
    client-certificate-data: <base64_encoded_data>
    client-key-data: <base64_encoded_data>

On running kubectl get nodes with above config I get the error: Error from server (Forbidden): serviceaccounts is forbidden: User "client" cannot list resource "serviceaccounts" in API group "" at the cluster scope

Interestingly if I use the config generated by gcloud, the only change is in the user section: user:

auth-provider:
      config:
        cmd-args: config config-helper --format=json
        cmd-path: /Users/ishankhare/google-cloud-sdk/bin/gcloud
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp

This configuration seems to work just fine. But as soon as I add client cert and client key data to it, it breaks: user:

auth-provider:
      config:
        cmd-args: config config-helper --format=json
        cmd-path: /Users/ishankhare/google-cloud-sdk/bin/gcloud
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
client-certificate-data: <base64_encoded_data>
client-key-data: <base64_encoded_data>

I believe I'm missing some details related to RBAC but I'm not sure what. Will you be able to provide me with some info here?

Also reffering to this question I've tried to only rely on Username - Password combination first, using that to apply a new clusterrolebinding in the cluster. But I'm unable to use just the username password approach. I get the following error:

error: You must be logged in to the server (Unauthorized)
-- Ishan Khare
go
google-kubernetes-engine
kubeconfig
kubectl

Similar Questions

no space left on device, which is unexpected. MountVolume.SetUp failed for volume in kubernetes cluster
Setting up kubernetes dashboard for typhoon
Kubernetes pod affinity - Scheduling pods on different nodes
Can Helm conditionally install main chart based on parameter in values.yaml

0 Answers