Getting kubernetes config file using google-cloud API

4/17/2020

I'm able to play around with google cloud's kubernetes API like this:

import os
import time
import json
from pprint import pprint

from google.oauth2 import service_account
import googleapiclient.discovery
from six.moves import input

# https://developers.google.com/identity/protocols/oauth2/scopes
scopes = [
    'https://www.googleapis.com/auth/cloud-platform',
    'https://www.googleapis.com/auth/compute'
]
credentials = service_account.Credentials.from_service_account_file(
    'service_account.json',
    scopes = scopes
)


container = googleapiclient.discovery.build('container', 'v1', credentials = credentials)
loc = container.projects().locations()
client = loc.getServerConfig(name="projects/MY_PROJECT/locations/europe-west1-b")
client.execute()

However, I'd like to achieve the equivalent of

gcloud container clusters get-credentials MY_CLUSTER --zone=europe-west1-b --project MY_PROJECT

i.e. get the complete kubernetes config + authorization file (which I can then use with the kubernetes python module).

When looking at the API

https://cloud.google.com/kubernetes-engine/docs/reference/rest

It seems to be missing that get-credentials call? Or am I at the wrong API?

-- El Sampsa
google-kubernetes-engine
kubernetes

1 Answer

4/17/2020

Google Cloud uses a short-lived token (about 10 seconds) and uses gcloud tools to refresh/obtain the token.

If you want to create a long-lived token, you can create a service account here https://console.cloud.google.com/iam-admin/serviceaccounts with the role "Kubernetes engine developer" and download the JSON file. Configure your kubeconfig to use the gcp auth provider, for example:

 [{name: user-1, user: {auth-provider: {name: gcp}}}]

Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the absolute path to the JSON file downloaded for the service account. This works with kubectl, as it has special support for it.

If you want to use it with e.g. Python, you need to obtain the token from the service account:

kubectl describe serviceaccount myserviceaccount
kubectl describe secrets [secret-name]

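This can be used in the library:

from kubernetes import client, config
configuration = client.Configuration()
config.load_kube_config(client_configuration=configuration)
configuration.api_key['authorization'] = 'your token goes here'
configuration.api_key_prefix['authorization'] = 'Bearer'
client.Configuration.set_default(configuration)  # make it the default for new API clients

Note that long-lived credentials must be guarded especially well.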

-- Thomas
Source: StackOverflow
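
An added example, not part of the original question or answer: one way to assemble a kubeconfig from the GKE API's `clusters.get` response and a short-lived access token, then write it with owner-only permissions because it contains a bearer credential. The function names, the context name `gke` and the sample cluster values are constructed for illustration; the live calls are shown only as comments.

```python
import base64
import json
import os

# Constructed sample of a projects.locations.clusters.get response (not a real cluster).
SAMPLE_CLUSTER = {
    "name": "MY_CLUSTER",
    "endpoint": "203.0.113.10",
    "masterAuth": {"clusterCaCertificate": base64.b64encode(b"constructed-ca").decode()},
}

# Live use (needs network and the google-auth package; not run here):
#   cluster = container.projects().locations().clusters().get(
#       name="projects/MY_PROJECT/locations/europe-west1-b/clusters/MY_CLUSTER").execute()
#   credentials.refresh(google.auth.transport.requests.Request())
#   token = credentials.token   # short-lived OAuth access token


def build_kubeconfig(cluster, token, name="gke"):
    """Build a kubeconfig dict from a clusters.get response and a bearer token."""
    ca = cluster["masterAuth"]["clusterCaCertificate"]
    # Fail early on a malformed CA rather than writing a config that would
    # tempt someone into disabling TLS verification to "make it work".
    base64.b64decode(ca, validate=True)
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "current-context": name,
        "clusters": [{"name": name, "cluster": {
            "server": "https://" + cluster["endpoint"],
            "certificate-authority-data": ca}}],
        "users": [{"name": name, "user": {"token": token}}],
        "contexts": [{"name": name, "context": {"cluster": name, "user": name}}],
    }


def write_private(path, kubeconfig):
    """Write the kubeconfig so only the owner can read it; return the file mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(kubeconfig, fh)  # JSON is valid YAML, so kubeconfig loaders accept it
    os.chmod(path, 0o600)  # tighten the mode if the file already existed
    return os.stat(path).st_mode & 0o777
```

The resulting file can be passed to `config.load_kube_config(config_file=...)`; the token in it expires, so regenerate the file from refreshed credentials rather than storing a long-lived secret.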