Suppose I want to do operations on Kubernetes objects from a client-side web app. The app logs the user into Google using OAuth2 and obtains cloud-platform auth scope. Now the app can call Google Cloud APIs such as GKE APIs. The app can now enumerate the GKE clusters: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters/list

What I do not understand is how to call Kubernetes APIs now. I need to connect to master, authenticate and use Kubernetes' REST APIs. So, I have the following questions:

1) How do I connect to the master? How do I get the address? 2) How do I authenticate with the master?

I've researched and I think I can get the master endpoint by calling the https://container.googleapis.com/v1/projects/XXX/locations/us-central1-a/clusters API and taking the endpoint attribute. The master authorization information seems to be in masterAuth. I need the token thought...

I've tried to connect to the master with the known-good token, but the browser's fetch function rejects my request with ERR_CERT_AUTHORITY_INVALID.

          // Error: net::ERR_CERT_AUTHORITY_INVALID
          const response = await fetch(
            "https://IP/api/v1/pods/",
            {
              headers: new Headers({
                "Authorization": "Bearer <token>",
                "Content-Type": "application/json; charset=utf-8"
              }),
            }
          );

I'm able to get the Certificate Authority information from the MasterAuth, but I do not know how to use it to make an HTTP GET call.

So, my most pressing part of the question is: Given the master endpoint API and MasterAuth (clusterCaCertificate and clientCertificate), how can I call the Kubernetes API from the browser.