Generating a kubeconfig file and authenticating for google cloud

8/26/2021

I have a Kubernetes cluster. Inside my cluster is a Django application which needs to connect to my Kubernetes cluster on GKE. Upon my Django start up (inside my Dockerfile), I authenticate with Google Cloud by using:

gcloud auth activate-service-account $GKE_SERVICE_ACCOUNT_NAME --key-file=$GOOGLE_APPLICATION_CREDENTIALS
gcloud config set project $GKE_PROJECT_NAME
gcloud container clusters get-credentials $GKE_CLUSTER_NAME --zone $GKE_ZONE

I am not really sure if I need to do this every time my Django container starts, and I am not sure I understand how authentication to Google Cloud works. Could I perhaps just generate my Kubeconfig file, store it somewhere safe and use it all the time instead of authenticating? In other words, is a Kubeconfig file enough to connect to my GKE cluster?

-- s3nti3ntB
google-cloud-platform
google-kubernetes-engine
kubernetes

1 Answer

8/27/2021

If your service is running in a Pod inside the GKE cluster you want to connect to, use a Kubernetes service account to authenticate.

  1. Create a Kubernetes service account and attach it to your Pod. If your Pod already has a Kubernetes service account, you may skip this step.

  2. Use Kubernetes RBAC to grant the Kubernetes service account the correct permissions.

The following example grants edit permissions in the prod namespace:

kubectl create rolebinding yourserviceaccount \
    --clusterrole=edit \
    --serviceaccount=yournamespace:yourserviceaccount \
    --namespace=prod

  3. At runtime, when your service invokes kubectl, it automatically receives the credentials you configured.

You can also store the credentials as a Secret and mount it on your Pod so that it can read them from there.

To use a Secret with your workloads, you can specify environment variables that reference the Secret's values, or mount a volume containing the Secret.

You can create a Secret using the command-line or a YAML file.

Here is an example using the command line:

kubectl create secret SECRET_TYPE SECRET_NAME DATA

SECRET_TYPE: the Secret type, which can be one of the following:

  • generic: Create a Secret from a local file, directory, or literal value.
  • docker-registry: Create a dockercfg Secret for use with a Docker registry. Used to authenticate against Docker registries.
  • tls: Create a TLS Secret from the given public/private key pair. The public/private key pair must already exist. The public key certificate must be PEM encoded and match the given private key.

For most Secrets, you use the generic type.

SECRET_NAME: the name of the Secret you are creating.

DATA: the data to add to the Secret, which can be one of the following:

  • A path to a directory containing one or more configuration files, indicated using the --from-file or --from-env-file flags.
  • Key-value pairs, each specified using --from-literal flags.

If you need more information about kubectl create, you can check the reference documentation.

-- Jorge Navarro
Source: StackOverflow
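The answer's point 3 (the Pod "automatically receives the credentials") works because the kubelet projects the service account token, CA certificate and namespace into the container and sets the API server address in environment variables. The following added example (not from the original post or either author) shows what the Django container could do instead of the gcloud login in the question: read those projected files and call the API server directly. It assumes a Pod with a service account mounted at the default path, using only the standard library rather than the official kubernetes client; the RBAC rolebinding from the answer decides whether the request is allowed.

```python
import os
import ssl
import urllib.request

# Default projection path and env vars the kubelet sets inside every Pod with a
# mounted service account (automountServiceAccountToken is true by default).
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def load_incluster_config(sa_dir=SA_DIR, environ=None):
    """Read projected service account credentials (same files the official
    client's load_incluster_config() uses). Returns server, CA path, token, namespace.
    Re-read rather than cache forever: projected tokens are rotated by the kubelet."""
    env = os.environ if environ is None else environ
    host = env.get("KUBERNETES_SERVICE_HOST")
    port = env.get("KUBERNETES_SERVICE_PORT")
    if not host or not port:
        raise RuntimeError("not inside a Kubernetes Pod: KUBERNETES_SERVICE_* env vars missing")
    if ":" in host:  # IPv6 API server address needs brackets in a URL
        host = f"[{host}]"
    with open(os.path.join(sa_dir, "token")) as f:
        token = f.read().strip()
    with open(os.path.join(sa_dir, "namespace")) as f:
        namespace = f.read().strip()
    if not token:
        raise RuntimeError("empty service account token; check automountServiceAccountToken")
    return {
        "server": f"https://{host}:{port}",
        "ca_cert": os.path.join(sa_dir, "ca.crt"),
        "token": token,
        "namespace": namespace,
    }


def list_pods_request(cfg):
    """Build the bearer-token request for the Pod's own namespace; with the
    rolebinding from the answer (clusterrole=edit in prod) this is permitted."""
    url = f"{cfg['server']}/api/v1/namespaces/{cfg['namespace']}/pods"
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {cfg['token']}"})


def list_pods(cfg):
    """Send the request, verifying the API server's TLS cert against the projected CA."""
    ctx = ssl.create_default_context(cafile=cfg["ca_cert"])
    with urllib.request.urlopen(list_pods_request(cfg), context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":  # only meaningful when run inside a Pod
    print(list_pods(load_incluster_config())[:200])
```

No kubeconfig and no gcloud step are needed: the token file is the credential, and a Kubernetes RBAC binding, not a Google Cloud IAM role, governs what it may do.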