Access Kubernetes GKE cluster outside of GKE cluster with client-go?

In general, for authenticating with Kubernetes clusters from client-go I see that I have two options:

So it is easy to access clusterA from clusterA but not clusterB from clusterA.

What are my options here? It seems that I just cannot pass GOOGLE_APPLICATION_CREDENTIALS and hope that client-go will take care of itself.

So my thinking:

- Create a kube config with tokens for the clusters: gcloud container clusters get-credentials clusterA and gcloud container clusters get-credentials clusterB
- Use that kube config file in client-go with BuildConfigFromFlags on clusterA

Is this the correct approach, or is there a simpler way? I see that tokens have an expiration date?

Update:

It seems I can also use CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True gcloud beta container clusters get-credentials clusterB --zone . Which would add certificates to the kube conf which I could use. But AFAIK those certificates cannot be revoked
client-go needs to know about:

(If you're using GKE, you can see this info in $HOME/.kube/config, populated by the gcloud container clusters get-credentials command.)

I recommend you to either:

Once you can create a *rest.Config object in client-go, client-go will use the auth plugin that's specified in the kubeconfig file (or its in-memory equivalent you constructed). The gcp auth plugin knows how to retrieve a token.

Then, create a Cloud IAM Service Account and give it the "Container Developer" role. Download its key.

Now, you have two options:

gcloud auth activate-service-account --key-file=key.json
KUBECONFIG=a.yaml gcloud container clusters get-credentials clusterA
KUBECONFIG=b.yaml gcloud container clusters get-credentials clusterB

Then create 2 different *rest.Client objects, one created from a.yaml, another from b.yaml, in your program. Now your program will rely on the gcloud binary to retrieve a token every time your token expires (every 1 hour).

*rest.Config objects for cluster A & B.

Hope this helps.

PS: do not forget to import _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" in your Go program. This loads the gcp auth plugin!
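The two credential shapes this thread contrasts, a gcp auth-provider entry that client-go refreshes through the gcloud binary when the hourly token expires, and a static client certificate written by CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True that nothing renews, can be told apart by reading the user entries of the kubeconfig that gcloud container clusters get-credentials produces. The program below is an added example, not code from the question or the answer above. It uses only the Go standard library by feeding a JSON-encoded kubeconfig (JSON is valid YAML, so the same document would also load through clientcmd), and it audits a constructed sample config whose token and certificate values are non-functional placeholders. The AuditKubeconfig function, the Finding type and the sample user names are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Minimal subset of the kubeconfig schema that the answer points at
// ($HOME/.kube/config as written by `gcloud container clusters get-credentials`).
// Only the fields needed to classify how a user entry authenticates are kept.
type kubeconfig struct {
	Users []struct {
		Name string `json:"name"`
		User struct {
			ClientCertificateData string `json:"client-certificate-data"`
			Token                 string `json:"token"`
			AuthProvider          *struct {
				Name   string            `json:"name"`
				Config map[string]string `json:"config"`
			} `json:"auth-provider"`
		} `json:"user"`
	} `json:"users"`
}

// Finding describes how one kubeconfig user entry authenticates and whether
// client-go can obtain a fresh credential for it on expiry.
type Finding struct {
	User         string
	Method       string // "auth-provider:<name>", "client-certificate", "static-token" or "none"
	Refreshable  bool   // true when the gcp auth plugin will re-run gcloud for a new token
	TokenExpired bool   // gcp auth-provider only: the cached access-token expiry is in the past
}

// AuditKubeconfig classifies every user entry in a JSON-encoded kubeconfig.
// now is injected instead of read from the clock so the expiry check is deterministic.
func AuditKubeconfig(data []byte, now time.Time) ([]Finding, error) {
	var cfg kubeconfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return nil, fmt.Errorf("parse kubeconfig: %w", err)
	}
	var out []Finding
	for _, u := range cfg.Users {
		f := Finding{User: u.Name, Method: "none"}
		switch {
		case u.User.AuthProvider != nil:
			f.Method = "auth-provider:" + u.User.AuthProvider.Name
			// The gcp plugin re-runs the configured gcloud command when the cached
			// token has expired, so the credential is refreshable; the cached
			// token's own expiry is still worth reporting.
			f.Refreshable = u.User.AuthProvider.Name == "gcp"
			if exp, ok := u.User.AuthProvider.Config["expiry"]; ok {
				t, err := time.Parse(time.RFC3339, exp)
				if err != nil {
					return nil, fmt.Errorf("user %q: bad expiry %q: %w", u.Name, exp, err)
				}
				f.TokenExpired = !t.After(now)
			}
		case u.User.ClientCertificateData != "":
			// Static credential: nothing in client-go will renew or rotate it.
			f.Method = "client-certificate"
		case u.User.Token != "":
			f.Method = "static-token"
		}
		out = append(out, f)
	}
	return out, nil
}

// sampleKubeconfig is a constructed example with placeholder values (not real
// credentials): clusterA as the gcp auth-provider entry gcloud writes by default,
// clusterB as a client-certificate entry produced with
// CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True.
const sampleKubeconfig = `{
  "apiVersion": "v1",
  "kind": "Config",
  "users": [
    {
      "name": "gke_example-project_us-central1-a_clusterA",
      "user": {
        "auth-provider": {
          "name": "gcp",
          "config": {
            "access-token": "ya29.PLACEHOLDER-NOT-A-REAL-TOKEN",
            "expiry": "2019-01-01T12:00:00Z",
            "cmd-path": "/usr/bin/gcloud",
            "cmd-args": "config config-helper --format=json",
            "expiry-key": "{.credential.token_expiry}",
            "token-key": "{.credential.access_token}"
          }
        }
      }
    },
    {
      "name": "gke_example-project_us-central1-a_clusterB",
      "user": {
        "client-certificate-data": "PLACEHOLDER-BASE64-CERT",
        "client-key-data": "PLACEHOLDER-BASE64-KEY"
      }
    }
  ]
}`

func main() {
	now := time.Date(2019, 1, 1, 13, 0, 0, 0, time.UTC) // one hour after the cached token's expiry
	findings, err := AuditKubeconfig([]byte(sampleKubeconfig), now)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-45s %-20s refreshable=%-5v tokenExpired=%v\n", f.User, f.Method, f.Refreshable, f.TokenExpired)
	}
}
```

Run against a real kubeconfig (converted to JSON, or extended with a YAML decoder), a "client-certificate" finding is the entry to replace with a service-account-backed gcp auth-provider kubeconfig as the answer describes, since only the latter is renewed by client-go through gcloud.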