[英]Using GKE service account credentials with kubectl
I am trying to invoke kubectl from within my CI system. 我正在尝试从我的CI系统中调用kubectl。 I wish to use a google cloud service account for authentication.
我希望使用Google云服务帐户进行身份验证。 I have a secret management system in place that injects secrets into my CI system.
我有一个秘密管理系统,可以将秘密注入到我的CI系统中。
However, my CI system does not have gcloud installed, and I do not wish to install that. 但是,我的CI系统没有安装gcloud,因此我不希望安装它。 It only contains kubectl.
它仅包含kubectl。 Is there any way that I can use a credentials.json file containing a gcloud service account (not a kubernetes service account) directly with kubectl?
有什么办法可以直接在kubectl中使用包含gcloud服务帐户(而不是kubernetes服务帐户)的certificate.json文件?
The easiest way to skip the gcloud CLI is to probably use the --token
option. 跳过gcloud CLI的最简单方法是使用
--token
选项。 You can get a token with RBAC by creating a service account and tying it to a ClusterRole
or Role
with either a ClusterRoleBinding
or RoleBinding
. 您可以通过创建一个服务帐户,并将其绑到获得与RBAC令牌
ClusterRole
或Role
与无论是ClusterRoleBinding
或RoleBinding
。
Then from the command line: 然后从命令行:
$ kubectl --token <token-from-your-service-account> get pods
You still will need a context
in your ~/.kube/config
: 您仍然需要
~/.kube/config
的context
:
- context:
cluster: kubernetes
name: kubernetes-token
Otherwise, you will have to use: 否则,您将必须使用:
$ kubectl --insecure-skip-tls-verify --token <token-from-your-service-account> -s https://<address-of-your-kube-api-server>:6443 get pods
Note that if you don't want the token to show up on the logs you can do something like this: 请注意,如果您不希望令牌显示在日志中,则可以执行以下操作:
$ kubectl --token $(cat /path/to/a/file/where/the/token/is/stored) get pods
Also, note that this doesn't prevent you from someone running ps -Af
on your box and grabbing the token from there, for the lifetime of the kubectl
process (It's a good idea to rotate the tokens) 另外,请注意,在
kubectl
进程的生命周期内,这并不能阻止您在盒子上运行ps -Af
并从那里获取令牌(旋转令牌是一个好主意)
Edit: 编辑:
You can use the --token-auth-file=/path/to/a/file/where/the/token/is/stored
with kubectl
to avoid passing it through $(cat /path/to/a/file/where/the/token/is/stored)
您可以使用
--token-auth-file=/path/to/a/file/where/the/token/is/stored
与kubectl
一起--token-auth-file=/path/to/a/file/where/the/token/is/stored
以避免通过$(cat /path/to/a/file/where/the/token/is/stored)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.