堆栈内存溢出
  简体   繁体   English

使用 Google IAM 服务帐户对 Kubectl 进行身份验证

[英]Authenticate Kubectl using Google IAM service account

 原文  2019-02-21 14:37:44       kubernetes/ google-compute-engine/ google-kubernetes-engine/ kubectl/ google-iam

问题描述

I have got a Google Cloud IAM service account key file (in json format) that contains below data.我有一个包含以下数据的 Google Cloud IAM 服务帐户密钥文件(json 格式)。

{
"type": "service_account",
"project_id": "****",
"private_key_id":"****",
"private_key": "-----BEGIN PRIVATE KEY----blah blah -----END PRIVATE KEY-----\n",
"client_email": "*****",
"client_id": "****",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth/v1/certs",
"client_x509_cert_url": "****"
}

I can use this service account to access kubernetes API server by passing this key file to kube API client libraries.通过将此密钥文件传递给 kube API 客户端库,我可以使用此服务帐户访问 kubernetes API 服务器。

But, I'm not finding any way to pass this service account to kubectl binary to have kubectl get authenticated to project for which this service account created for.但是,我没有找到任何方法将此服务帐户传递给 kubectl 二进制文件,以使 kubectl 获得为此服务帐户创建的项目的身份验证。

Is there any way that I can use to make Kubectl to use this service account file for authentication ?有什么方法可以让 Kubectl 使用此服务帐户文件进行身份验证?

1 个解决方案

解决方案1
 1  2019-02-21 21:07:53

This answer provides some guidance: Access Kubernetes GKE cluster outside of GKE cluster with client-go?此答案提供了一些指导: 使用 client-go 访问 GKE 集群之外的 Kubernetes GKE 集群? but it's not complete.但它并不完整。

You need to do two things:你需要做两件事:

  1. set GOOGLE_APPLICATION_CREDENTIALS environment variable to path to your JSON key file for the IAM service account, and use kubectl while this variable is set, you should be authenticated with the token.GOOGLE_APPLICATION_CREDENTIALS环境变量设置为 IAM 服务帐户的 JSON 密钥文件的路径,并在设置此变量时使用kubectl ,您应该使用令牌进行身份验证。

  2. (this may be optional, not sure) Create a custom KUBECONFIG that only contains your cluster IP and CA certificate, save this file, and use it to connect to the cluster. (这可能是可选的,不确定)创建一个仅包含您的集群 IP 和 CA 证书的自定义KUBECONFIG ,保存此文件,并使用它来连接到集群。

Step 2 looks like this:第 2 步如下所示:

cat > kubeconfig.yaml <<EOF
apiVersion: v1
kind: Config
current-context: cluster-1
contexts: [{name: cluster-1, context: {cluster: cluster-1, user: user-1}}]
users: [{name: user-1, user: {auth-provider: {name: gcp}}}]
clusters:
- name: cluster-1
  cluster:
    server: "https://$(eval "$GET_CMD --format='value(endpoint)'")"
    certificate-authority-data: "$(eval "$GET_CMD --format='value(masterAuth.clusterCaCertificate)'")"
EOF

So with this, you should do所以有了这个,你应该做

export GOOGLE_APPLICATION_CREDENTIALS=<path-to-key.json>
export KUBECONFIG=kubeconfig.yaml
kubectl get nodes

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在Kubectl中使用GKE服务帐户凭据 - Using GKE service account credentials with kubectl 将IAM服务帐户与Google / cloud-sdk官方图片一起使用 - Use an IAM service account with official google/cloud-sdk image 使用 Google IAM 进行 GKE 服务网络访问 - Using Google IAM for GKE service web access 如何配置 kubectl 充当服务帐户? - How to configure kubectl to act as a service account? 将 service_account.json 添加到 kubectl secrets - Add a service_account.json to kubectl secrets “永久”GKE kubectl服务帐户身份验证 - “permanent” GKE kubectl service account authentication Vault 服务帐户是否应使用默认服务帐户 API 令牌向 Kube.netes 进行身份验证? - Should the Vault Service Account Be Using the Default Service Account API Token to Authenticate to Kubernetes? 如何使用 kubectl run 命令创建使用非默认服务帐户的 Pod? - How to create a Pod that uses non default service account using kubectl run command? kitectl在gitlab-runner环境中使用服务帐户令牌时未经授权 - kubectl unauthorized when using service account token inside gitlab-runner environment Kubernetes 服务账户和 AWS IAM 角色的秘密 - Kubernetes Service Account and AWS IAM Role for Secrets
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM