Authenticate Kubectl using Google IAM service account
I have got a Google Cloud IAM service account key file (in JSON format) that contains the data below.
{
"type": "service_account",
"project_id": "****",
"private_key_id":"****",
"private_key": "-----BEGIN PRIVATE KEY----blah blah -----END PRIVATE KEY-----\n",
"client_email": "*****",
"client_id": "****",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth/v1/certs",
"client_x509_cert_url": "****"
}
I can use this service account to access the Kubernetes API server by passing this key file to the kube API client libraries.
But I'm not finding any way to pass this service account to the kubectl binary so that kubectl gets authenticated to the project this service account was created for.
Is there any way to make kubectl use this service account file for authentication?
This answer provides some guidance: "Access Kubernetes GKE cluster outside of GKE cluster with client-go?", but it's not complete.
You need to do two things:
1. Set the GOOGLE_APPLICATION_CREDENTIALS environment variable to the path of your JSON key file for the IAM service account, and use kubectl while this variable is set; you should be authenticated with the token.
2. (This may be optional, not sure) Create a custom KUBECONFIG that only contains your cluster IP and CA certificate, save this file, and use it to connect to the cluster.
Step 2 looks like this:
# GET_CMD is assumed to hold the describe command for your cluster, e.g.
# GET_CMD="gcloud container clusters describe <cluster-name> --zone <zone>"
cat > kubeconfig.yaml <<EOF
apiVersion: v1
kind: Config
current-context: cluster-1
contexts: [{name: cluster-1, context: {cluster: cluster-1, user: user-1}}]
users: [{name: user-1, user: {auth-provider: {name: gcp}}}]
clusters:
- name: cluster-1
  cluster:
    server: "https://$(eval "$GET_CMD --format='value(endpoint)'")"
    certificate-authority-data: "$(eval "$GET_CMD --format='value(masterAuth.clusterCaCertificate)'")"
EOF
So with this, you should do
export GOOGLE_APPLICATION_CREDENTIALS=<path-to-key.json>
export KUBECONFIG=kubeconfig.yaml
kubectl get nodes
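Putting both steps together, as an added example that is not part of the answer above: a POSIX shell script that sanity-checks the key file, renders the minimal kubeconfig (endpoint and CA only, no embedded credential), and runs kubectl with GOOGLE_APPLICATION_CREDENTIALS pointing at the key. The user name sa-user, the role roles/container.viewer, the cluster name and zone, and the contents of the sample key are assumptions for illustration; the sample key is constructed and contains no real private key. One caveat the answer predates: the in-tree gcp auth-provider this kubeconfig relies on was removed from kubectl in v1.26, so on newer clients the user entry has to use the gke-gcloud-auth-plugin exec plugin instead.

```shell
#!/bin/sh
# Added example (not from the original answer): drive kubectl as a Google IAM
# service account via Application Default Credentials, using a kubeconfig that
# carries only the cluster endpoint and CA. Assumes gcloud and kubectl are on
# PATH and that the service account holds an IAM role covering the Kubernetes
# permissions it needs (e.g. roles/container.viewer for read-only access).
set -eu

# Render a kubeconfig holding only the API endpoint and the cluster CA. No
# credential is embedded: the 'gcp' auth-provider asks Application Default
# Credentials (GOOGLE_APPLICATION_CREDENTIALS) for a token at run time.
render_kubeconfig() {
  endpoint="$1"; ca_b64="$2"; name="${3:-cluster-1}"
  cat <<EOF
apiVersion: v1
kind: Config
current-context: ${name}
contexts:
- name: ${name}
  context: {cluster: ${name}, user: sa-user}
users:
- name: sa-user
  user: {auth-provider: {name: gcp}}
clusters:
- name: ${name}
  cluster:
    server: "https://${endpoint}"
    certificate-authority-data: "${ca_b64}"
EOF
}

# Check the key file before exporting it: it must be a service_account key
# (not an authorized_user credential) and must contain a private key.
# Prints the client_email on success, returns 1 otherwise.
key_file_identity() {
  keyfile="$1"
  grep -q '"type": *"service_account"' "$keyfile" ||
    { echo "not a service account key: $keyfile" >&2; return 1; }
  grep -q 'BEGIN PRIVATE KEY' "$keyfile" ||
    { echo "no private key in $keyfile" >&2; return 1; }
  sed -n 's/.*"client_email": *"\([^"]*\)".*/\1/p' "$keyfile"
}

# Write a constructed (fake) key file in the shape shown in the question, so
# the rendering and checks above can be exercised without a real key.
write_sample_key() {
  cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0123456789abcdef",
  "private_key": "-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
  "client_email": "kubectl-sa@example-project.iam.gserviceaccount.com",
  "client_id": "000000000000000000000",
  "token_uri": "https://oauth2.googleapis.com/token"
}
EOF
}

# Fetch endpoint and CA from GKE and write the kubeconfig with owner-only
# permissions. The describe calls run as whoever gcloud is logged in as.
write_gke_kubeconfig() {
  cluster="$1"; zone="$2"; out="$3"
  ep=$(gcloud container clusters describe "$cluster" --zone "$zone" --format='value(endpoint)')
  ca=$(gcloud container clusters describe "$cluster" --zone "$zone" --format='value(masterAuth.clusterCaCertificate)')
  ( umask 077; render_kubeconfig "$ep" "$ca" "$cluster" > "$out" )
}

# Usage: sh gke-sa-kubectl.sh key.json CLUSTER ZONE
main() {
  key="$1"; cluster="$2"; zone="$3"
  # A world-readable key file leaks the long-lived private key to every local user.
  [ -z "$(find "$key" -perm -004)" ] || echo "warning: $key is world-readable" >&2
  ident=$(key_file_identity "$key")          # aborts (set -e) if the file is not a usable key
  echo "authenticating as $ident" >&2
  write_gke_kubeconfig "$cluster" "$zone" "$PWD/kubeconfig.yaml"
  GOOGLE_APPLICATION_CREDENTIALS="$key"; export GOOGLE_APPLICATION_CREDENTIALS
  KUBECONFIG="$PWD/kubeconfig.yaml"; export KUBECONFIG
  kubectl get nodes
}

if [ "$#" -ge 3 ]; then main "$@"; fi
```

The rendered kubeconfig deliberately contains no token: with the gcp auth-provider, kubectl obtains a short-lived access token from Application Default Credentials on each run, so the only secret on disk is the key file itself, which is why the script checks its permissions and refuses anything that is not a service_account key with a private key.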