[英]How to easily switch gcloud / kubectl credentials
At work we use Kube.netes hosted in GCP.在工作中,我们使用托管在 GCP 中的 Kube.netes。 I also have a side project hosted in my personal GCP account using Google App Engine (deploy using gcloud app deploy
).我还使用 Google App Engine 在我的个人GCP 帐户中托管了一个副项目(使用gcloud app deploy
)。
Often when I try to run a command such as kubectl logs -f service-name
, I get an error like "Error from server (Forbidden): pods is forbidden: User "my_personal_email@gmail.com" cannot list resource "pods" in API group "" in the namespace "WORK_NAMESPACE": Required "container.pods.list" permission."通常,当我尝试运行诸如kubectl logs -f service-name
类的命令时,我会收到类似“来自服务器的错误(禁止):pods 被禁止:用户“my_personal_email@gmail.com”无法列出资源“pods”的错误命名空间“WORK_NAMESPACE”中的 API 组“”:需要“container.pods.list”权限。” and then I have to fight with kubectl for hours trying to get it to work.然后我不得不与 kubectl 战斗数小时,试图让它工作。
Can somebody please break it down for a slow person like me, how gcloud
and kubectl
work together, and how I can easily switch accounts so I can use gcloud
commands for my personal projects and kubectl
commands for my work projects?有人可以为像我这样行动迟缓的人分解一下吗? gcloud
和kubectl
如何协同工作,以及我如何轻松切换帐户,以便我可以将gcloud
命令用于我的个人项目, kubectl
命令用于我的工作项目? I'm happy to nuke my whole config and start from scratch if that's what it takes.如果需要的话,我很乐意修改我的整个配置并从头开始。 I've found various kubectl
and gcloud
documentation but it doesn't make much sense or talks in circles.我找到了各种kubectl
和gcloud
文档,但它们没有多大意义或绕圈子。
Edit: this is on Linux.编辑:这是在 Linux 上。
Had the same problem and doing all of the:有同样的问题并做了所有的事情:
gcloud auth login
gcloud auth list
gcloud config set account
gcloud projects list
didn't help.没有帮助。 I knew gcloud
switched fine as I was able to list other resources with it directly.我知道gcloud
切换得很好,因为我可以直接用它列出其他资源。 But it seems kubectl
can't pick those changes up automatically, as kubectl/gcloud
integration relies on the pre-generated key, which has a 1h expiration(not sure if it's a default but it's what it is on my machine right now).但似乎kubectl
无法自动选择这些更改,因为kubectl/gcloud
集成依赖于预生成的密钥,该密钥有 1 小时的过期时间(不确定它是否是默认值,但它现在在我的机器上)。 So, on top of setting right user/project/account with gcloud
, you should re-generate the creds:因此,除了使用gcloud
设置正确的用户/项目/帐户之外,您还应该重新生成凭据:
gcloud container clusters get-credentials <my-cluster> --zone <clusters-zone>
I'm in the same boat as you - apps deployed in GKE for work and personal projects deployed in my personal GCP account.我和你在同一条船上 - 部署在 GKE 中的应用程序用于部署在我的个人 GCP 帐户中的工作和个人项目。
gcloud
stores a list of logged in accounts that you can switch between to communicate with associated projects. gcloud
存储了一个登录帐户列表,您可以在这些帐户之间切换以与关联项目进行通信。 Take a look at these commands:看看这些命令:
gcloud auth login
gcloud auth list
gcloud config set account
gcloud projects list
To work with a specific project under one of your accounts you need to set that configuration via gcloud config set project PROJECT_ID
要在您的某个帐户下使用特定项目,您需要通过gcloud config set project PROJECT_ID
设置该配置
kubectl
has a list of "contexts" on your local machine in ~/.kube/config
. kubectl
在~/.kube/config
中的本地计算机上有一个“上下文”列表。 Your current context is the cluster you want to run commands against - similar to the active account/project in gcloud
.您当前的上下文是您要对其运行命令的集群 - 类似于gcloud
中的活动帐户/项目。
Unlike gcloud
these are cluster specific and store info on cluster endpoint, default namespaces, the current context, etc. You can have contexts from GCP, AWS, on-prem...anywhere you have a cluster.与gcloud
不同,它们是特定于集群的,并在集群端点、默认命名空间、当前上下文等上存储信息。您可以从 GCP、AWS、本地...任何您拥有集群的地方获取上下文。 We have different clusters for dev, qa, and prod (thus different contexts) and switch between them a ton.我们有用于 dev、qa 和 prod 的不同集群(因此有不同的上下文),并在它们之间大量切换。 Take a look at the [kubectx project][1] https://github.com/ahmetb/kubectx for an easier way to switch between contexts and namespaces.查看 [kubectx 项目][1] https://github.com/ahmetb/kubectx以更轻松地在上下文和命名空间之间切换。
kubectl
will use the keys from whatever GCP account you are logged in with against the cluster that is set as your current context. kubectl
将使用您登录的任何 GCP 帐户中的密钥来针对设置为当前上下文的集群。 ie, from your error above, if your active account for gcloud
is your personal but try to list pods from a cluster at work you will get an error.即,根据您上面的错误,如果您的gcloud
活动帐户是您的个人帐户,但尝试列出工作中集群中的 pod,您将收到错误消息。 You either need to set the active account/project for gcloud
to your work email or change the kubectl
context to a cluster that is hosted in your personal GCP account/project.您需要将gcloud
的活动帐户/项目设置为您的工作电子邮件,或者将kubectl
上下文更改为托管在您的个人 GCP 帐户/项目中的集群。
对我来说,更新 ~/.kube/config 并将到期日期设置为过去的日期可以修复它
Use gcloud config configurations
to manage your separate profiles with Google Cloud Platform.使用gcloud config configurations
通过 Google Cloud Platform 管理您的单独配置文件。
Add an explicit configuration
argument to the cmd-args
of your kubeconfig's user to prevent gcloud
from producing an access token for an unrelated profile.向 kubeconfig 用户的cmd-args
添加显式configuration
参数,以防止gcloud
为不相关的配置文件生成访问令牌。
users: - user: auth-provider: config: cmd-args: config --configuration=work config-helper --format=json
Can somebody please break it down for a slow person like me, how gcloud and kubectl work together, and how I can easily switch accounts so I can use gcloud commands for my personal projects and kubectl commands for my work projects?有人可以为像我这样行动迟缓的人分解一下吗?gcloud 和 kubectl 如何协同工作,以及我如何轻松切换帐户,以便我可以将 gcloud 命令用于我的个人项目,将 kubectl 命令用于我的工作项目?
Sure!当然! By following Google's suggested instructions that lead to running gcloud container clusters get-credentials...
when configuring a kube.netes cluster, you will end up with a section of your kubeconfig that contains information on what kubectl should do to acquire an access token when communicating with a cluster that is configured with a given user.按照 Google 建议的导致运行gcloud container clusters get-credentials...
的说明,在配置 kube.netes 集群时,您最终会得到 kubeconfig 的一部分,其中包含有关 kubectl 在以下情况下应该如何获取访问令牌的信息与配置给定用户的集群通信。 That will look something like this:这看起来像这样:
users:
- name: gke_project-name_cluster-zone_cluster-name
user:
auth-provider:
config:
access-token: &Redacted
cmd-args: config config-helper --format=json
cmd-path: /path/to/google-cloud-sdk/bin/gcloud
expiry: "2022-12-25T01:02:03Z"
expiry-key: '{.credential.token_expiry}'
token-key: '{.credential.access_token}'
name: gcp
Basically, this tells kubectl
to run gcloud config config-helper --format=json
when it needs a new token, and to parse the access_token using the json-path .credential.access_token
in the response from that command.基本上,这告诉kubectl
在需要新令牌时运行gcloud config config-helper --format=json
,并在该命令的响应中使用 json-path .credential.access_token
解析 access_token 。 This is the crux in understanding how kubectl
communicates with gcloud
.这是理解 kubectl 如何与kubectl
通信的gcloud
。
Like you, I use google cloud both personally and at work.和你一样,我在个人和工作中都使用谷歌云。 The issue is that this user configuration block does not take into account the fact that it shouldn't use the currently active gcloud account when generating a credential.问题在于此用户配置块没有考虑到在生成凭据时不应使用当前活动的 gcloud 帐户这一事实。 Even if you don't use kube.netes in either one of your two projects, extensions in vscode for example might try to run a kubectl command when you're working on something in a different project.即使您不在两个项目中的任何一个中使用 kube.netes,例如当您在不同项目中处理某些内容时,vscode 中的扩展也可能会尝试运行 kubectl 命令。 If this were to happen after your current token is expired, gcloud config config-helper
might get invoked to generate a token using a personal account.如果在您当前的令牌过期后发生这种情况,则可能会调用gcloud config config-helper
以使用个人帐户生成令牌。
To prevent this from happening, I suggest using gcloud config configuations
.为了防止这种情况发生,我建议使用gcloud config configuations
。 Configurations are global configuration profiles that you can quickly switch between.配置是全局配置文件,您可以在它们之间快速切换。 For example, I have two configurations that look like:例如,我有两个如下所示的配置:
> gcloud config configurations list
NAME IS_ACTIVE ACCOUNT PROJECT COMPUTE_DEFAULT_ZONE COMPUTE_DEFAULT_REGION
work False zev@work.email work-project us-west1-a us-west1
personal True zev@personal.email personal-project northamerica-northeast1-a northamerica-northeast1
With configurations you can alter your kubeconfig to specify which configuration to always use when creating an access token for a given kube.netes user by altering the kubeconfig user's auth-provider.config.cmd-args
to include one of your gcloud configurations.通过配置,您可以更改 kubeconfig 以指定在为给定 kube.netes 用户创建访问令牌时始终使用的配置,方法是更改 kubeconfig 用户的auth-provider.config.cmd-args
以包含您的 gcloud 配置之一。 With a value like config --configuration=work config-helper --format=json
, whenever kubectl needs a new access token, it will use the account from your work configuration regardless of which account is currently active with the gcloud
tool.使用类似config --configuration=work config-helper --format=json
的值,只要 kubectl 需要新的访问令牌,它就会使用您的工作配置中的帐户,而不管哪个帐户当前使用gcloud
工具处于活动状态。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.