使用工作负载身份从 GKE cronjob 运行 kubectl 命令

Question

I'd like to run a kubectl command from within a cronjob pod, to change the min replicas on a HPA for a deployment at the same time every week, ie time based scaling. I've been playing around with using the official google-sdk image with gcloud and kubectl installed.

I know I need to authenticate to the GKE cluster before I can run commands to interact via kubectl, and I really wanted to steer away from mounting a service account key (via a secret) to the pod, as we already have workload identity enabled.

Normal gcloud commands work fine using this method eg gcloud compute instances list but when I run gcloud container clusters get-credentials.... it fails saying I need to run gcloud auth login - can't be done of course.

I've read this post , I don't really want to use cURL if I can avoid it, and also know that gcloud doesn't use GOOGLE_APPLICATION_CREDENTIALS ( this post )

Does anyone know of a way I can use workload identity and get this working?

Answer 1

我找到了一种获得身份验证的方法，在尝试从 cronjob pod 中运行 kubectl 命令之前，我必须使用以下命令：

gcloud --account <account-name>