简体   繁体   English

如何使用 JSON 服务帐户密钥在 GO 中获取 Kubernetes 客户端集?

[英]How can I get a Kubernetes clientset in GO using a JSON service account key?

I need to create a Kubernetes clientset using a token extracted from JSON service account key file.我需要使用从 JSON 服务帐户密钥文件中提取的令牌创建 Kubernetes 客户端集。

I explicitly provide this token inside the config, however it still looks for Google Application-Default credentials, and crashes because it cannot find them.我在配置中明确提供了这个令牌,但是它仍然在寻找 Google Application-Default 凭据,并且因为找不到它们而崩溃。

Below is my code:下面是我的代码:

package main

import (

    gke "google.golang.org/api/container/v1"
    _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"

const (
    projectID   = "my_project_id"
    clusterName = "my_cluster_name"
    scope       = "https://www.googleapis.com/auth/cloud-platform"

func main() {
    ctx := context.Background()

    // Read JSON key and extract the token
    data, err := ioutil.ReadFile("sa_key.json")
    if err != nil {
    creds, err := google.CredentialsFromJSON(ctx, data, scope)
    if err != nil {
    token, err := creds.TokenSource.Token()
    if err != nil {
    fmt.Println("token", token.AccessToken)

    // Create GKE client
    tokenSource := oauth2.StaticTokenSource(token)
    gkeClient, err := gke.NewService(ctx, option.WithTokenSource(tokenSource))
    if err != nil {

    // Create a dynamic kube config
    inMemKubeConfig, err := createInMemKubeConfig(ctx, gkeClient, token, projectID)
    if err != nil {

    // Use it to create a rest.Config
    config, err := clientcmd.NewNonInteractiveClientConfig(*inMemKubeConfig, clusterName, &clientcmd.ConfigOverrides{CurrentContext: clusterName}, nil).ClientConfig()
    if err != nil {

    // Create the clientset
    clientset, err := kubernetes.NewForConfig(config)
    if err != nil {
        panic(err) // this where the code crashes because it can't find the Google ADCs

    fmt.Printf("clientset %+v\n", clientset)

func createInMemKubeConfig(ctx context.Context, client *gke.Service, token *oauth2.Token, projectID string) (*api.Config, error) {
    k8sConf := api.Config{
        APIVersion: "v1",
        Kind:       "Config",
        Clusters:   map[string]*api.Cluster{},
        AuthInfos:  map[string]*api.AuthInfo{},
        Contexts:   map[string]*api.Context{},

    // List all clusters in project with id projectID across all zones ("-")
    resp, err := client.Projects.Zones.Clusters.List(projectID, "-").Context(ctx).Do()
    if err != nil {
        return nil, err

    for _, f := range resp.Clusters {
        name := fmt.Sprintf("gke_%s_%s_%s", projectID, f.Zone, f.Name) // My custom naming convention
        cert, err := base64.StdEncoding.DecodeString(f.MasterAuth.ClusterCaCertificate)
        if err != nil {
            return nil, err

        k8sConf.Clusters[name] = &api.Cluster{
            CertificateAuthorityData: cert,
            Server:                   "https://" + f.Endpoint,

        k8sConf.Contexts[name] = &api.Context{
            Cluster:  name,
            AuthInfo: name,

        k8sConf.AuthInfos[name] = &api.AuthInfo{
            Token: token.AccessToken,
            AuthProvider: &api.AuthProviderConfig{
                Name: "gcp",
                Config: map[string]string{
                    "scopes": scope,
    return &k8sConf, nil

and here is the error message:这是错误消息:

panic: cannot construct google default token source: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

You're using clusterName twice where you've specified that the Context name is gke_%s_%s_%s .您在指定上下文名称为gke_%s_%s_%s地方使用了clusterName两次。

You're Contexts are named gke_%s_%s_%s :你的上下文被命名为gke_%s_%s_%s

name := fmt.Sprintf("gke_%s_%s_%s", projectID, f.Zone, f.Name)

k8sConf.Contexts[name] = &api.Context{
  Cluster:  name,
  AuthInfo: name,

But, when you clientcmd.NewNonInteractiveConfig , you're using clusterName as the context parameter and then again as the CurrentContext override.但是,当您使用clientcmd.NewNonInteractiveConfig时,您使用clusterName作为context参数,然后再次作为CurrentContext覆盖。

  clusterName,                   // Incorrect should be `gke_%s_%s_%s`
    CurrentContext: clusterName, // Redudant and incorrect

You want to use the equivalent gke_%s_%s_%s name.您想使用等效的gke_%s_%s_%s名称。 Or, use the cluster name when you define the context name 's.或者,在定义上下文name时使用集群name

config, err := clientcmd.NewNonInteractiveClientConfig(
  "gke_%s_%s_%s", // You need to replace this with the Context name

Here's what worked for me.这对我有用。

It is based on thisgist and it's exactly what I was looking for.它基于这个要点,这正是我想要的。 It uses an oauth2.TokenSource object which can be fed with a variety of token types so it's quite flexible.它使用oauth2.TokenSource object 可以输入各种令牌类型,因此非常灵活。

It took me a long time to find this solution so I hope this helps somebody!我花了很长时间才找到这个解决方案,所以我希望这对某人有帮助!

package main

import (

    gke "google.golang.org/api/container/v1"

    metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    clientcmdapi "k8s.io/client-go/tools/clientcmd/api"

const (
    googleAuthPlugin = "gcp"
    projectID        = "my_project"
    clusterName      = "my_cluster"
    zone             = "my_cluster_zone"
    scope            = "https://www.googleapis.com/auth/cloud-platform"

type googleAuthProvider struct {
    tokenSource oauth2.TokenSource

// These funcitons are needed even if we don't utilize them
// So that googleAuthProvider is an rest.AuthProvider interface
func (g *googleAuthProvider) WrapTransport(rt http.RoundTripper) http.RoundTripper {
    return &oauth2.Transport{
        Base:   rt,
        Source: g.tokenSource,
func (g *googleAuthProvider) Login() error { return nil }

func main() {
    ctx := context.Background()

    // Extract a token from the JSON SA key
    data, err := ioutil.ReadFile("sa_key.json")
    if err != nil {
    creds, err := google.CredentialsFromJSON(ctx, data, scope)
    if err != nil {
    token, err := creds.TokenSource.Token()
    if err != nil {
    tokenSource := oauth2.StaticTokenSource(token)

    // Authenticate with the token
    // If it's nil use Google ADC
    if err := rest.RegisterAuthProviderPlugin(googleAuthPlugin,
        func(clusterAddress string, config map[string]string, persister rest.AuthProviderConfigPersister) (rest.AuthProvider, error) {
            var err error
            if tokenSource == nil {
                tokenSource, err = google.DefaultTokenSource(ctx, scope)
                if err != nil {
                    return nil, fmt.Errorf("failed to create google token source: %+v", err)
            return &googleAuthProvider{tokenSource: tokenSource}, nil
        }); err != nil {
        log.Fatalf("Failed to register %s auth plugin: %v", googleAuthPlugin, err)

    gkeClient, err := gke.NewService(ctx, option.WithTokenSource(tokenSource))
    if err != nil {

    clientset, err := getClientSet(ctx, gkeClient, projectID, org, env)
    if err != nil {

    // Demo to make sure it works
    pods, err := clientset.CoreV1().Pods("").List(ctx, metav1.ListOptions{})
    if err != nil {
    log.Printf("There are %d pods in the cluster", len(pods.Items))
    for _, pod := range pods.Items {

func getClientSet(ctx context.Context, client *gke.Service, projectID, name string) (*kubernetes.Clientset, error) {
    // Get cluster info
    cluster, err := client.Projects.Zones.Clusters.Get(projectID, zone, name).Context(ctx).Do()
    if err != nil {

    // Decode cluster CA certificate
    cert, err := base64.StdEncoding.DecodeString(cluster.MasterAuth.ClusterCaCertificate)
    if err != nil {
        return nil, err

    // Build a config using the cluster info
    config := &rest.Config{
        TLSClientConfig: rest.TLSClientConfig{
            CAData: cert,
        Host:         "https://" + cluster.Endpoint,
        AuthProvider: &clientcmdapi.AuthProviderConfig{Name: googleAuthPlugin},

    return kubernetes.NewForConfig(config)


声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何直接从 Go 中的 GCP 服务帐户 JSON 密钥文件创建 kube.netes.Clientset? - How can I create a kubernetes.Clientset directly from a GCP service account JSON key file in Go? 无法让 Google Cloud Platform 识别 JSON 服务帐户密钥文件。 错误:PyOpenSSL 不可用。 建议使用 JSON,但我使用的是 JSON 密钥 - Can't get Google Cloud Platform to recognize JSON service account key file. Error: PyOpenSSL is not available. Suggests JSON but I'm using a JSON key 使用 GKE 中的工作负载身份访问服务帐户密钥 json - Access Service Account key json using workload identity in GKE 如何使用服务帐户从 python 代码访问 GCP 云 function? - How I can get access to GCP cloud function from python code using service account? 如何使用 golang 的 kube.netes 服务帐户? - How to use kubernetes service account with golang? 安全服务帐户凭据 json 密钥 kotlin - Secure Service Account Credentials json key kotlin 如何安全地访问包含服务帐户凭据的 json 文件? - How can I securely access json file containing service account credentials? 如何下载服务帐号Json? - How to download a Service Account Json? 如何获取 GCP 服务帐户 SignedJWT,以便我可以调用接受 GCP 身份验证的第 3 方服务 - How to Get GCP Service Account SignedJWT so I can call a 3rd party service that accepts GCP auth GCP Kube.netes 不使用服务帐户来拉取 docker 个图像 - GCP Kubernetes not using service account for pulling docker images
粤ICP备18138465号  © 2020-2024 STACKOOM.COM