
How to enable Client Certificate in Google Kubernetes Engine Cluster

I am trying to retrieve the cluster client certificate from a GKE cluster to authenticate with the Kubernetes API server. I am using the GKE API to retrieve cluster information, but the client certificate and client key are empty in the response. On further investigation, I found out that the client certificate is disabled by default in the latest versions of Google Kubernetes Engine. Now, when I try to enable it from Cluster Settings, it says that

client certificate is immutable.

My question is how I can enable the client certificate for a GKE cluster.

As per the gitlab: Starting in 1.12, new clusters will not have a client certificate issued. You can manually enable (or disable) the issuance of the client certificate using the --[no-]issue-client-certificate flag. The clusters will have basic authentication and client certificate issuance disabled by default.

As per @Dawid, you can create a cluster with Client certificate > Enable using the command below; after that, the setting cannot be modified on that cluster.

gcloud container clusters create YOUR-CLUSTER --machine-type=custom-2-12288 --issue-client-certificate --zone us-central1-a

As a workaround, if you want to enable the client certificate on an existing cluster, you can clone (DUPLICATE) the cluster from the command line and add --issue-client-certificate at the end of the command, as follows:

gcloud beta container --project "xxxxxxxx" clusters create "high-mem-pool-clone-1" --zone "us-central1-f" --username "admin" --cluster-version "1.16.15-gke.6000" --release-channel "None" --machine-type "custom-2-12288" --image-type "COS" --disk-type "pd-standard" --disk-size "100" --metadata disable-legacy-endpoints=true --scopes "https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" --num-nodes "3" --enable-stackdriver-kubernetes --no-enable-ip-alias --network "projects/xxxxxxx/global/networks/default" --subnetwork "projects/xxxxxxxx/regions/us-central1/subnetworks/default" --no-enable-master-authorized-networks --addons HorizontalPodAutoscaling,HttpLoadBalancing --enable-autoupgrade --enable-autorepair --max-surge-upgrade 1 --max-unavailable-upgrade 0 --issue-client-certificate
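To see whether a given cluster actually issued a client certificate (and to turn the response into something kubectl can use), the following Python is an added example, not code from the original post or from Google. It reads the masterAuth block of the cluster object as returned by `gcloud container clusters describe CLUSTER --format=json` (the same object the container API's clusters.get returns), reports whether issueClientCertificate was set at creation time, and builds a kubeconfig from clientCertificate, clientKey and clusterCaCertificate when they are present. Both sample responses are constructed here; the certificate bytes are placeholders, not real credentials.

```python
"""Inspect a GKE describe response for an issued client certificate.

Added example; the two describe responses below are constructed to show the
difference between a cluster created with and without
--issue-client-certificate. Field names follow the GKE v1 API's masterAuth
block; certificate contents are placeholders, not real material.
"""
import base64
import json


def _b64(pem: bytes) -> str:
    # GKE returns each PEM blob base64-encoded; kubeconfig *-data fields
    # expect exactly that encoding, so it can be passed through unchanged.
    return base64.b64encode(pem).decode()


CA_PEM = b"-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
CERT_PEM = b"-----BEGIN CERTIFICATE-----\nCLIENT-PLACEHOLDER\n-----END CERTIFICATE-----\n"
KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"

# Constructed: cluster created without --issue-client-certificate. Only the
# cluster CA is present; clientCertificate/clientKey are absent, which is the
# "empty" response the question describes.
DESCRIBE_NO_CERT = json.dumps({
    "name": "high-mem-pool",
    "endpoint": "203.0.113.10",
    "masterAuth": {
        "clientCertificateConfig": {},  # issueClientCertificate omitted == false
        "clusterCaCertificate": _b64(CA_PEM),
    },
})

# Constructed: the clone created with --issue-client-certificate.
DESCRIBE_WITH_CERT = json.dumps({
    "name": "high-mem-pool-clone-1",
    "endpoint": "203.0.113.20",
    "masterAuth": {
        "clientCertificateConfig": {"issueClientCertificate": True},
        "clusterCaCertificate": _b64(CA_PEM),
        "clientCertificate": _b64(CERT_PEM),
        "clientKey": _b64(KEY_PEM),
    },
})


def client_cert_issued(describe_json: str) -> bool:
    """True only if the cluster was created with client certificate issuance on."""
    cluster = json.loads(describe_json)
    cfg = cluster.get("masterAuth", {}).get("clientCertificateConfig", {})
    return bool(cfg.get("issueClientCertificate", False))


def kubeconfig_from_describe(describe_json: str, context_name: str = "gke-client-cert") -> dict:
    """Build a kubeconfig (as a dict; kubectl reads JSON kubeconfigs) from the
    issued client certificate. Raises ValueError when no certificate exists,
    since the setting is immutable and cannot be fixed on this cluster."""
    cluster = json.loads(describe_json)
    auth = cluster.get("masterAuth", {})
    cert, key, ca = auth.get("clientCertificate"), auth.get("clientKey"), auth.get("clusterCaCertificate")
    if not (cert and key):
        raise ValueError(
            "cluster %s did not issue a client certificate; create a new cluster "
            "with --issue-client-certificate or use 'gcloud container clusters "
            "get-credentials' for IAM-based access" % cluster.get("name"))
    name = cluster["name"]
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": name, "cluster": {
            "server": "https://%s" % cluster["endpoint"],
            "certificate-authority-data": ca,
        }}],
        "users": [{"name": name + "-client-cert", "user": {
            "client-certificate-data": cert,
            "client-key-data": key,
        }}],
        "contexts": [{"name": context_name, "context": {
            "cluster": name, "user": name + "-client-cert"}}],
        "current-context": context_name,
    }


if __name__ == "__main__":
    for sample in (DESCRIBE_NO_CERT, DESCRIBE_WITH_CERT):
        print(json.loads(sample)["name"], "issued:", client_cert_issued(sample))
    print(json.dumps(kubeconfig_from_describe(DESCRIBE_WITH_CERT), indent=2))
```

Usage: replace the constructed samples with the output of `gcloud container clusters describe CLUSTER --zone ZONE --format=json` and write the returned dict to a file with json.dumps; kubectl --kubeconfig accepts it directly. The raised ValueError is the practical check: if issueClientCertificate is false the cluster will never return the cert fields, and the only ways forward are the clone command above or the IAM-backed credentials from gcloud get-credentials.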
