在Kubectl中使用GKE服务帐户凭据 [英] Using GKE service account credentials with kubectl

问题描述

我正在尝试从CI系统中调用kubectl.我希望使用Google云服务帐户进行身份验证.我有一个秘密管理系统，可以将秘密注入我的CI系统中.

但是，我的CI系统没有安装gcloud，我也不想安装它.它仅包含kubectl.有什么方法可以直接在kubectl中使用包含gcloud服务帐户(而非kubernetes服务帐户)的certificate.json文件?

解决方案

跳过gcloud CLI的最简单方法是使用ClusterRole或Role "rel =" noreferrer> ClusterRoleBinding或RoleBinding .

然后从命令行:

$ kubectl --token <token-from-your-service-account> get pods

在~/.kube/config中您仍然需要context:

- context:
    cluster: kubernetes
  name: kubernetes-token

否则，您将必须使用:

$ kubectl --insecure-skip-tls-verify --token <token-from-your-service-account> -s https://<address-of-your-kube-api-server>:6443 get pods

请注意，如果您不希望令牌显示在日志中，则可以执行以下操作:

$ kubectl --token $(cat /path/to/a/file/where/the/token/is/stored) get pods

此外，请注意，这不会阻止您在kubectl进程的生命周期内在盒子上运行ps -Af并从那里抓取令牌(旋转令牌是一个好主意)

您可以使用 --token-auth-file=/path/to/a/file/where/the/token/is/stored 与kubectl一起使用，以避免将其通过$(cat /path/to/a/file/where/the/token/is/stored)

I am trying to invoke kubectl from within my CI system. I wish to use a google cloud service account for authentication. I have a secret management system in place that injects secrets into my CI system.

However, my CI system does not have gcloud installed, and I do not wish to install that. It only contains kubectl. Is there any way that I can use a credentials.json file containing a gcloud service account (not a kubernetes service account) directly with kubectl?

解决方案

The easiest way to skip the gcloud CLI is to probably use the --token option. You can get a token with RBAC by creating a service account and tying it to a ClusterRole or Role with either a ClusterRoleBinding or RoleBinding.

Then from the command line:

$ kubectl --token <token-from-your-service-account> get pods

You still will need a context in your ~/.kube/config:

- context:
    cluster: kubernetes
  name: kubernetes-token

Otherwise, you will have to use:

$ kubectl --insecure-skip-tls-verify --token <token-from-your-service-account> -s https://<address-of-your-kube-api-server>:6443 get pods

Note that if you don't want the token to show up on the logs you can do something like this:

$ kubectl --token $(cat /path/to/a/file/where/the/token/is/stored) get pods

Also, note that this doesn't prevent you from someone running ps -Af on your box and grabbing the token from there, for the lifetime of the kubectl process (It's a good idea to rotate the tokens)

Edit:

You can use the --token-auth-file=/path/to/a/file/where/the/token/is/stored with kubectl to avoid passing it through $(cat /path/to/a/file/where/the/token/is/stored)

这篇关于在Kubectl中使用GKE服务帐户凭据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！