在Kubectl中使用GKE服务帐户凭据 [英] Using GKE service account credentials with kubectl
问题描述
我正在尝试从CI系统中调用kubectl.我希望使用Google云服务帐户进行身份验证.我有一个秘密管理系统,可以将秘密注入我的CI系统中.
但是,我的CI系统没有安装gcloud,我也不想安装它.它仅包含kubectl.有什么方法可以直接在kubectl中使用包含gcloud服务帐户(而非kubernetes服务帐户)的certificate.json文件?
跳过gcloud CLI的最简单方法是使用ClusterRole
或Role
"rel =" noreferrer> ClusterRoleBinding
或RoleBinding
.
然后从命令行:
$ kubectl --token <token-from-your-service-account> get pods
在~/.kube/config
中您仍然需要context
:
- context:
cluster: kubernetes
name: kubernetes-token
否则,您将必须使用:
$ kubectl --insecure-skip-tls-verify --token <token-from-your-service-account> -s https://<address-of-your-kube-api-server>:6443 get pods
请注意,如果您不希望令牌显示在日志中,则可以执行以下操作:
$ kubectl --token $(cat /path/to/a/file/where/the/token/is/stored) get pods
此外,请注意,这不会阻止您在kubectl
进程的生命周期内在盒子上运行ps -Af
并从那里抓取令牌(旋转令牌是一个好主意)>
您可以使用 --token-auth-file=/path/to/a/file/where/the/token/is/stored
与kubectl
一起使用,以避免将其通过$(cat /path/to/a/file/where/the/token/is/stored)
I am trying to invoke kubectl from within my CI system. I wish to use a google cloud service account for authentication. I have a secret management system in place that injects secrets into my CI system.
However, my CI system does not have gcloud installed, and I do not wish to install that. It only contains kubectl. Is there any way that I can use a credentials.json file containing a gcloud service account (not a kubernetes service account) directly with kubectl?
The easiest way to skip the gcloud CLI is to probably use the --token
option. You can get a token with RBAC by creating a service account and tying it to a ClusterRole
or Role
with either a ClusterRoleBinding
or RoleBinding
.
Then from the command line:
$ kubectl --token <token-from-your-service-account> get pods
You still will need a context
in your ~/.kube/config
:
- context:
cluster: kubernetes
name: kubernetes-token
Otherwise, you will have to use:
$ kubectl --insecure-skip-tls-verify --token <token-from-your-service-account> -s https://<address-of-your-kube-api-server>:6443 get pods
Note that if you don't want the token to show up on the logs you can do something like this:
$ kubectl --token $(cat /path/to/a/file/where/the/token/is/stored) get pods
Also, note that this doesn't prevent you from someone running ps -Af
on your box and grabbing the token from there, for the lifetime of the kubectl
process (It's a good idea to rotate the tokens)
Edit:
You can use the --token-auth-file=/path/to/a/file/where/the/token/is/stored
with kubectl
to avoid passing it through $(cat /path/to/a/file/where/the/token/is/stored)
这篇关于在Kubectl中使用GKE服务帐户凭据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!