Access Kubernetes GKE cluster outside of GKE cluster with client-go?


Question

  • I have multiple kubernetes clusters running on GKE (say clusterA and clusterB)
  • I want to access both clusters from client-go in an application that runs in one of the clusters (e.g. access clusterB from an application running on clusterA)

In general, for authenticating with kubernetes clusters from client-go I see that I have two options:

  • InCluster config
  • or from a kube config file

So it is easy to access clusterA from clusterA but not clusterB from clusterA.

What are my options here? It seems that I just cannot pass GOOGLE_APPLICATION_CREDENTIALS and hope that client-go will take care of itself.

So my idea:

  • create a dedicated IAM service account
  • create kube config with tokens for both clusters by doing gcloud container clusters get-credentials clusterA and gcloud container clusters get-credentials clusterB
  • use that kube config file in client-go via BuildConfigFromFlags on clusterA

Is this the correct approach, or is there a simpler way? I see that tokens have an expiration date?

Update:

It seems I can also use CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True gcloud beta container clusters get-credentials clusterB --zone., which would add certificates to the kube conf that I could use. But AFAIK those certificates cannot be revoked.

Answer

client-go needs to know about:

  1. IP address of the cluster master
  2. CA certificate of the cluster

(If you're using GKE, you can see this information in $HOME/.kube/config, populated by the gcloud container clusters get-credentials command.)

I recommend you either:

  1. Have a kubeconfig file that contains this information for clusters A & B
  2. Use the GKE API to retrieve this information for clusters A & B (example here) (You'll need a service account to do this, explained below.)

Once you can create a *rest.Config object in client-go, client-go will use the auth plugin that's specified in the kubeconfig file (or its in-memory equivalent you constructed). The gcp auth plugin knows how to retrieve a token.

Then, create a Cloud IAM Service Account and give it the "Container Developer" role. Download its key.

Now you have two options:

gcloud auth activate-service-account --key-file=key.json
KUBECONFIG=a.yaml gcloud container clusters get-credentials clusterA
KUBECONFIG=b.yaml gcloud container clusters get-credentials clusterB

Then create 2 different *rest.Client objects, one created from a.yaml, another from b.yaml in your program.

Now your program will rely on the gcloud binary to retrieve a token every time your token expires (every 1 hour).

  1. Don't install gcloud to your program’s environment.
  2. Set your key.json to GOOGLE_APPLICATION_CREDENTIALS environment variable for your program.
  3. Figure out a way to get cluster IP/CA (explained above) so you can construct two different *rest.Config objects for cluster A & B.
  4. Now your program will use the specified key file to get an access_token to Google API every time it expires (every 1h).

Hope this helps.

P.S. do not forget to import _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" in your Go program. This loads the gcp auth plugin!
