If you’re using Google Kubernetes Engine and deploying to it from headless environments like CI/CD, you’re probably installing the gcloud command-line tool (perhaps every time you run a build). There’s a way to authenticate to GKE clusters without the gcloud CLI!
The solution is to use static kubeconfig files that we craft ahead of time. To do this, you will still need:
- the gcloud CLI (but only on the development machine, not in the headless environment)
- Google credentials to authenticate you (a.k.a. a Google Service Account key)
Craft the static kubeconfig file
Set your cluster name and zone in a variable in a bash terminal (for a regional cluster, use --region instead of --zone):
GET_CMD="gcloud container clusters describe [CLUSTER] --zone=[ZONE]"
Running the following command block in bash will create a kubeconfig.yaml file by retrieving:
- cluster master’s IP address
- cluster’s CA certificate
cat > kubeconfig.yaml <<EOF
apiVersion: v1
kind: Config
current-context: my-cluster
contexts: [{name: my-cluster, context: {cluster: cluster-1, user: user-1}}]
users: [{name: user-1, user: {auth-provider: {name: gcp}}}]
clusters:
- name: cluster-1
  cluster:
    server: "https://$(eval "$GET_CMD --format='value(endpoint)'")"
    certificate-authority-data: "$(eval "$GET_CMD --format='value(masterAuth.clusterCaCertificate)'")"
EOF
This kubeconfig.yaml file does not contain secrets such as your credentials. It only points kubectl to your cluster; the master endpoint and the cluster CA certificate are not sensitive, so you can safely store this file in your git repository. (Do check that both values actually made it into the file: if the gcloud command fails, the command substitutions above expand to empty strings and you end up with a kubeconfig that has an empty server and CA.)
Note that you can rotate both the master IP address and the CA certificate by triggering a manual credential rotation on the cluster. If you do that, you need to regenerate this file. (This is the only downside to this approach.)
Create a service account for headless authentication
- You will need to create a Google Cloud service account to authenticate to GKE from headless environments.
- Give this service account the IAM roles you need. (For example, the “Kubernetes Engine Developer” role will let you deploy workloads to clusters. It grants access to Kubernetes API objects in every cluster of the project, so if the pipeline only needs one namespace, narrow it down with Kubernetes RBAC.)
- Then, create a key file (.json) for the service account. This file is a long-lived secret: do not check it in to your repositories, keep it in your CI system’s secret store, and rotate it.
Using the kubeconfig file
Now you can go to an environment without gcloud, take this kubeconfig file, combine it with your Service Account key file, and authenticate to your GKE clusters by setting these environment variables:
export GOOGLE_APPLICATION_CREDENTIALS=service-account-key.json
export KUBECONFIG=kubeconfig.yaml
kubectl get nodes #← You are authenticated if this works!
Setting GOOGLE_APPLICATION_CREDENTIALS works for kubectl because the gcp auth plugin in kubectl uses the standard Google Cloud Go client libraries, which pick up this environment variable as Application Default Credentials. Note that this built-in gcp auth provider was deprecated in Kubernetes 1.22 and removed from kubectl in 1.26; newer kubectl versions authenticate to GKE through the gke-gcloud-auth-plugin exec plugin instead, so check your kubectl version before relying on this setup.
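As an added example (not from the original post), a preflight script for the headless side: it refuses to run kubectl unless the key file is a readable, owner-only service_account key and the kubeconfig relies on the gcp auth provider without embedding a token or client key of its own. The file names, the check_* function names and the deployer@... address used in testing are assumptions for this example.

```sh
#!/bin/sh
# Preflight for a headless environment that authenticates to GKE with a
# static kubeconfig plus a service-account key. Added example, not the
# post's own code; file names and function names are made up.
set -eu

# Return non-zero unless FILE is a readable, owner-only service-account key.
# Catches the usual CI mistakes: wrong secret mounted, a user OAuth
# credential instead of a key, or a key left world-readable on a shared runner.
check_sa_key() {
  file=$1
  [ -r "$file" ] || { echo "$file: not readable" >&2; return 1; }
  grep -q '"type": *"service_account"' "$file" \
    || { echo "$file: not a service_account key" >&2; return 1; }
  grep -q '"private_key"' "$file" \
    || { echo "$file: no private_key field" >&2; return 1; }
  # columns 5-10 of `ls -l` are the group and other permission bits
  [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] \
    || { echo "$file: readable by group/other, chmod 600 it" >&2; return 1; }
}

# Return non-zero unless FILE is a kubeconfig whose user entry uses the gcp
# auth provider (so GOOGLE_APPLICATION_CREDENTIALS actually applies) and
# embeds no static credential that would make the file itself a secret.
check_kubeconfig() {
  file=$1
  [ -r "$file" ] || { echo "$file: not readable" >&2; return 1; }
  grep -A 2 'auth-provider' "$file" | grep -q 'name: *gcp' \
    || { echo "$file: user does not use the gcp auth provider" >&2; return 1; }
  ! grep -Eq '^ *(token|client-key-data|client-key):' "$file" \
    || { echo "$file: embeds a credential; keep those out of git" >&2; return 1; }
}

# Run kubectl with both files wired up through the environment.
run_headless_kubectl() {
  check_sa_key "$1"
  check_kubeconfig "$2"
  GOOGLE_APPLICATION_CREDENTIALS=$1 KUBECONFIG=$2 kubectl get nodes
}

# Usage: sh preflight.sh service-account-key.json kubeconfig.yaml
# With no arguments the file only defines the checks (no kubectl needed).
if [ "$#" -eq 2 ]; then
  run_headless_kubectl "$1" "$2"
fi
```

The mode check matters on shared build agents: the key is the only secret in this setup, and a 0644 key file on a runner that several jobs share is readable by every one of them.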
Hopefully this trick speeds up your build environments by removing the steps that install and configure the gcloud CLI.
This is not the only way to authenticate to GKE clusters without gcloud: you can also use Kubernetes service accounts. Perhaps we can explore this in another article.