Reputation: 9837
How to create new client certificates / tokens for programmatic access to the Kubernetes API hosted on GKE?
I am running a Kubernetes cluster hosted on GKE and would like to write an application (written in Go) that speaks to the Kubernetes API. My understanding is that I can either provide a client certificate, bearer token, or HTTP Basic Authentication in order to authenticate with the apiserver. I have already found the right spot to inject any of these into the Golang client library.
Unfortunately, the examples I ran across tend to reference to existing credentials stored in my personal kubeconfig file. This seems non-advisable from a security perspective and makes me believe that I should create a new client certificate / token / username-password pair in order to support easy revocation/removal of compromised accounts. However, I could not find a spot in the documentation actually describing how to go about this when running on managed Kubernetes in GKE. (There's this guide on creating new certificates explaining that the apiserver needs to get restarted with updated parameters eventually, something that to my understanding cannot be done in GKE.)
Are my security concerns for reusing my personal Kubernetes credentials in one (or potentially multiple) applications unjustified? If not, what's the right approach to generate a new set of credentials?
Thanks.
Upvotes: 3
Views: 1629
Answers (1)
Reputation: 5662
If your application is running inside the cluster, you can use Kubernetes Service Accounts to authenticate to the API server.
If this is outside of the cluster, things aren't as easy, and I suppose your concerns are justified. Right now, GKE does not allow additional custom identities beyond the one generated for your personal kubeconfig file.
Instead of using your credentials, you could grab a service account's token (inside a pod, read from /var/run/secrets/kubernetes.io/serviceaccount/token), and use that instead. It's a gross hack, and not a great general solution, but it might be slightly preferable to using your own personal credentials.
Upvotes: 2
Related Questions
- Mounting a certificate for using the GKE Kubernetes API
- Mounting a kubeconfig file using go-client auth method to a container
- How to set IAP (Identity Aware Proxy) authentication for back-end API service running on a GKE cluster
- How can I allow API access to a GKE K8S cluster without modifying the HTTP client
- TLS bootstrapping ,--token-auth-file, User "system:anonymous" cannot create certificatesigningrequests
- How to authenticate to multiple GKE Kubernetes clusters using dynamic and unique google credentials
- How do I relate GCP users to GKE Kubernetes users, for authentication and subsequent authorization?
- Unable to access Kubernetes cluster using the go client when CLOUDSDK_CONFIG is set
- How to create a Kubernetes client certificate signing request for Cockroachdb
- How do I entitle serviceAccounts via gcloud command-line for Kubernetes API access?