Alex Flint

Reputation: 6748

Get a kubectl client key and cert when using GKE

I am writing a Go binary that will run on my local machine. I wish to authenticate with the Kubernetes API for a GKE cluster. How can I get a client key and certificate?

(Note that a Kubernetes service account does not seem appropriate because my binary does not itself run on the cluster. And I do not want to have to install gcloud locally because I may want to distribute my binary to others, so I cannot use the gcloud auth helper flow.)

Upvotes: 3

Views: 2926

Answers (1)

Rico

Reputation: 61689

You can't get it from GKE because GCP doesn't expose the CA key for you to create client certificate/key pairs for you to authenticate with the cluster. That key lives in the Kubernetes master(s) and GKE doesn't give you direct access to them (they manage them). I recommend you use a token.

Check my other answer with more details. Basically, create a ServiceAccount and bind it to a Role or ClusterRole (RBAC). You can actually authenticate outside your cluster using a token tied to a ServiceAccount.

Upvotes: 3
