Reputation: 3648
I've been working on a python project with the goal to interact with Kubernetes. One of the problems I have run into is the authentication process. Similar to this question I get the error
google.auth.exceptions.DefaultCredentialsError: Could not automatically determine credentials. Please set GOOGLE_APPLICATION_CREDENTIALS or explicitly create credentials and re-run the application. For more information, please see https://cloud.google.com/docs/authentication/getting-started
I understand that this is probably due to the fact that I use pycharm. However, when I run it from the terminal, I get this error:
kubernetes.client.rest.ApiException: (403) Reason: Forbidden HTTP response headers: HTTPHeaderDict({'Audit-Id': 'XXXXXXXXXXX', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'XXXXXXXXXXXXXXXX', 'Content-Length': 'XXX'}) HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"deployments.extensions is forbidden: User \"XXXXXXXXXXXXXXXXXXX\" cannot create deployments.extensions in the namespace \"default\": Required \"container.deployments.create\" permission.","reason":"Forbidden","details":{"group":"extensions","kind":"deployments"},"code":403}
However, when I change my code from:
os.system(f"gcloud container clusters get-credentials {cluster_name} --zone {zone} --project {project}")
to
os.system(f"gcloud container clusters get-credentials {cluster_name} --zone {zone} --project {project}")
os.system("kubectl run hello-server --image gcr.io/google-samples/hello-app:1.0 --port 8080")
os.system("kubectl delete deployments hello-server")
I can authenticate and all other functionality is exactly as it should be. I don't understand why this is. I think it's probably an indication something is wrong and would like to fix it before continuing. Does anybody know what is happening here, and how to fix it?
Upvotes: 0
Views: 1971
Reputation: 6507
From your error description I can see that you are not having a problem with authentication but with authorization to Kubernetes. These are two different things.
The error message you posted should be interpreted in the following way:
"You are not authorized to perform "create" action on "deployment" object."
The mechanism that blocks your user's access to specific operations on cluster resources is called role-based access control (RBAC), which is built into GKE and generally enabled in Kubernetes 1.6 onwards.
How to solve your problem:
The easiest way is to use one of the predefined Cloud IAM roles for Kubernetes clusters, e.g. "roles/container.admin", which will be mapped automatically to the ClusterRole (cluster-admin). Please keep in mind to apply the "principle of least privilege", especially for production clusters.
If you created a GCP Service Account in step #1, download its key in JSON format.
Provide authentication credentials to your application code by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS.
I'm setting it up directly inside my python app:
import os

# Point google-auth at the service account key file downloaded above
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = 'gke-admin-svc-key.json'
From now on you should be able to interact with your cluster from outside, in the context of the GCP service account, which should be reflected in the audit logs:
authenticationInfo: {
principalEmail: "<id_of_your_svc_account>"
}
authorizationInfo: [
0: {
granted: true
permission: "io.k8s.core.v1.pods.list"
resource: "core/v1/pods"
}
]
Upvotes: 1
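Two offline checks that follow from the answer above, written as an added example (not code from the question or the answer): a sanity check of the service account key file that GOOGLE_APPLICATION_CREDENTIALS points at, and a classifier that tells a Kubernetes API authentication failure (401) apart from an RBAC authorization failure (403) and extracts the user, verb, resource, namespace and required permission from the Status message quoted in the question. The key-file field list and the sample key values are assumptions; only the standard library is used, and nothing here contacts GCP or a cluster.

```python
import json
import os
import re
from dataclasses import dataclass
from typing import Optional

# Fields a google-auth service-account key file carries (assumption based on the
# documented key format; adjust if your key type differs).
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email")

# Constructed sample key (not a real credential) used only to exercise the check.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "gke-admin@example-project.iam.gserviceaccount.com",
}


def key_problem(data: dict) -> Optional[str]:
    """Return a description of what is wrong with a parsed key, or None if it looks usable."""
    missing = [f for f in REQUIRED_KEY_FIELDS if f not in data]
    if missing:
        return f"missing fields {missing}"
    if data["type"] != "service_account":
        return f"type is {data['type']!r}, expected 'service_account'"
    return None


def validate_service_account_key(path: str) -> dict:
    """Check the file GOOGLE_APPLICATION_CREDENTIALS will point at; raise ValueError on problems."""
    if not os.path.isfile(path):
        raise ValueError(f"{path}: file not found (the variable must hold a path, not the key itself)")
    with open(path, "r", encoding="utf-8") as fh:
        data = json.load(fh)
    problem = key_problem(data)
    if problem:
        raise ValueError(f"{path}: {problem}")
    return {"project_id": data["project_id"], "client_email": data["client_email"]}


@dataclass
class ApiErrorSummary:
    kind: str  # "authentication", "authorization" or "other"
    user: Optional[str] = None
    verb: Optional[str] = None
    resource: Optional[str] = None
    namespace: Optional[str] = None
    required_permission: Optional[str] = None
    message: str = ""


# Matches the GKE-style Forbidden message shape quoted in the question.
_FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) (?P<resource>[\w.]+)'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?'
    r'(?:: Required "(?P<permission>[^"]+)" permission)?'
)


def classify_api_error(status: int, body: str) -> ApiErrorSummary:
    """Interpret the HTTP status and Status body of a failed Kubernetes API call.

    401 means the API server could not establish who you are (authentication);
    403 means it knows who you are but RBAC denies the action (authorization).
    """
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, AttributeError):
        message = body
    if status == 401:
        return ApiErrorSummary(kind="authentication", message=message)
    if status == 403:
        m = _FORBIDDEN_RE.search(message)
        return ApiErrorSummary(
            kind="authorization",
            user=m.group("user") if m else None,
            verb=m.group("verb") if m else None,
            resource=m.group("resource") if m else None,
            namespace=m.group("namespace") if m else None,
            required_permission=m.group("permission") if m else None,
            message=message,
        )
    return ApiErrorSummary(kind="other", message=message)


# Constructed sample: the 403 response body from the question, placeholder user kept.
SAMPLE_403_BODY = (
    '{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure",'
    '"message":"deployments.extensions is forbidden: User \\"XXXXXXXXXXXXXXXXXXX\\" '
    'cannot create deployments.extensions in the namespace \\"default\\": '
    'Required \\"container.deployments.create\\" permission.",'
    '"reason":"Forbidden","details":{"group":"extensions","kind":"deployments"},"code":403}'
)

if __name__ == "__main__":
    s = classify_api_error(403, SAMPLE_403_BODY)
    print(s.kind, s.user, s.verb, s.resource, s.namespace, s.required_permission)
```

The classifier is the piece to wire into the except branch around your kubernetes.client calls: a 403 with a populated required_permission tells you exactly which IAM role or RBAC binding the identity lacks, while a 401 means the credential itself was not accepted and the RBAC setup is not yet the issue.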
Reputation: 847
What about using the Kubernetes client for Python?
https://github.com/kubernetes-client/python
Check this example for remote cluster access:
https://github.com/kubernetes-client/python/blob/master/examples/remote_cluster.py
Upvotes: 0