Reputation: 355
I am trying to retrieve the cluster client certificate from a GKE cluster to authenticate with the Kubernetes API server. I am using the GKE API to retrieve cluster information, but the client certificate and client key are empty in the response. On further investigation, I found out that the client certificate is disabled by default in Google Kubernetes Engine in the latest version. Now, when I try to enable it from Cluster Settings, it says that the client certificate is immutable.
My question is how I can enable the client certificate for a GKE cluster.
Upvotes: 4
Views: 1937
Reputation: 1955
As per GitLab: "Starting in 1.12, new clusters will not have a client certificate issued. You can manually enable (or disable) the issuance of the client certificate using the --[no-]issue-client-certificate flag. The clusters will have basic authentication and client certificate issuance disabled by default."
As per @Dawid, you can create a cluster with Client certificate > Enable using the command below; after that, modification is not possible on that cluster.
gcloud container clusters create YOUR-CLUSTER --machine-type=custom-2-12288 --issue-client-certificate --zone us-central1-a
As a workaround, if you want to enable the client certificate on an existing cluster, you can clone (duplicate) the cluster using the command line, adding --issue-client-certificate at the end of the command as follows:
gcloud beta container --project "xxxxxxxx" clusters create "high-mem-pool-clone-1" --zone "us-central1-f" --username "admin" --cluster-version "1.16.15-gke.6000" --release-channel "None" --machine-type "custom-2-12288" --image-type "COS" --disk-type "pd-standard" --disk-size "100" --metadata disable-legacy-endpoints=true --scopes "https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" --num-nodes "3" --enable-stackdriver-kubernetes --no-enable-ip-alias --network "projects/xxxxxxx/global/networks/default" --subnetwork "projects/xxxxxxxx/regions/us-central1/subnetworks/default" --no-enable-master-authorized-networks --addons HorizontalPodAutoscaling,HttpLoadBalancing --enable-autoupgrade --enable-autorepair --max-surge-upgrade 1 --max-unavailable-upgrade 0 --issue-client-certificate
Upvotes: 3
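As an added example (not part of the question or answer above), a Python helper that reads the masterAuth fields of `gcloud container clusters describe CLUSTER --format=json` output (the fields the question found empty) and either builds a kubeconfig from the issued client certificate or fails clearly. The cluster records are constructed and the certificates are placeholder PEM blocks, not real keys.

```python
import base64

def _pem(label: str, body: str) -> str:
    """Base64 of a placeholder PEM block, the encoding the GKE API uses for certs."""
    pem = f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
    return base64.b64encode(pem.encode()).decode()

# Constructed describe output for a cluster created with --issue-client-certificate.
CLUSTER_WITH_CERT = {
    "name": "high-mem-pool-clone-1",
    "endpoint": "203.0.113.10",
    "masterAuth": {
        "clientCertificateConfig": {"issueClientCertificate": True},
        "clusterCaCertificate": _pem("CERTIFICATE", "CA-PLACEHOLDER"),
        "clientCertificate": _pem("CERTIFICATE", "CLIENT-PLACEHOLDER"),
        "clientKey": _pem("RSA PRIVATE KEY", "KEY-PLACEHOLDER"),
    },
}

# Constructed describe output for a 1.12+ cluster created with the default:
# issuance off, so clientCertificate/clientKey never appear (the question's symptom).
CLUSTER_WITHOUT_CERT = {
    "name": "default-cluster",
    "endpoint": "203.0.113.20",
    "masterAuth": {
        "clientCertificateConfig": {},
        "clusterCaCertificate": _pem("CERTIFICATE", "CA-PLACEHOLDER"),
    },
}

def client_cert_enabled(cluster: dict) -> bool:
    """True only if issuance is on and the API returned both cert and key."""
    auth = cluster.get("masterAuth", {})
    issue = auth.get("clientCertificateConfig", {}).get("issueClientCertificate", False)
    return bool(issue and auth.get("clientCertificate") and auth.get("clientKey"))

def kubeconfig_from_cluster(cluster: dict) -> dict:
    """Minimal kubeconfig that authenticates with the issued client certificate."""
    name = cluster["name"]
    # The issuance flag is immutable, so a cluster without it must be recreated.
    if not client_cert_enabled(cluster):
        raise ValueError(f"{name}: no client certificate issued; recreate with --issue-client-certificate")
    auth = cluster["masterAuth"]
    server = {"server": f"https://{cluster['endpoint']}", "certificate-authority-data": auth["clusterCaCertificate"]}
    user = {"client-certificate-data": auth["clientCertificate"], "client-key-data": auth["clientKey"]}
    return {"apiVersion": "v1", "kind": "Config", "current-context": name,
            "clusters": [{"name": name, "cluster": server}],
            "users": [{"name": name, "user": user}],
            "contexts": [{"name": name, "context": {"cluster": name, "user": name}}]}
```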