
Login to GKE via service account with token

I am trying to access my Kubernetes cluster on Google Cloud with the service account, but I am not able to make this work. I have a running system with some pods and ingress. I want to be able to update images of deployments.

I would like to use something like this (remotely):

kubectl config set-cluster cluster --server="<IP>" --insecure-skip-tls-verify=true
kubectl config set-credentials foo --token="<TOKEN>"
kubectl config set-context my-context --cluster=cluster --user=foo --namespace=default
kubectl config use-context cluster
kubectl set image deployment/my-deployment boo=eu.gcr.io/project-123456/image:v1

So I created the service account and then got the secret token:

kubectl create serviceaccount foo
kubectl get secret foo-token-gqvgn -o yaml

But, when I try to update the image in any deployment, I receive:

error: You must be logged in to the server (Unauthorized)

For the API IP address, I use the address that is shown in GKE administration as the cluster endpoint IP. Any suggestions? Thanks.

Chap asked Nov 08 '22 11:11


1 Answer

I have tried to recreate your problem.

Steps I have followed

  • kubectl create serviceaccount foo
  • kubectl get secret foo-token-* -o yaml

Then, I have tried to do what you have done.

What I have used as the token is the base64-decoded token.

Then I tried this:

$ kubectl get pods

Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:default:foo" cannot list pods in the namespace "default": Unknown user "system:serviceaccount:default:foo"

This gave me an error, as expected, because I need to grant permission to this ServiceAccount.

How can I grant permission to this ServiceAccount? I need to create a ClusterRole & ClusterRoleBinding with the necessary permissions.

Read more to learn about role-based access control.

I can do another thing:

$ kubectl config set-credentials foo --username="admin" --password="$PASSWORD"

This will grant you admin authorization.

You need to provide the cluster credentials.

Username: admin
Password: -----

You will get this info in GKE -> Kubernetes Engine -> {cluster} -> Show credential

Shahriar answered Nov 15 '22 08:11
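Added example, not part of the original question or answer: it combines the answer's two points (base64-decode the secret's token, then grant the ServiceAccount permission). It uses a namespaced Role and RoleBinding limited to one deployment rather than the ClusterRole the answer mentions, and it pins the cluster CA from the same secret instead of skipping TLS verification. The names foo, default and my-deployment come from the question; the role name, the sample secret and the get/patch verb set for `kubectl set image` are assumptions.

```bash
# Constructed sample of `kubectl get secret foo-token-xxxxx -o yaml`; values are placeholders.
SAMPLE_SECRET='apiVersion: v1
kind: Secret
data:
  ca.crt: Q0E=
  token: ZXhhbXBsZS5qd3QudG9rZW4=
type: kubernetes.io/service-account-token'

# Secret data is base64-encoded; --token and --certificate-authority need the decoded value.
secret_field() {  # usage: secret_field <key> < secret.yaml
  awk -v k="$1:" '$1 == k { print $2 }' | base64 --decode
}

# Least-privilege RBAC: the account may only read and patch one named deployment.
render_rbac() {  # usage: render_rbac <serviceaccount> <namespace> <deployment>
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: { name: $1-image-updater, namespace: $2 }
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  resourceNames: ["$3"]
  verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: { name: $1-image-updater, namespace: $2 }
subjects:
- { kind: ServiceAccount, name: $1, namespace: $2 }
roleRef: { apiGroup: rbac.authorization.k8s.io, kind: Role, name: $1-image-updater }
EOF
}

# Run with an admin context. usage: apply_all <secret-name> <https://endpoint>
apply_all() {
  local s; s=$(kubectl get secret "$1" -n default -o yaml) || return
  printf '%s\n' "$s" | secret_field ca.crt > ca.crt
  render_rbac foo default my-deployment | kubectl apply -f -
  kubectl config set-cluster cluster --server="$2" --certificate-authority=ca.crt --embed-certs=true
  kubectl config set-credentials foo --token="$(printf '%s\n' "$s" | secret_field token)"
  kubectl config set-context my-context --cluster=cluster --user=foo --namespace=default
  kubectl config use-context my-context
}

# Offline demo on the constructed secret: prints the decoded placeholder token.
printf '%s\n' "$SAMPLE_SECRET" | secret_field token; echo
```

After `apply_all`, `kubectl auth can-i patch deployment/my-deployment` should answer yes for this context, while `kubectl get pods` stays forbidden.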