kubectl oauth2 authentication with container engine fails

0
votes

I use the following commands in my deployment pipeline to set up kubectl for use with container engine

gcloud auth activate-service-account ***@***.iam.gserviceaccount.com --key-file /var/go/.gcloud/***.json
gcloud config set account ***@***.iam.gserviceaccount.com
gcloud config set project gcloud-projectx
gcloud container clusters get-credentials gke-cluster --zone europe-west1-c

Since a recent gcloud update when running kubectl version this fails with the following error

Client Version: version.Info{Major:"1", Minor:"3", GitVersion:"v1.3.4", GitCommit:"dd6b458ef8dbf24aff55795baa68f83383c9b3a9", GitTreeState:"clean", BuildDate:"2016-08-01T16:45:16Z", GoVersion:"go1.6.2", Compiler:"gc", Platform:"linux/amd64"}
error: You must be logged in to the server (the server has asked for the client to provide credentials)

With Google Cloud SDK 122.0.0 and kubectl-linux-x86_64 1.3.4, whereas Google Cloud SDK 119.0.0 and kubectl-linux-x86_64 1.2.5 outputs

Client Version: version.Info{Major:"1", Minor:"2", GitVersion:"v1.2.5", GitCommit:"25eb53b54e08877d3789455964b3e97bdd3f3bce", GitTreeState:"clean"}
Server Version: version.Info{Major:"1", Minor:"3", GitVersion:"v1.3.5", GitCommit:"b0deb2eb8f4037421077f77cb163dbb4c0a2a9f5", GitTreeState:"clean", BuildDate:"2016-08-11T20:21:58Z", GoVersion:"go1.6.2", Compiler:"gc", Platform:"linux/amd64"}

The gcloud and kubectl tooling has changed recently to use OAuth2 authentication instead of a client certificate, which causes the issue.

August 17, 2016

Kubernetes v1.3.5 is the default version for new clusters. gcloud changed the container/use_client_certificate property default value to false. This makes the gcloud container clusters create and gcloud container clusters get-credentials commands configure kubectl to use Google OAuth2 credentials by default instead of the legacy client certificate.

I can fix it on the newer version by reverting to client certificate authentication with these commands

gcloud config set container/use_client_certificate True
export CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True

My question is how can I get the OAuth2 authentication to work so I don't have to fall back to the client certificate authentication? I would have thought this would happen transparently and without errors.

2
kubernetesgoogle-kubernetes-engine

2 Answers

1
votes

Kubectl is configured to use Application Default Credentials to authenticate to the Kubernetes master. To specify the service account you want it to use, set GOOGLE_APPLICATION_CREDENTIALS to the location of your key file. So for you:

export GOOGLE_APPLICATION_CREDENTIALS=/var/go/.gcloud/***.json

Sorry it wasn't as transparent and frictionless as you (and we) hoped.

1
votes

As of last October 2016, you can use command gcloud container clusters get-credentials your-cluster-name to retrieve and set token from Google Cloud Platform.

To check whether the token is set for kubectl commands, issue command kubectl config view | grep access-token