0
votes

I am using the k8s Go client (https://github.com/kubernetes/client-go) to create jobs on a GKE cluster (the code is running inside a pod). But I am getting this error:

{
  "error": "2 UNKNOWN: jobs.batch is forbidden: User \"system:serviceaccount:default:default\" cannot create resource \"jobs\" in API group \"batch\" in the namespace \"default\""
}

Looks like I am using system:serviceaccount:default:default, but how can I use a GCP IAM account instead?

I have already set up GOOGLE_APPLICATION_CREDENTIALS following https://cloud.google.com/kubernetes-engine/docs/tutorials/authenticating-to-cloud-platform. But it looks like it only works with the GCP client, not with the k8s client.

1
At first glance it looks like your serviceaccount doesn't have permissions to create a job. Did you create any RBAC ClusterRole and ClusterRoleBinding? Could you share your job YAML? What Kubernetes version are you using? Also, are you using Google Kubernetes Engine, or are you using Google Compute Engine with a cluster created using Minikube or Kubeadm? - PjoterS

1 Answer

0
votes

You probably want to use the gcpAuthProvider plugin when creating the auth client.
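
The error in the question is a Kubernetes RBAC denial for the pod's service account, which is what the comment's ClusterRole/ClusterRoleBinding question points at. As an added example (not part of the original question or answer), here is a namespaced Role and RoleBinding that let a dedicated service account manage jobs and nothing else; the names `job-creator` and `job-creator-binding` are assumptions.

```yaml
# Added example. The names job-creator and job-creator-binding are
# assumptions for illustration; the namespace and the batch/jobs
# resource come from the error message in the question.

# Dedicated identity, so nothing is granted to the shared "default"
# service account that every pod in the namespace receives.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: job-creator
  namespace: default
---
# Namespaced Role rather than a ClusterRole: the permission applies
# only inside the "default" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: job-creator
  namespace: default
rules:
  - apiGroups: ["batch"]        # API group named in the error
    resources: ["jobs"]         # resource named in the error
    verbs: ["create", "get", "list", "watch"]
---
# Bind the Role to the dedicated service account only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: job-creator-binding
  namespace: default
subjects:
  - kind: ServiceAccount
    name: job-creator
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: job-creator
```

The pod running the client-go code then needs `serviceAccountName: job-creator` in its spec. The grant can be checked with `kubectl auth can-i create jobs.batch --as=system:serviceaccount:default:job-creator -n default`.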