1
votes

I am trying to retrieve the cluster client certificate from a GKE cluster to authenticate with the Kubernetes API server. I am using the GKE API to retrieve cluster information, but the client certificate and client key are empty in the response. On further investigation, I found out that the client certificate is disabled by default in Google Kubernetes Engine in their latest version. Now, when I try to enable it from Cluster Settings, it says that

client certificate is immutable.

My question is how I can enable the client certificate for a GKE cluster.

1
Hello, I do believe that this setting is permanent in the cluster creation process (Create -> Security -> Issue a client certificate). You won't be able to change it afterwards. Have you considered the fact that this configuration is discouraged? - Dawid Kruk
Hi @DawidKruk, thanks for taking your time to answer my question. Can you please point out why this implementation is discouraged and what the alternative is in my use case. Thanks. - Jawad Tariq
Please take a look at this documentation: cloud.google.com/kubernetes-engine/docs/how-to/… regarding GKE authentication and why it's discouraged. - Dawid Kruk

1 Answer

1
votes

As per the gitlab: "Starting in 1.12, new clusters will not have a client certificate issued. You can manually enable (or disable) the issuance of the client certificate using the --[no-]issue-client-certificate flag. The clusters will have basic authentication and client certificate issuance disabled by default."

As per @Dawid, you can create a cluster with Client certificate > Enable using the command below, and after that, modification is not possible on that cluster.

gcloud container clusters create YOUR-CLUSTER --machine-type=custom-2-12288 --issue-client-certificate --zone us-central1-a

As a workaround, if you want to enable the client certificate on an existing cluster, you can clone (DUPLICATE) the cluster using the command line and add --issue-client-certificate at the end of the command, as follows:

gcloud beta container --project "xxxxxxxx" clusters create "high-mem-pool-clone-1" --zone "us-central1-f" --username "admin" --cluster-version "1.16.15-gke.6000" --release-channel "None" --machine-type "custom-2-12288" --image-type "COS" --disk-type "pd-standard" --disk-size "100" --metadata disable-legacy-endpoints=true --scopes "https://www.googleapis.com/auth/devstorage.read_only","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/monitoring","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management.readonly","https://www.googleapis.com/auth/trace.append" --num-nodes "3" --enable-stackdriver-kubernetes --no-enable-ip-alias --network "projects/xxxxxxx/global/networks/default" --subnetwork "projects/xxxxxxxx/regions/us-central1/subnetworks/default" --no-enable-master-authorized-networks --addons HorizontalPodAutoscaling,HttpLoadBalancing --enable-autoupgrade --enable-autorepair --max-surge-upgrade 1 --max-unavailable-upgrade 0 --issue-client-certificate
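Since the setting cannot be changed after creation, it is worth checking what a cluster actually returns before building authentication on the client certificate. The following is an added example, not code from the question or the answer: it inspects the `masterAuth` block of a GKE v1 API Cluster resource (the response the question mentions), reports whether certificate issuance is enabled and whether a certificate is present, and assembles a kubeconfig that always pins the cluster CA and falls back to token-based authentication when no certificate was issued. The two cluster objects are constructed sample data with placeholder PEM bodies; the `gke-gcloud-auth-plugin` exec entry used for the fallback is the credential plugin that `gcloud container clusters get-credentials` configures, which the page itself does not name.

```python
import base64
import json


def _b64(text: str) -> str:
    """Base64-encode a string the way the GKE API encodes PEM material."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample data: two Cluster resources in the shape returned by the GKE
# v1 API (projects.locations.clusters.get). The PEM bodies are placeholders, not
# real certificates. In a real response these fields are base64-encoded PEM.
CA_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n"
CLIENT_CERT_PEM = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CLIENT\n-----END CERTIFICATE-----\n"
CLIENT_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END RSA PRIVATE KEY-----\n"

# Cluster created with the default setting (issuance disabled): no client cert/key.
CLUSTER_NO_CERT = {
    "name": "example-default",
    "endpoint": "203.0.113.10",
    "masterAuth": {
        "clusterCaCertificate": _b64(CA_PEM),
        "clientCertificateConfig": {},
    },
}

# Cluster created with --issue-client-certificate.
CLUSTER_WITH_CERT = {
    "name": "example-with-cert",
    "endpoint": "203.0.113.11",
    "masterAuth": {
        "clusterCaCertificate": _b64(CA_PEM),
        "clientCertificate": _b64(CLIENT_CERT_PEM),
        "clientKey": _b64(CLIENT_KEY_PEM),
        "clientCertificateConfig": {"issueClientCertificate": True},
    },
}


def client_cert_status(cluster: dict) -> dict:
    """Report whether the cluster issues a client certificate and whether the
    response actually carries one. Checking this first avoids trying to flip a
    setting that GKE treats as immutable after creation."""
    auth = cluster.get("masterAuth", {})
    config = auth.get("clientCertificateConfig") or {}
    return {
        "issuance_enabled": bool(config.get("issueClientCertificate")),
        "cert_present": bool(auth.get("clientCertificate")) and bool(auth.get("clientKey")),
        "ca_present": bool(auth.get("clusterCaCertificate")),
    }


def build_kubeconfig(cluster: dict) -> dict:
    """Assemble a kubeconfig that pins the cluster CA and uses the client
    certificate only when the cluster really issued one. Otherwise the user
    entry delegates to the gke-gcloud-auth-plugin exec credential, i.e.
    token-based authentication as set up by `gcloud container clusters get-credentials`."""
    status = client_cert_status(cluster)
    if not status["ca_present"]:
        raise ValueError("response has no clusterCaCertificate; refusing to build an unverified kubeconfig")
    auth = cluster["masterAuth"]
    name = cluster["name"]
    if status["cert_present"]:
        # The API already returns base64 PEM, which is exactly what the *-data keys expect.
        user = {
            "client-certificate-data": auth["clientCertificate"],
            "client-key-data": auth["clientKey"],
        }
    else:
        user = {
            "exec": {
                "apiVersion": "client.authentication.k8s.io/v1beta1",
                "command": "gke-gcloud-auth-plugin",
                "provideClusterInfo": True,
            }
        }
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": name, "cluster": {
            "server": f"https://{cluster['endpoint']}",
            "certificate-authority-data": auth["clusterCaCertificate"],
        }}],
        "users": [{"name": name, "user": user}],
        "contexts": [{"name": name, "context": {"cluster": name, "user": name}}],
        "current-context": name,
    }


if __name__ == "__main__":
    for cluster in (CLUSTER_NO_CERT, CLUSTER_WITH_CERT):
        print(cluster["name"], client_cert_status(cluster))
        print(json.dumps(build_kubeconfig(cluster), indent=2))
```

The CA pin is made unconditional because an empty `clientCertificate` only removes one way of authenticating the client; it never justifies skipping verification of the API server. Feed the function the JSON from `gcloud container clusters describe CLUSTER --format=json` or the GKE API response to see which branch a real cluster takes.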