Connect to GKE

GKE cluster authentication requires more than just a kubeconfig; it also needs a service account configured.

See for a full working example bundle.

  1. Generate a kubeconfig.

  2. Create a service account.

  3. Define credentials in porter.yaml for the kubeconfig and service account:

      credentials:
        - name: kubeconfig
          path: /home/nonroot/.kube/config
        - name: google-service-account
          path: /home/nonroot/google-service-account.json

  4. Define an environment variable, GOOGLE_APPLICATION_CREDENTIALS, that contains the path to the service account file, /home/nonroot/google-service-account.json.

    This can be accomplished via one of the methods below. The first method is recommended over using a parameter. Using parameters to define environment variables is a hack provided only for the purpose of this example.

    • Add the following line to your Custom Dockerfile:

      ENV GOOGLE_APPLICATION_CREDENTIALS=/home/nonroot/google-service-account.json
    • Add a parameter to porter.yaml (the env field names the environment variable the parameter is written to inside the bundle):

        parameters:
          - name: google-app-creds
            default: /home/nonroot/google-service-account.json
            env: GOOGLE_APPLICATION_CREDENTIALS

Generate a kubeconfig

  1. You must have gcloud installed locally, and be authenticated.

  2. Define the following environment variables (replace the placeholder values with your own cluster name, zone and project id):

    CLUSTER=<your-cluster-name>
    ZONE=<your-cluster-zone>
    PROJECT=<your-gcp-project-id>
    GET_CMD="gcloud container clusters describe $CLUSTER --zone=$ZONE --project=$PROJECT"

  3. Run the following command to create a kubeconfig for your GKE cluster (the endpoint and CA certificate are filled in from the gcloud output):

    cat > kubeconfig.yaml <<EOF
    apiVersion: v1
    kind: Config
    current-context: my-cluster
    contexts: [{name: my-cluster, context: {cluster: cluster-1, user: user-1}}]
    users: [{name: user-1, user: {auth-provider: {name: gcp}}}]
    clusters:
    - name: cluster-1
      cluster:
        server: "https://$(eval "$GET_CMD --format='value(endpoint)'")"
        certificate-authority-data: "$(eval "$GET_CMD --format='value(masterAuth.clusterCaCertificate)'")"
    EOF

  4. Move the kubeconfig.yaml to a location where you would like to keep it, for example $HOME/.kube/my-gke-cluster.yaml.

This file contains your master’s IP address and the cluster’s CA certificate, but it does not contain enough information to authenticate to the cluster.
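The same kubeconfig assembly, written as shell functions so the generated file can be checked before it is handed to a bundle. This is an added example, not code from the Porter docs; the function names (write_gke_kubeconfig, check_gke_kubeconfig, gke_kubeconfig_from_gcloud) are this example's own, and the only real command it relies on is the gcloud describe call shown above. The check catches the quiet failure where an empty gcloud result leaves `server: "https://"` or an empty CA field in the file.

```shell
#!/bin/sh
# Added example, not part of the Porter docs: build the GKE kubeconfig from
# values already fetched with gcloud, then sanity-check the result. The
# function names used here are this example's own.

# write_gke_kubeconfig OUTFILE CONTEXT ENDPOINT CA_DATA
#   ENDPOINT is the cluster endpoint and CA_DATA the base64-encoded cluster
#   CA certificate (the 'endpoint' and 'masterAuth.clusterCaCertificate'
#   fields of `gcloud container clusters describe`).
write_gke_kubeconfig() {
  out=$1; ctx=$2; endpoint=$3; ca=$4
  cat > "$out" <<EOF
apiVersion: v1
kind: Config
current-context: $ctx
contexts:
- name: $ctx
  context: {cluster: cluster-1, user: user-1}
users:
- name: user-1
  user: {auth-provider: {name: gcp}}
clusters:
- name: cluster-1
  cluster:
    server: "https://$endpoint"
    certificate-authority-data: "$ca"
EOF
}

# check_gke_kubeconfig FILE
#   Returns 0 when FILE points at a non-empty https endpoint and its CA data
#   decodes to a PEM certificate; returns 1 with a reason on stderr otherwise.
check_gke_kubeconfig() {
  f=$1
  grep -q '^    server: "https://[^"][^"]*"$' "$f" \
    || { echo "check: no https server in $f" >&2; return 1; }
  ca=$(sed -n 's/^    certificate-authority-data: "\(.*\)"$/\1/p' "$f")
  [ -n "$ca" ] \
    || { echo "check: no certificate-authority-data in $f" >&2; return 1; }
  printf '%s' "$ca" | base64 -d 2>/dev/null | grep -q 'BEGIN CERTIFICATE' \
    || { echo "check: CA data is not a base64-encoded PEM certificate" >&2; return 1; }
  return 0
}

# gke_kubeconfig_from_gcloud CLUSTER ZONE PROJECT OUTFILE
#   Looks the values up with gcloud (needs an authenticated gcloud; not run
#   in the offline test) and writes the checked kubeconfig to OUTFILE.
gke_kubeconfig_from_gcloud() {
  cluster=$1; zone=$2; project=$3; out=$4
  endpoint=$(gcloud container clusters describe "$cluster" --zone="$zone" \
    --project="$project" --format='value(endpoint)')
  ca=$(gcloud container clusters describe "$cluster" --zone="$zone" \
    --project="$project" --format='value(masterAuth.clusterCaCertificate)')
  write_gke_kubeconfig "$out" "$cluster" "$endpoint" "$ca"
  check_gke_kubeconfig "$out"
}
```

Usage: `gke_kubeconfig_from_gcloud my-cluster us-central1-a my-project "$HOME/.kube/my-gke-cluster.yaml"`; a non-zero exit with a `check:` message on stderr means the file should not be used as a bundle credential yet.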

Create a service account

  1. Create a service account.
  2. Assign the account access to GKE, such as Kubernetes Engine Developer.
  3. Create a service account key file, e.g. service-account.json, and save the file locally.

This is a sensitive file that contains enough information to perform actions against your Google account. Keep it safe. 🔐
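A small local check that the key file you are about to hand to a bundle is a service-account key and is not readable by other users on the machine. This is an added example, not code from the Porter docs; the function name check_sa_key is this example's own, and the JSON fields it looks for (`type`, `private_key`) are the ones Google writes into a downloaded service-account key.

```shell
#!/bin/sh
# Added example, not part of the Porter docs: verify a Google service-account
# key file before using it as a bundle credential. The function name
# check_sa_key is this example's own.

# check_sa_key FILE
#   Returns 0 when FILE is a service-account key (JSON with
#   "type": "service_account" and a private_key) whose mode is 600 or 400;
#   returns 1 with the reason on stderr otherwise.
check_sa_key() {
  f=$1
  [ -f "$f" ] || { echo "check: $f does not exist" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as the fallback
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "check: mode $mode on $f is too open, expected 600 (chmod 600 '$f')" >&2
       return 1 ;;
  esac
  grep -q '"type": *"service_account"' "$f" \
    || { echo "check: $f is not a service_account key (wrong \"type\")" >&2; return 1; }
  grep -q '"private_key": *"-----BEGIN' "$f" \
    || { echo "check: $f carries no private key" >&2; return 1; }
  return 0
}
```

Usage: `check_sa_key "$HOME/service-account.json" && porter credentials generate ...`; the check deliberately rejects a 644 file rather than fixing it, so the decision to tighten permissions stays with you.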

A big thanks to for helping us figure out how to authenticate to GKE properly! 🙇‍♀️