Connect to GKE
GKE cluster authentication requires more than just a kubeconfig; it also needs a service account configured.
See ghcr.io/getporter/examples/gke for a full working example bundle.
- Define credentials in porter.yaml for the kubeconfig and service account:

    credentials:
      - name: kubeconfig
        path: /home/nonroot/.kube/config
      - name: google-service-account
        path: /home/nonroot/google-service-account.json

- Define an environment variable, GOOGLE_APPLICATION_CREDENTIALS, that contains the path to the service account file, /home/nonroot/google-service-account.json. This can be accomplished via one of the methods below. The first method is recommended over using a parameter. Using parameters to define environment variables is a hack provided only for the purpose of this example.
  - Add the following line to your Custom Dockerfile:

      ENV GOOGLE_APPLICATION_CREDENTIALS=/home/nonroot/google-service-account.json

  - Add a parameter to porter.yaml:

      parameters:
        - name: google-app-creds
          env: GOOGLE_APPLICATION_CREDENTIALS
          default: /home/nonroot/google-service-account.json

Generate a kubeconfig
- You must have gcloud installed locally and be authenticated.
- Define the following environment variables:

    CLUSTER="REPLACE_WITH_YOUR_CLUSTER_NAME"
    ZONE="REPLACE_WITH_YOUR_CLUSTER_ZONE"
    PROJECT="REPLACE_WITH_YOUR_GOOGLE_PROJECT"
    GET_CMD="gcloud container clusters describe $CLUSTER --zone=$ZONE --project=$PROJECT"

- Run the following command to create a kubeconfig for your GKE cluster:

    cat > kubeconfig.yaml <<EOF
    apiVersion: v1
    kind: Config
    current-context: my-cluster
    contexts: [{name: my-cluster, context: {cluster: cluster-1, user: user-1}}]
    users: [{name: user-1, user: {auth-provider: {name: gcp}}}]
    clusters:
    - name: cluster-1
      cluster:
        server: "https://$(eval "$GET_CMD --format='value(endpoint)'")"
        certificate-authority-data: "$(eval "$GET_CMD --format='value(masterAuth.clusterCaCertificate)'")"
    EOF

- Move the kubeconfig.yaml to a location where you would like to keep it, for example $HOME/.kube/my-gke-cluster.yaml.

This file contains your master’s IP address and the cluster’s CA certificate but does not contain enough information to authenticate to the cluster.
Create a service account
- Create a service account.
- Assign the account access to GKE, such as Kubernetes Engine Developer.
- Create a service account key file, e.g. service-account.json, and save the file locally.
This is a sensitive file that contains enough information to perform actions against your Google account. Keep it safe. 🔐
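
The three steps above as gcloud commands, followed by a check that the resulting file is a service-account key readable only by its owner. This is an added example, not part of the Porter documentation: the account name porter-gke, the key file name and the function names are assumptions, and roles/container.developer is the role ID for Kubernetes Engine Developer.

```shell
#!/bin/sh
# Added example. porter-gke and service-account.json are placeholder names.

# Refuse a key file that is not a service-account key or that others can read.
check_sa_key() {
  key=$1
  [ -f "$key" ] || { echo "missing: $key" >&2; return 1; }
  grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key" ||
    { echo "$key is not a service-account key" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key") || return 1
  case $mode in
    600|400) return 0 ;;
    *) echo "$key has mode $mode; run: chmod 600 $key" >&2; return 1 ;;
  esac
}

# Create the account, grant it Kubernetes Engine Developer, and write a key file.
create_sa_key() {
  project=$1 sa_name=$2 key=$3
  sa_email="${sa_name}@${project}.iam.gserviceaccount.com"
  gcloud iam service-accounts create "$sa_name" --project "$project" || return 1
  gcloud projects add-iam-policy-binding "$project" \
    --member "serviceAccount:${sa_email}" \
    --role roles/container.developer || return 1
  # umask 077 in a subshell so the key is created without group/other access.
  ( umask 077 && gcloud iam service-accounts keys create "$key" \
      --iam-account "$sa_email" --project "$project" ) || return 1
  check_sa_key "$key"
}

# Usage: ./gke-sa-key.sh PROJECT [SA_NAME] [KEY_FILE]; does nothing without arguments.
if [ "$#" -ge 1 ]; then
  create_sa_key "$1" "${2:-porter-gke}" "${3:-service-account.json}"
fi
```

check_sa_key can also be run on its own against an existing key file before it is passed to Porter as the google-service-account credential.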
A big thanks to https://ahmet.im/blog/authenticating-to-gke-without-gcloud/ for helping us figure out how to authenticate to GKE properly! 🙇♀️