Authenticate against GKE without installing gcloud

Introduction

In this post we’ll explain how to generate and use a ~/.kube/config for Kubernetes clusters running on GKE without having to install Google Cloud tools such as gcloud. Installing gcloud can be impractical on machines that run automation (CI/CD), or you may simply want to keep your Kubernetes tooling independent of a specific cloud provider.

First, let’s go over the regular workflow of a GKE user:

Authenticating with GKE

If you are adopting Google’s Kubernetes Engine (aka GKE) you will want to connect kubectl to your GKE-hosted Kubernetes cluster. Usually this is accomplished by pressing the “connect” button in the GKE portal, which brings up an instruction like the following:

[Screenshot: the GKE “connect” dialog showing the gcloud command to run]

For clarity, here is the shell command from that dialog:

$ gcloud container clusters get-credentials <cluster-name> --project <project-name>

This command generates a ~/.kube/config file with the credentials kubectl needs. However, it also means that:

  1. You must have gcloud installed on your machine.
  2. You must be authenticated with Google’s cloud first.
  3. You have to have a web browser available, i.e. the authentication is interactive.

Below is the complete sequence of commands you’ll have to use to generate ~/.kube/config with the gcloud tool:

# This will open a web browser and you'll authenticate with your email, password
# and the second factor (which you of course should be using)
$ gcloud auth login

# And now generate the kubeconfig:
$ gcloud container clusters get-credentials my-cluster --zone us-central1-a --project my-project

# Check if it works:
$ kubectl get nodes

If you did everything right, you should see the list of nodes in the cluster. Obviously this is not optimal for robots, CI/CD pipelines, etc.

Authenticating Without Google Cloud Tools

The setup above works quite well if you’re using it on a laptop which has a web browser installed and you are only using GKE Kubernetes clusters. However, many of our customers have expressed interest in using Kubernetes-native authentication which does not depend on Google’s proprietary tooling and does not require the user to interactively login via a web browser.

Fortunately, this is quite easy to do!

Here is what you need to do to authenticate non-interactively against GKE Kubernetes clusters without gcloud, relying only on the certificate authentication built into Kubernetes itself:

  1. First, obtain the GKE credentials using the workflow described above. You have to do this just once.
  2. Connect to the Kubernetes cluster and request a new certificate using the Kubernetes CSR API. We have a sample script you can use as a starting point (or as-is).

The resulting kubeconfig can be placed on CI/CD machines and used in any kind of infrastructure automation which requires kubectl.
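The two steps above carried through as an added example (it is not the post's sample script): a POSIX shell script that generates a key and CSR locally, submits the CSR through the Kubernetes CSR API, approves it, and writes a standalone kubeconfig. It assumes kubectl already works through the gcloud-generated kubeconfig, that openssl and GNU base64 are installed, and that the calling identity may approve CSRs; the names ci-bot, ci-readers and my-cluster are placeholders.

```shell
# Added example, not the post's sample script. Assumes kubectl already works via the
# gcloud kubeconfig (step 1), openssl/GNU base64 exist, and you may approve CSRs.
set -eu
# CSR manifest for a PEM CSR file: its CN becomes the Kubernetes user, each O a group.
csr_manifest() {  # csr_manifest <name> <csr-file>
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: $1
spec:
  request: $(base64 < "$2" | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  usages: ["client auth"]
EOF
}
# Standalone kubeconfig with CA, client cert and key embedded: no gcloud, no auth plugin.
kubeconfig() {  # kubeconfig <cluster> <server> <ca-file> <crt-file> <key-file> <user>
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: $1
  cluster:
    server: $2
    certificate-authority-data: $(base64 < "$3" | tr -d '\n')
users:
- name: $6
  user:
    client-certificate-data: $(base64 < "$4" | tr -d '\n')
    client-key-data: $(base64 < "$5" | tr -d '\n')
contexts:
- name: $6@$1
  context: {cluster: $1, user: $6}
current-context: $6@$1
EOF
}
# End to end: the private key is generated here and never leaves this machine.
request_client_cert() {  # request_client_cert <user> <group> <cluster>  (placeholder names)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "/CN=$1/O=$2" -out "$1.csr"
  csr_manifest "$1" "$1.csr" | kubectl apply -f -
  kubectl certificate approve "$1"
  until [ -n "$(kubectl get csr "$1" -o jsonpath='{.status.certificate}')" ]; do sleep 1; done
  kubectl get csr "$1" -o jsonpath='{.status.certificate}' | base64 -d > "$1.crt"
  # Reuse the API server address and CA from the existing gcloud-generated kubeconfig.
  server=$(kubectl config view --raw -o jsonpath='{.clusters[0].cluster.server}')
  kubectl config view --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d > ca.crt
  kubeconfig "$3" "$server" ca.crt "$1.crt" "$1.key" "$1" > "$1.kubeconfig"
}
```

Source the file and run request_client_cert ci-bot ci-readers my-cluster, then bind the user or group with RBAC before copying ci-bot.kubeconfig to the CI runner.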

The certificate returned by the CSR API does not have an expiration date and will keep working forever. If you wish to automatically rotate these certificates, you can implement your own tooling around this, or use Teleport, our infrastructure gateway which provides unified access to both SSH and Kubernetes clusters.

Update: we’ve been contacted via Twitter by a Google Engineer who has written a blog article for the very same scenario.

Instead of creating a new certificate, he uses a workstation where gcloud is present and creates a static kubeconfig which is then copied to the target system that will use it. You can find his article here.
