Authenticate against GKE without installing gcloud

Oct 3, 2018 by Emanuele Calo

Introduction

In this post we’ll explain how to generate and use a ~/.kube/config for Kubernetes clusters running on GKE without installing Google Cloud tooling such as gcloud. Installing gcloud can be impractical on machines that run automation (CI/CD pipelines, for example), or you may simply want to keep your Kubernetes tooling independent of any one cloud provider.

First, let’s go over the regular workflow of a GKE user:

Authenticating with GKE

If you are adopting Google’s Kubernetes Engine (aka GKE) you will want to connect kubectl to your GKE-hosted Kubernetes cluster. Usually this is accomplished by pressing the “connect” button in the GKE console, which brings up an instruction like the following:

[Screenshot: the GKE “connect” dialog showing the gcloud command]

Here is the shell command from that dialog, copied out for clarity:

$ gcloud container clusters get-credentials <cluster-name> --project <project-name>

This generates a ~/.kube/config file with the credentials kubectl needs. However, it also means that:

  1. You must have gcloud installed on your machine.
  2. You must be authenticated with Google Cloud first.
  3. You need a web browser available, because that authentication is interactive.

Below is the complete sequence of commands you’ll have to use to generate ~/.kube/config with the gcloud tool:

# This will open a web browser and you'll authenticate with your email, password
# and the second factor (which you of course should be using)
$ gcloud auth login

# And now generate the kubeconfig:
$ gcloud container clusters get-credentials my-cluster --zone us-central1-a --project my-project

# Check if it works:
$ kubectl get nodes

If you did everything right, you should see the list of nodes in the cluster. Obviously this is not optimal for robots, CI/CD pipelines, and the like.

Authenticating Without Google Cloud Tools

The setup above works quite well if you’re using it on a laptop which has a web browser installed and you are only using GKE Kubernetes clusters. However, many of our customers have expressed interest in using Kubernetes-native authentication which does not depend on Google’s proprietary tooling and does not require the user to interactively login via a web browser.

Fortunately, this is quite easy to do!

Here is what you need to do to authenticate non-interactively against GKE Kubernetes clusters, using the client certificate authentication built into Kubernetes itself:

  1. First, obtain the GKE credentials using the workflow described above. You only have to do this once, and only on a machine where you can log in interactively.
  2. Connect to the Kubernetes cluster with those credentials and request a new client certificate through the Kubernetes CSR API. We have a sample script which you can use as a starting point (or as-is).

The resulting kubeconfig can be placed on CI/CD machines and used in any kind of infrastructure automation which requires kubectl.
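As an added example (it is not the sample script the post refers to, nor any other code from the post), here is how those two steps look end to end with openssl and kubectl. It assumes the gcloud-generated kubeconfig is your current context, a Kubernetes 1.19+ API server that serves certificates.k8s.io/v1, and a controller manager that signs the kubernetes.io/kube-apiserver-client signer as stock kube-controller-manager does; on clusters from the era of this post the same object lived under certificates.k8s.io/v1beta1 and had no signerName field. The user name ci-deployer, the group ci-deployers and the cluster name gke are hypothetical, and GNU base64 is assumed.

```shell
#!/usr/bin/env bash
# Added example (not the post's script): mint a client certificate for a CI
# identity through the Kubernetes CSR API and package it as a kubeconfig.
# Assumes: bash, openssl, GNU base64, kubectl already pointed at the cluster
# via the gcloud-generated kubeconfig, and a Kubernetes 1.19+ API server
# (certificates.k8s.io/v1). The user/group/cluster names are hypothetical.
set -eu

# Generate a private key and a CSR. Kubernetes maps the certificate's CN to
# the username and each O to a group, so RBAC can bind to either.
gen_csr() {            # gen_csr <user> <group> <outdir>
  local user=$1 group=$2 dir=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=${user}/O=${group}" \
    -keyout "${dir}/${user}.key" -out "${dir}/${user}.csr" 2>/dev/null
}

# Render the CertificateSigningRequest object. spec.request is the CSR PEM,
# base64 encoded on a single line; "client auth" must be among the usages
# for the kube-apiserver-client signer to accept it.
csr_manifest() {       # csr_manifest <name> <csr-file>
  local name=$1 csr=$2
  cat <<EOF
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: ${name}
spec:
  signerName: kubernetes.io/kube-apiserver-client
  request: $(base64 < "${csr}" | tr -d '\n')
  usages:
  - digital signature
  - key encipherment
  - client auth
EOF
}

# Submit the CSR, approve it (this needs the admin rights your gcloud
# credentials carry), then wait for the signer to fill status.certificate.
issue_cert() {         # issue_cert <user> <outdir>
  local user=$1 dir=$2 cert=""
  csr_manifest "${user}" "${dir}/${user}.csr" | kubectl create -f -
  kubectl certificate approve "${user}"
  until cert=$(kubectl get csr "${user}" -o jsonpath='{.status.certificate}') \
        && [ -n "${cert}" ]; do sleep 1; done
  printf '%s' "${cert}" | base64 -d > "${dir}/${user}.crt"
}

# Write a self-contained kubeconfig: CA, client cert and key are embedded as
# base64 so a single file can be shipped to a CI runner.
write_kubeconfig() {   # write_kubeconfig <cluster> <server-url> <ca> <crt> <key> <user>
  local cluster=$1 server=$2 ca=$3 crt=$4 key=$5 user=$6
  cat <<EOF
apiVersion: v1
kind: Config
clusters:
- name: ${cluster}
  cluster:
    server: ${server}
    certificate-authority-data: $(base64 < "${ca}" | tr -d '\n')
users:
- name: ${user}
  user:
    client-certificate-data: $(base64 < "${crt}" | tr -d '\n')
    client-key-data: $(base64 < "${key}" | tr -d '\n')
contexts:
- name: ${user}@${cluster}
  context:
    cluster: ${cluster}
    user: ${user}
current-context: ${user}@${cluster}
EOF
}

# End-to-end run against the cluster your current context points at; the
# API endpoint and CA are copied out of that (gcloud-generated) context.
main() {
  local user=${USER_NAME:-ci-deployer} group=${GROUP_NAME:-ci-deployers} dir=${1:-.}
  local server
  gen_csr "${user}" "${group}" "${dir}"
  issue_cert "${user}" "${dir}"
  server=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.server}')
  kubectl config view --minify --raw \
    -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' \
    | base64 -d > "${dir}/ca.crt"
  write_kubeconfig gke "${server}" "${dir}/ca.crt" "${dir}/${user}.crt" \
    "${dir}/${user}.key" "${user}" > "${dir}/kubeconfig"
  # Smoke test the new identity; expect "no" until you add an RBAC binding.
  KUBECONFIG="${dir}/kubeconfig" kubectl auth can-i list pods || true
}

if [ "${1:-}" = "--run" ]; then main "${2:-.}"; fi
```

Save it under any name and run it as `bash <script> --run ./out` while the gcloud-generated context is active; the files in `./out` (key, CSR, signed certificate, kubeconfig) are what you copy to the CI machine. The certificate only establishes identity: grant the user or group rights with a RoleBinding or ClusterRoleBinding before the final `kubectl auth can-i` answers yes, and prefer binding to the group so you can issue further certificates without touching RBAC. Keep the private key off the cluster and out of version control; Kubernetes has no certificate revocation, so a leaked kubeconfig stays valid until the certificate expires or the cluster CA is rotated.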

The certificate returned by the CSR API is valid for whatever period the cluster’s signer grants (kube-controller-manager’s --cluster-signing-duration, one year by default), and Kubernetes has no certificate revocation, so a leaked kubeconfig stays usable until that date. If you wish to rotate these certificates automatically and on a shorter cycle, you can implement your own tooling around this, or use Teleport, our infrastructure gateway which provides unified access to both SSH and Kubernetes clusters.
