How to get access to GKE with a service account key
Posted on December 15, 2021 • 1 minute • 213 words
Preface:
One day a colleague asked me: "How do I set up GKE cluster access for kubectl?"
I replied: "Where do you want to operate the cluster from with kubectl?"
He said: "The project contracted him to develop an API and containerize it; it is deployed to GKE through a GitLab pipeline, but all he has is the cert key used for the Runner server."
I asked: "How does the pipeline's deploy job deploy the service's Deployment?"
He replied: "Can't see it, the script is hidden, but he wants to check the service's running status locally with kubectl."
I said: "OK, let me look into how that can be done."
So I wrote the process down.
- First I obtained the service account key. Its contents look roughly like the file below (private key redacted). `cicd-sa@project-id.iam.gserviceaccount.com` is the service account's email and `project-id` is the project the service account belongs to. Keep in mind that this is the same long-lived key the pipeline deploys with: every copy on a laptop is one more place it can be stolen from, so keep the file mode 600 and revoke the local copy with `gcloud auth revoke` when you are done.
```shell
$ cat sa-cert.json
{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "1234567889xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "private_key": "-----BEGIN PRIVATE KEY-----\n...redacted...\n-----END PRIVATE KEY-----\n",
  "client_email": "cicd-sa@project-id.iam.gserviceaccount.com",
  "client_id": "00000000000000000000",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cicd-sa%40project-id.iam.gserviceaccount.com"
}
```
- Next I ran `gcloud auth activate-service-account` with `sa-cert.json` to initialize auth. If it returns without an error, the account is set up. If it fails, check that `sa-cert.json` is intact (the `private_key` value must be a single JSON string with `\n` escapes, which is easy to break when the file is pasted around), and check the local computer's clock: gcloud uses the key to sign a short-lived JWT, and a skewed clock makes the token endpoint reject it as `invalid_grant`. Note that this also makes the service account the active account for every subsequent `gcloud` command until you switch back with `gcloud config set account`.
```shell
$ gcloud auth activate-service-account --key-file=sa-cert.json
# Activated service account credentials for cicd-sa@project-id.iam.gserviceaccount.com
```
- You can confirm it worked with `gcloud auth list`; the `*` marks the active account, which is now the service account rather than your own user.
```shell
$ gcloud auth list
      Credentialed Accounts
ACTIVE  ACCOUNT
        your-account@mail.com
*       cicd-sa@project-id.iam.gserviceaccount.com

To set the active account, run:
    $ gcloud config set account `ACCOUNT`
```
- Next I ran `gcloud container clusters get-credentials` with the cluster name to get kubectl access. This writes a cluster, user and context entry into `~/.kube/config` whose credential is the active gcloud account. Use `--region` for a regional cluster and `--zone` for a zonal one. Two separate permission layers have to agree for this to be useful: the service account needs an IAM role on the project that includes `container.clusters.get` (for example `roles/container.viewer`) for this step to succeed, and Kubernetes RBAC inside the cluster then decides what `kubectl` is allowed to do.
```shell
$ gcloud container clusters get-credentials GKE_CLUSTER_NAME --region GKE_CLUSTER_REGION --project PROJECT_ID
# Fetching cluster endpoint and auth data.   <- this message means it succeeded
```
- Finally I used `kubectl get pods` to check the pod status.
```shell
$ kubectl get pods
NAME                    READY   STATUS    RESTARTS   AGE
app-1-7d5cdf64f-4dgbg   1/1     Running   0          10m
```
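The four steps above as one script, added here as an example and not code from the original post: it validates the key file before touching gcloud (catching a user credential or CI token passed by mistake, a key truncated while copying, and a world-readable key file), picks `--zone` or `--region` from the location name, and proves with `kubectl auth can-i` that the service account's RBAC actually allows reading pods before anyone relies on it. The helper names, the `GKE_*` environment variables and the sample key are this example's own assumptions; the sample key contains dummy values and no real private key.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): service account key -> gcloud
# -> kubectl, with the checks a practitioner wants. Helper names, the GKE_*
# environment variables and the sample key below are assumptions for
# illustration only.
set -eu

# Read one top-level string field from a service account key file. The file
# is flat JSON with one field per line, so a sed substitution is enough and
# no jq dependency is needed.
sa_key_field() {            # $1 = key file, $2 = field name
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1"
}

# Check that a file is a usable Google service account key and print its
# client_email. Fails (non-zero, reason on stderr) on anything else.
sa_key_check() {
  local key="$1" email
  [ -r "$key" ] || { echo "key file not readable: $key" >&2; return 1; }
  [ "$(sa_key_field "$key" type)" = "service_account" ] \
    || { echo "not a service_account key (user credential or CI token?): $key" >&2; return 1; }
  # Both PEM markers must sit on the same JSON line; a paste that broke the
  # string across lines fails here instead of at the token endpoint.
  grep -q -- '-----BEGIN PRIVATE KEY-----.*-----END PRIVATE KEY-----' "$key" \
    || { echo "private_key missing or split across lines: $key" >&2; return 1; }
  email="$(sa_key_field "$key" client_email)"
  case "$email" in
    *@*.iam.gserviceaccount.com) ;;
    *) echo "unexpected client_email '$email'" >&2; return 1 ;;
  esac
  # A key file is a long-lived credential: group/other read bits are a bug.
  [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] \
    || echo "warning: $key is readable by group/others, run: chmod 600 $key" >&2
  printf '%s\n' "$email"
}

# gcloud needs --zone for a zonal cluster (asia-east1-a) and --region for a
# regional one (asia-east1); tell them apart by the number of dashes.
gke_location_flag() {       # $1 = location
  case "$1" in
    *-*-*) echo "--zone" ;;
    *-*)   echo "--region" ;;
    *)     echo "unrecognised location '$1'" >&2; return 1 ;;
  esac
}

# Activate the key, write the kubeconfig entry, and prove the account can
# read pods (kubectl auth can-i exits non-zero on "no") before using it.
gke_login() {               # $1 key file, $2 cluster, $3 location, $4 project
  local key="$1" cluster="$2" location="$3" project="$4" email flag
  email="$(sa_key_check "$key")"
  flag="$(gke_location_flag "$location")"
  gcloud auth activate-service-account "$email" --key-file="$key"
  gcloud container clusters get-credentials "$cluster" "$flag=$location" --project="$project"
  kubectl auth can-i get pods --namespace "${NAMESPACE:-default}"
  kubectl get pods --namespace "${NAMESPACE:-default}"
}

# Undo: drop the cached SA credential and switch gcloud back to your user.
gke_logout() {              # $1 = SA email, $2 = your own account
  gcloud auth revoke "$1"
  gcloud config set account "$2"
}

# Constructed sample key in the shape of the post's sa-cert.json (dummy
# values, no real key) so the checks can be exercised offline.
make_sample_key() {
  local f
  f="$(mktemp)"
  cat > "$f" <<'EOF'
{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "1234567889xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "private_key": "-----BEGIN PRIVATE KEY-----\nxxxx\n-----END PRIVATE KEY-----\n",
  "client_email": "cicd-sa@project-id.iam.gserviceaccount.com",
  "client_id": "00000000000000000000",
  "token_uri": "https://oauth2.googleapis.com/token"
}
EOF
  chmod 600 "$f"
  printf '%s\n' "$f"
}

# Real login only when invoked with "run", e.g.
#   GKE_KEY_FILE=sa-cert.json GKE_CLUSTER=my-cluster GKE_LOCATION=asia-east1 \
#   GKE_PROJECT=project-id ./gke-sa-login.sh run
if [ "${1:-}" = "run" ]; then
  gke_login "$GKE_KEY_FILE" "$GKE_CLUSTER" "$GKE_LOCATION" "$GKE_PROJECT"
fi
```

`kubectl auth can-i` answers only the RBAC question; if `get-credentials` itself fails with a permission error, the missing piece is the IAM role on the project, not RBAC. For a colleague who only needs to look at pod status, a separate service account with `roles/container.viewer` is the safer thing to hand out than the pipeline's deploy key.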
References:
- https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-access-for-kubectl
- https://stackoverflow.com/questions/42379685/can-i-automate-google-cloud-sdk-gcloud-init-interactive-command
December 15, 2021, Neil Kuan