5

We have a system designed to manage a large number of Kubernetes clusters housed in external customer accounts simultaneously. This system currently works by having the kubeconfig stored in a database that is queried at runtime, and then passed into the golang kube-client constructor like so:

clientcmd.NewClientConfigFromBytes([]byte(kubeConfigFromDB))

For clusters using basic auth, this "just works".

For EKS clusters, this works as long as both the aws-iam-authenticator is installed on the machine that is running the golang code such that the kube-client can call out to it for authentication, and correct API_AWS_ACCESS_KEY_ID and API_AWS_SECRET_ACCESS_KEY are set within the kubeconfig's user.exec.env key.

For GKE clusters, it's not clear what the best practice way of achieving this is, and I have not been able to get it to work yet despite trying a handful of different operations detailed below. The standard practice for generating a kubeconfig for a GKE cluster is very similar to EKS (detailed here https://cloud.google.com/kubernetes-engine/docs/how-to/cluster-access-for-kubectl?authuser=1#generate_kubeconfig_entry) which uses gcloud config config-helper to generate the authentication credentials.

One idea is to use the GOOGLE_APPLICATION_CREDENTIALS environment variable, however the problem with this is that it is global and thus we cannot have our system simultaneously talk to many remote GKE clusters because each needs a unique set of google credentials to authenticate.

My second idea was to use the --impersonate-service-account flag provided to gcloud config config-helper, however it crashes when I run it with the following error:

$ gcloud config config-helper --format=json --impersonate-service-account=acct-with-gke-access@myorg.iam.gserviceaccount.com --project myproject
WARNING: This command is using service account impersonation. All API calls will be executed as [acct-with-gke-access@myorg.iam.gserviceaccount.com].
ERROR: gcloud crashed (AttributeError): 'unicode' object has no attribute 'utcnow'

My final idea is quite complicated. I would get the google-credentials-JSON and put it in the kubeconfig like so:

  user:
    auth-provider:
      config:
        credentials: "<google-credentials-JSON>"
      name: my-custom-forked-gcp

And I would create my own copy of https://github.com/kubernetes/client-go/blob/master/plugin/pkg/client/auth/gcp/gcp.go#L156 and replace line 156 

ts, err := google.DefaultTokenSource(context.Background(), scopes...)

with 

ts, err := tokenSourceFromJSON(context.Background(),  gcpConfig["credentials"], scopes...)

Where tokenSourceFromJSON is a new method that I add that looks like this:

func tokenSourceFromJSON(ctx context.Context, jsonData string, scopes ...string) (oauth2.TokenSource, error) {
  creds, err := google.CredentialsFromJSON(ctx, []byte(jsonData), scopes...)
  if err != nil {
    return nil, err
  }
  return creds.TokenSource, nil
}

This last idea will probably work (hopefully! I'm working on it now) but it seems like a very complicated solution to a simple problem: to provide the google-credentials-JSON at runtime to the golang kubernetes client to authenticate using those credentials. Is there an easier way?

Ben Sussman
  • 981
  • 8
  • 10
  • The idea of supplying credentials via GOOGLE_APPLICATION_CREDENTIALS environment variable, directly in kubernetes-client code works fine as @Rico mentioned, please check here an example with python client: https://stackoverflow.com/a/55747097/10347794 https://stackoverflow.com/a/55747097/10347794 – Nepomucen Apr 26 '19 at 08:12
  • 1
    Thanks @Nepomucen, but you must have missed in my question: "the problem with this is that it is global and thus we cannot have our system simultaneously talk to many remote GKE clusters". We use goroutines to have our go application parallelize much of these operations, and it's not a good tradeoff to break up our app into an independent go process for each distinct kubernetes cluster. – Ben Sussman Apr 26 '19 at 15:53

1 Answers1

2

One idea is to use the GOOGLE_APPLICATION_CREDENTIALS environment variable, however, the problem with this is that it is global and thus we cannot have our system simultaneously talk to many remote GKE clusters because each needs a unique set of Google credentials to authenticate.

You can override your env variable for the specific shell that is running your go program with something like:

os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", value)

My second idea was to use the --impersonate-service-account flag provided to gcloud config config-helper

Looks like a bug in the python code of the gcloud app. As described here utcnow is only applicable to datetime.datetime object. You could check if that module works in python shell in your system.

My final idea is quite complicated.

Seems like this would work as long as the value of credentials: "<google-credentials-JSON>" doesn't change between different sessions to the GCP API (The credentials value might have an expiration)

Note: PR for the final idea.

Rico
  • 58,485
  • 12
  • 111
  • 141
  • 1
    Setting the environment variable doesn't help me, as my go program is constantly interacting with many distinct Kubernentes clusters simultaneously. I will investigate the `utcnow` bug. Not sure what you mean by "change for different sessions", our go code will constantly maintain many connections to many distinct Kubernetes clusters simultaneously, but the GCP-IAM role with permission to each respective cluster won't change. If your answer is "yes, the complicated answer will work and there is no other better way", that is a huge bummer. I'm hoping there is a better way. – Ben Sussman Apr 26 '19 at 15:30
  • Added more details. For the session I updated the answer, I believe the value of the credentials might expire. – Rico Apr 26 '19 at 16:58
  • 2
    Thanks @Rico I made a PR for my "final idea" which I have tested and works! https://github.com/kubernetes/kubernetes/pull/77223 It allows users to specify a `service-acct` key when using the `auth-provider` `gcp`, that when specified expects the Service Account Credentials JSON and uses those to generate auth tokens. This can be used to solve the problem in this question: you can pass in different Service Account Credentals JSON for different kube-configs and simultaneously connect to many different kube clusters in the same golang process. – Ben Sussman Apr 29 '19 at 20:35
  • Sweet, that's great to hear! – Rico Apr 29 '19 at 20:51