
Suppose I want to do operations on Kubernetes objects from a client-side web app. The app logs the user into Google using OAuth2 and obtains cloud-platform auth scope. Now the app can call Google Cloud APIs such as GKE APIs. The app can now enumerate the GKE clusters: https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters/list

What I do not understand is how to call the Kubernetes APIs now. I need to connect to the master, authenticate and use Kubernetes' REST APIs. So, I have the following questions:

  1. How do I connect to the master? How do I get the address?
  2. How do I authenticate with the master?

I've researched and I think I can get the master endpoint by calling the https://container.googleapis.com/v1/projects/XXX/locations/us-central1-a/clusters API and taking the endpoint attribute. The master authorization information seems to be in masterAuth. I need the token though...

I've tried to connect to the master with the known-good token, but the browser's fetch function rejects my request with ERR_CERT_AUTHORITY_INVALID.

          // Error: net::ERR_CERT_AUTHORITY_INVALID
          const response = await fetch(
            "https://IP/api/v1/pods/",
            {
              headers: new Headers({
                "Authorization": "Bearer <token>",
                "Content-Type": "application/json; charset=utf-8"
              }),
            }
          );

I'm able to get the Certificate Authority information from the MasterAuth, but I do not know how to use it to make an HTTP GET call.

So, the most pressing part of my question is: Given the master endpoint API and MasterAuth (clusterCaCertificate and clientCertificate), how can I call the Kubernetes API from the browser?

Ark-kun
  • Can you provide a snippet of your fetch function on your post to have a better understanding of your scenario? Have you also seen this [documentation](https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication#authenticating_services)? https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication#authenticating_services – Alex G Aug 02 '21 at 22:23
  • I've added the `fetch` snippet, but it's pretty bland. The link you've given me is interesting although a bit irrelevant: The section is about connecting to the service inside the cluster, while just connecting to the cluster master is enough for me; The doc uses programs like `gcloud`, that are not client-side JS. There is this part however (see item 5): https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication#environments-without-gcloud They get `endpoint` plus `masterAuth.clusterCaCertificate` just like I do. Then they use `kubectl`, which I do not have client-side. – Ark-kun Aug 03 '21 at 03:59
  • When going the shortest way - by connecting to the master I'm just one fetch away from success. But this path seems impossible: https://stackoverflow.com/questions/68614412/browser-make-an-https-get-request-to-api-that-uses-self-signed-certificate-pro/68614456 Maybe there are other paths... – Ark-kun Aug 03 '21 at 04:01
  • Your browser will need to explicitly trust the certificate presented by the GKE master. Try pointing your browser directly at the master API endpoint. You should get the not trusted, etc. warnings, but you should then be able to "trust" the cert (depending on which browser you use). But of course, anyone who accesses your webapp would have to trust the certificate as well. – Gari Singh Aug 03 '21 at 08:31
