0

I am currently getting my kubeconfig files for my GKE clusters via

export KUBECONFIG=<config-path>
gcloud container clusters get-credentials cluster-name --region=region-name

Now I get the config files and I can use them.

However, for some applications it would be helpful to have hardcoded credentials and not those appearing here

...
users:
- name: user-name
  user:
    auth-provider:
      config:
        access-token: <access-token>
        cmd-args: config config-helper --format=json
        cmd-path: /Users/user-name/google-cloud-sdk/bin/gcloud
        expiry: "2022-08-13T18:27:44Z"
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp

Is there an elegant way to do it? Could also be via a service account or whatever, I am open to any thoughts. The only thing that matters to me is to have a kubeconfig file that I can share and everyone can make use of it, once the user has it in his hands.

tobias

1 Answer

1

See Google's post kubectl auth changes in GKE v1.25 for changes to the way that KUBECONFIG files will authenticate to GKE clusters. Your KUBECONFIG uses the existing mechanism and you may want to consider migrating.

Google uses OAuth to authenticate to GKE Kubernetes clusters. By default, the config uses gcloud to obtain the currently auth'd user's access token (you can use a Service Account as well, see below).

The KUBECONFIG that you included in your question is how kubectl acquires the gcloud's (currently auth'd) user's access token using the config-helper. There's no better way to authenticate as a user if you want the benefits of using gcloud but you could duplicate this functionality outside of KUBECONFIG.

See Authenticating to Kubernetes for a well-documented set of alternative approaches. These include environments with|without gcloud, using Service Accounts and running on Google Cloud (where you can obtain Service Account access tokens easily using Google's Metadata service) and running off Google Cloud. Any of these alternatives may address your need.

DazWilkin
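An added example, not part of the answer above or of Google's tooling: a check to run on a kubeconfig before sharing it. It flags credentials stored in the file (such as the cached access-token from the question) and rewrites the legacy gcp auth-provider entry to the gke-gcloud-auth-plugin exec stanza used by the newer GKE auth mechanism, so each recipient authenticates with their own gcloud identity. The sample config is constructed and the function names are hypothetical.

```python
import copy
import json

# Constructed sample mirroring the `users` entry in the question; the token is a placeholder.
LEGACY = {"apiVersion": "v1", "kind": "Config", "users": [{
    "name": "user-name",
    "user": {"auth-provider": {"name": "gcp", "config": {
        "access-token": "<access-token>",
        "cmd-args": "config config-helper --format=json",
        "cmd-path": "/Users/user-name/google-cloud-sdk/bin/gcloud",
        "expiry": "2022-08-13T18:27:44Z",
        "expiry-key": "{.credential.token_expiry}",
        "token-key": "{.credential.access_token}"}}}}]}

# Exec-plugin stanza: kubectl runs the plugin on demand, so no token is stored in the file.
EXEC_PLUGIN = {
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "command": "gke-gcloud-auth-plugin",
    "provideClusterInfo": True,
}

# Static credential fields a kubeconfig user entry can carry.
SECRET_FIELDS = ("token", "password", "client-key-data")


def embedded_secrets(cfg):
    """Return (user name, field) pairs that carry a credential inside the file."""
    hits = []
    for entry in cfg.get("users", []):
        user = entry.get("user", {})
        hits += [(entry["name"], f) for f in SECRET_FIELDS if user.get(f)]
        provider_cfg = user.get("auth-provider", {}).get("config", {})
        if provider_cfg.get("access-token"):
            hits.append((entry["name"], "auth-provider.config.access-token"))
    return hits


def to_shareable(cfg):
    """Copy cfg, replacing each legacy gcp auth-provider with the exec plugin."""
    out = copy.deepcopy(cfg)
    for entry in out.get("users", []):
        user = entry.get("user", {})
        if user.get("auth-provider", {}).get("name") == "gcp":
            del user["auth-provider"]  # drops cached token, expiry and local cmd-path
            user["exec"] = dict(EXEC_PLUGIN)
    return out


if __name__ == "__main__":
    print(embedded_secrets(LEGACY))
    # JSON is valid YAML, so kubectl can read this output as a kubeconfig.
    print(json.dumps(to_shareable(LEGACY), indent=2))
```

Recipients need gcloud and gke-gcloud-auth-plugin installed, plus their own IAM access to the cluster.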