- I have multiple Kubernetes clusters running on GKE (say clusterA and clusterB)
- I want to access both clusters from a client inside an application running in one of the clusters (e.g., access clusterB from an application running on clusterA)
In general, for authenticating with Kubernetes clusters from client-go I see that I have two options:
- InCluster config
- or from a kube config file
So it is easy to access clusterA from clusterA but not clusterB from clusterA.
What are my options here? It seems that I just cannot pass GOOGLE_APPLICATION_CREDENTIALS and hope that client-go will take care of itself.
So my thinking:
- create a dedicated IAM service account
- create a kube config with tokens for both clusters by running gcloud container clusters get-credentials clusterA and gcloud container clusters get-credentials clusterB
- use that kube config file in client-go via BuildConfigFromFlags on clusterA
Is this the correct approach, or is there a simpler way? I see that tokens have an expiration date?
Update:
It seems I can also use CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True gcloud beta container clusters get-credentials clusterB --zone, which would add certificates to the kube conf that I could use. But AFAIK those certificates cannot be revoked.
Recommended answer
client-go needs to know about:
(If you're using GKE, you can see this info in $HOME/.kube/config, populated by the gcloud container clusters get-credentials command.)
I suggest one of the following:
Once you can create a *rest.Config object in client-go, client-go will use the auth plugin that's specified in the kubeconfig file (or the in-memory equivalent you constructed). In the gcp auth plugin, it knows how to retrieve a token.
Then, create a Cloud IAM Service Account and give it the "Container Developer" role. Download its key.
Now you have two options:
    gcloud auth activate-service-account --key-file=key.json
    KUBECONFIG=a.yaml gcloud container clusters get-credentials clusterA
    KUBECONFIG=b.yaml gcloud container clusters get-credentials clusterB

Then create 2 different *rest.Client objects, one created from a.yaml, another from b.yaml in your program.
Now your program will rely on the gcloud binary to retrieve a token every time your token expires (every 1 hour).
Hope this helps.
P.S. Do not forget to import _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" in your Go program. This loads the gcp auth plugin!