Question
- I have multiple Kubernetes clusters running on GKE (say clusterA and clusterB)
- I want to access both clusters from client-go in an application running in one cluster (e.g., access clusterB from an application running on clusterA)
In general, for authenticating with kubernetes clusters from client-go I see that I have two options:
- InCluster config
- or from a kube config file
So it is easy to access clusterA from clusterA but not clusterB from clusterA.
What are my options here? It seems that I just cannot pass GOOGLE_APPLICATION_CREDENTIALS and hope that client-go will take care of itself.
So my idea:
- create a dedicated IAM service account
- create kube config with tokens for both clusters by doing gcloud container clusters get-credentials clusterA and gcloud container clusters get-credentials clusterB
- use that kube config file in client-go via BuildConfigFromFlags on clusterA
Is this the correct approach, or is there a simpler way? I see that tokens have an expiration date?
Update:
It seems I can also use CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True gcloud beta container clusters get-credentials clusterB --zone
. Which would add certificates to the kube conf which I could use. But AFAIK those certificates cannot be revoked.
Answer
client-go needs to know about:
- the IP address of the cluster master
- the CA certificate of the cluster
(If you're using GKE, you can see this info in $HOME/.kube/config, populated by the gcloud container clusters get-credentials command).
I recommend you either:
- Have a kubeconfig file that contains this info for clusters A & B
- Use the GKE API to retrieve this info for clusters A & B (example here) (You'll need a service account to do this, explained below.)
Once you can create a *rest.Config object in client-go, client-go will use the auth plugin that's specified in the kubeconfig file (or the in-memory equivalent you constructed). The gcp auth plugin knows how to retrieve a token.
Then, create a Cloud IAM Service Account and give it the "Container Developer" role. Download its key.
Now you have two options:
gcloud auth activate-service-account --key-file=key.json
KUBECONFIG=a.yaml gcloud container clusters get-credentials clusterA
KUBECONFIG=b.yaml gcloud container clusters get-credentials clusterB
Then create 2 different *rest.Client objects, one created from a.yaml, another from b.yaml, in your program.
Now your program will rely on the gcloud binary to retrieve a token every time your token expires (every 1 hour).
- Don't install gcloud in your program's environment.
- Set your key.json as the GOOGLE_APPLICATION_CREDENTIALS environment variable for your program.
- Figure out a way to get the cluster IP/CA (explained above) so you can construct two different *rest.Config objects for clusters A & B.
- Now your program will use the specified key file to get an access_token for the Google API every time it expires (every 1h).
Hope this helps.
P.S. do not forget to import _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" in your Go program. This loads the gcp auth plugin!
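The answer above comes down to two things per cluster (endpoint + CA) plus a token that must be re-fetched roughly every hour. The following Go program is an added example, not code from the answer or from client-go: it uses only the standard library to show what a per-cluster *rest.Config and the gcp auth plugin do under the hood, namely pin the HTTPS client to the cluster CA from certificate-authority-data and attach a bearer token that is cached and refreshed before expiry. The endpoints (10.0.0.1, 10.0.0.2), the self-signed CA produced by ConstructedCAData and the Fetch stub are all constructed here so it runs offline; a real program would take the endpoint and CA from the GKE API or kubeconfig and mint the token from the service account key via golang.org/x/oauth2/google (option 2) or from gcloud (option 1).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"sync"
	"time"
)

// ClusterTarget holds what client-go needs per cluster: the API endpoint and the cluster CA.
type ClusterTarget struct {
	Server string
	CAPool *x509.CertPool
}

// NewClusterTarget decodes base64 PEM CA data (the kubeconfig certificate-authority-data
// value) into a pool that trusts only that CA, so the client cannot be redirected elsewhere.
func NewClusterTarget(server, caDataB64 string) (*ClusterTarget, error) {
	caPEM, err := base64.StdEncoding.DecodeString(caDataB64)
	if err != nil {
		return nil, fmt.Errorf("decode certificate-authority-data: %w", err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("certificate-authority-data holds no valid certificate")
	}
	return &ClusterTarget{Server: server, CAPool: pool}, nil
}

// TokenSource caches a bearer token and re-fetches it shortly before expiry, which is
// what the gcp auth plugin (or a GOOGLE_APPLICATION_CREDENTIALS token source) does for
// the roughly one-hour GKE access tokens the answer mentions.
type TokenSource struct {
	Fetch   func() (token string, expiry time.Time, err error)
	Fetches int // times Fetch ran; useful for tests and metrics
	mu      sync.Mutex
	token   string
	expiry  time.Time
}

func (ts *TokenSource) Token() (string, error) {
	ts.mu.Lock()
	defer ts.mu.Unlock()
	// Refresh a minute early so an in-flight request never carries a token that expires mid-request.
	if ts.token != "" && time.Now().Add(time.Minute).Before(ts.expiry) {
		return ts.token, nil
	}
	tok, exp, err := ts.Fetch()
	if err != nil {
		return "", err
	}
	ts.token, ts.expiry, ts.Fetches = tok, exp, ts.Fetches+1
	return tok, nil
}

// bearerTransport adds a fresh Authorization header to each request over a transport
// pinned to the cluster CA; one instance per cluster, like the answer's two *rest.Config values.
type bearerTransport struct {
	base http.RoundTripper
	ts   *TokenSource
}

func (b bearerTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	tok, err := b.ts.Token()
	if err != nil {
		return nil, err
	}
	r2 := r.Clone(r.Context()) // never mutate the caller's request
	r2.Header.Set("Authorization", "Bearer "+tok)
	return b.base.RoundTrip(r2)
}

// NewClient builds one HTTPS client for one cluster; call it once for clusterA and once for clusterB.
func NewClient(t *ClusterTarget, ts *TokenSource) *http.Client {
	base := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: t.CAPool, MinVersion: tls.VersionTLS12}}
	return &http.Client{Transport: bearerTransport{base: base, ts: ts}, Timeout: 30 * time.Second}
}

// ConstructedCAData generates a throwaway self-signed CA (constructed sample input) so the
// example runs offline; a real program takes this value from the GKE API or kubeconfig.
func ConstructedCAData() string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-cluster-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}
```

Two points worth noting from the defender's side: because RootCAs contains only the cluster CA, a token can never be sent to an endpoint that merely presents a publicly trusted certificate, and because the token is short-lived and refreshed from the key file rather than stored in kubeconfig, nothing long-lived lands on disk in the pod (the revocation concern the question raises about client certificates).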