英文:
Connect GKE cluster from DO cluster by using kubeconfig (not using gcloud)
问题
我在Digital Ocean上有一个集群。我的项目的API在DO上。我的镜像来自google/cloud-sdk:alpine,我还使用以下命令安装了gke-gcloud-auth-plugin:
gcloud components install gke-gcloud-auth-plugin
我在Google Kubernetes Engine上还有另一个集群。我想从我的在DO上的API上创建、列出、删除gke集群上的pod。我使用kubernetes go客户端。我将gke集群的kubeconfig文件提供给go客户端。但是当我尝试执行操作(比如列出pod)时,我收到以下错误:
cred.go:145] print credential failed with error: Failed to retrieve access token:: failure while executing gcloud, with args [config config-helper --format=json]: exit status 12023/04/04 07:28:21 code: get_pod_error, error: Get "https://..../api/v1/namespaces/default/pods/cloud-flow-80117068-9715-4374-b91b-799472d647be": getting credentials: exec: executable gke-gcloud-auth-plugin failed with exit code 1
我使用相同的方法在DO的另一个集群上创建或删除pod,并且成功工作。
简而言之,我想通过使用GKE的kubeconfig文件从DO集群连接到GKE集群。有没有遇到相同问题的人?
谢谢。
英文:
<br/>
I have a cluster on Digital Ocean. The API of my project is in DO. My image is from google/cloud-sdk:alpine and also I installed gke-gcloud-auth-plugin with the following command
gcloud components install gke-gcloud-auth-plugin
I have another cluster on Google Kubernetes Engine. I want to create, list, delete pods on gke cluster from my api which is in DO. I use kubernetes go client. I give the kubeconfig file of gke cluster to go client. But when I try to do an operation (like listing pods) I get the following error:
cred.go:145] print credential failed with error: Failed to retrieve access token:: failure while executing gcloud, with args [config config-helper --format=json]: exit status 12023/04/04 07:28:21 code: get_pod_error, error: Get "https://..../api/v1/namespaces/default/pods/cloud-flow-80117068-9715-4374-b91b-799472d647be": getting credentials: exec: executable gke-gcloud-auth-plugin failed with exit code 1
I used the same method to create or delete pods on another cluster in DO and worked successfuly.
Briefly I want to connect GKE cluster from DO cluster by using kubeconfig file of GKE
Is there anyone who encounter with the same problem?
Thanks..
答案1
得分: 2
最后我像下面这样解决了:
1:创建一个带有令牌和服务帐号的密钥。然后将它们关联起来。
2:创建一个集群角色(授予必要的权限)和集群角色绑定。将它们关联起来。
3:将服务帐号和集群角色绑定关联起来。
现在你可以使用令牌连接到 GKE 集群,而无需使用 gke-gcloud-auth-plugin。
如果我不使用令牌参数,输出结果如下:
但是,如果我使用令牌,它可以成功工作。
同时,使用令牌并打印 Pod 的 Go 代码如下:
package mainimport ("context""fmt""os"v1 "k8s.io/apimachinery/pkg/apis/meta/v1""k8s.io/client-go/kubernetes""k8s.io/client-go/tools/clientcmd")func main() {// kubeconfig 文件的路径kubeconfigPath := "/home/latif/.kube/config"// 从 kubeconfig 文件构建配置config, err := clientcmd.BuildConfigFromFlags("", kubeconfigPath)if err != nil {fmt.Printf("Error building config from kubeconfig: %v", err)os.Exit(1)}// 设置认证令牌config.BearerToken = "my_token"// 创建一个新的 Kubernetes 客户端clientset, err := kubernetes.NewForConfig(config)if err != nil {fmt.Printf("Error creating Kubernetes client: %v", err)os.Exit(1)}// 获取默认命名空间中的 Pod 列表pods, err := clientset.CoreV1().Pods("default").List(context.Background(), v1.ListOptions{})if err != nil {fmt.Printf("Error getting pods: %v", err)os.Exit(1)}// 打印每个 Pod 的名称for _, pod := range pods.Items {fmt.Println(pod.Name)}}
<details><summary>英文:</summary>Finally I solved like following:1: Create a secret with a token and service account. Then associate them.<br/>2: Create a clusterrole (give necessary permissions) and clusterrolebinding. Associate them. <br/>3: Associate the service account and clusterrolebinding.Now you can use the token to connect gke cluster without using gke-gcloud-auth-plugin. <br/>If I dont use the token argument, the output is: <br/>[![enter image description here][1]][1]But , if I use the token, it works successfully[![enter image description here][2]][2][1]: https://i.stack.imgur.com/v31lx.png[2]: https://i.stack.imgur.com/fYyfo.png<br/><br/>Also the go code that uses token and prints the pods is like following:package mainimport ("context""fmt""os"v1 "k8s.io/apimachinery/pkg/apis/meta/v1""k8s.io/client-go/kubernetes""k8s.io/client-go/tools/clientcmd")func main() {// Path to the kubeconfig filekubeconfigPath := "/home/latif/.kube/config"// Build the configuration from the kubeconfig fileconfig, err := clientcmd.BuildConfigFromFlags("", kubeconfigPath)if err != nil {fmt.Printf("Error building config from kubeconfig: %v", err)os.Exit(1)}// Set the authentication tokenconfig.BearerToken = "my_token"// Create a new Kubernetes clientclientset, err := kubernetes.NewForConfig(config)if err != nil {fmt.Printf("Error creating Kubernetes client: %v", err)os.Exit(1)}// Get the list of pods in the default namespacepods, err := clientset.CoreV1().Pods("default").List(context.Background(), v1.ListOptions{})if err != nil {fmt.Printf("Error getting pods: %v", err)os.Exit(1)}// Print the name of each podfor _, pod := range pods.Items {fmt.Println(pod.Name)}}</details>
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论