
Hi, I'm running into issues trying to access my Kubernetes cluster hosted on Google Container Engine. I want to use kubectl from an external/remote server (Circle CI). I have gcloud and kubectl installed, and I can access my cluster insecurely using

kubectl get pods --server="https://ENDPOINT_IP" --username="USERNAME" --password="PASSWORD" --insecure-skip-tls-verify=true

I want to be able to access it securely using the certificate provided on the 'show credentials' page of the gcloud container cluster overview. So I have created a ca.crt with this certificate string in it and passed it via the --certificate-authority flag, but I am getting an error:

error: couldn't read version from server: Get https://ENDPOINT_IP: x509: certificate signed by unknown authority

How can I get my certificate signed?

Many thanks, Andy

1 Answer


If you have gcloud installed, you should be able to run `gcloud container clusters get-credentials NAME`, which will grab the client credentials that allow kubectl to securely connect to your hosted apiserver. It will include the cluster's ca.crt (to authenticate the server endpoint) and a client certificate (used for authentication instead of the password). The credentials will be stored in a "kubeconfig" file (by default located in ~/.kube/config, which is also the location that kubectl will try to load credentials from by default).

Robert Bailey
  • Thanks for the reply. I have authenticated using a service account (as it's on a remote server) but I can't add the project id to gcloud config, which needs to be set for `gcloud container clusters get-credentials NAME` to work. Do you know if this is a limitation with service accounts? I can successfully use it to push docker images to gcr. I was wondering if there is any way of bypassing the gcloud auth by using the cluster CA cert supplied in show credentials for the kubernetes endpoint. What is this CA cert for? – andrewpwarren Dec 17 '15 at 17:40
  • What permissions does the service account have on your project? Have you tried running `gcloud auth login` on the remote server to get a local auth token? The cluster CA cert is used to authenticate that when you connect to the Kubernetes apiserver endpoint in your Container Engine cluster you have a secure connection. It isn't used when accessing the Container Engine API with gcloud. – Robert Bailey Dec 18 '15 at 04:42
  • When I run `gcloud auth login` I get a message stating the browser has to be opened to visit a url. This is not possible from the remote server. The service account I am using was manually created and has `can edit` permissions. It also has DwD enabled. – andrewpwarren Dec 18 '15 at 11:46
  • 1
    When you run `gcloud auth login` remotely, it should print out a link to a web URL that you can visit (on your own machine) and paste in the code that you get back after authenticating. – Robert Bailey Dec 18 '15 at 18:36
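The answer above describes what `get-credentials` writes: a kubeconfig whose `certificate-authority-data` pins the apiserver's CA and whose client certificate replaces the username/password. The following is an added example (not code from the question, the answer, or Google's tooling) that assembles that same kubeconfig by hand from the pieces the question mentions, normalises the CA input (the PEM text from the console, or the base64-wrapped PEM that `gcloud container clusters describe` prints under masterAuth.clusterCaCertificate), and audits any kubeconfig for the settings in the question's insecure command. The sample CA is a constructed stand-in whose PEM body is a 5-byte DER SEQUENCE rather than a real certificate, so the example runs offline; `ENDPOINT_IP`, `USERNAME` and `PASSWORD` are the question's placeholders, and the client cert/key strings are placeholders too. On a CI box with no browser, the non-interactive route to the same file is `gcloud auth activate-service-account --key-file=KEY.json`, `gcloud config set project PROJECT`, then `gcloud container clusters get-credentials NAME --zone ZONE`.

```python
# Added example, not from the original post: build and audit a GKE kubeconfig.
import base64
import binascii
import json
import re
from typing import Any, Dict, List

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def _der_sequence_ok(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE, the outer shape of an X.509 cert."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def normalize_ca(raw: str) -> str:
    """Return the cluster CA as one PEM CERTIFICATE block.

    Accepts the PEM text itself or a bare base64 string that decodes to it.
    Malformed input raises ValueError here instead of failing later as an
    opaque x509 error from kubectl.
    """
    text = raw.strip()
    if "BEGIN CERTIFICATE" not in text:
        try:
            text = base64.b64decode("".join(text.split()), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("CA is neither PEM nor base64-wrapped PEM") from exc
    match = PEM_CERT_RE.search(text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in CA input")
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except binascii.Error as exc:
        raise ValueError("PEM body is not valid base64") from exc
    if not _der_sequence_ok(der):
        raise ValueError("PEM body does not decode to a DER SEQUENCE")
    return match.group(0) + "\n"


def ca_is_valid(raw: str) -> bool:
    """Boolean wrapper around normalize_ca for callers that only need yes/no."""
    try:
        normalize_ca(raw)
        return True
    except ValueError:
        return False


def build_kubeconfig(name: str, endpoint_ip: str, ca: str,
                     client_cert_pem: str, client_key_pem: str) -> Dict[str, Any]:
    """Kubeconfig in the shape get-credentials writes: CA pins the server, the
    client cert replaces the password, and insecure-skip-tls-verify is absent."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode()).decode()
    user = name + "-user"
    return {
        "apiVersion": "v1", "kind": "Config",
        "clusters": [{"name": name, "cluster": {
            "server": "https://" + endpoint_ip,
            "certificate-authority-data": b64(normalize_ca(ca))}}],
        "users": [{"name": user, "user": {
            "client-certificate-data": b64(client_cert_pem),
            "client-key-data": b64(client_key_pem)}}],
        "contexts": [{"name": name, "context": {"cluster": name, "user": user}}],
        "current-context": name,
    }


def audit_kubeconfig(cfg: Dict[str, Any]) -> List[str]:
    """One finding per setting that weakens server or client authentication."""
    findings: List[str] = []
    for entry in cfg.get("clusters", []):
        cluster, name = entry.get("cluster", {}), entry.get("name", "?")
        if cluster.get("insecure-skip-tls-verify"):
            findings.append(f"cluster {name}: insecure-skip-tls-verify set; any host can pose as the apiserver")
        if not (cluster.get("certificate-authority") or cluster.get("certificate-authority-data")):
            findings.append(f"cluster {name}: no CA configured for the apiserver endpoint")
        if str(cluster.get("server", "")).startswith("http://"):
            findings.append(f"cluster {name}: plaintext http:// endpoint")
    for entry in cfg.get("users", []):
        if "password" in entry.get("user", {}):
            findings.append(f"user {entry.get('name', '?')}: static password stored in kubeconfig")
    return findings


# Constructed stand-in CA: body "MAMCAQU=" is DER SEQUENCE {INTEGER 5}, not a real cert.
SAMPLE_CA_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
SAMPLE_CA_B64 = base64.b64encode(SAMPLE_CA_PEM.encode()).decode()

# Constructed kubeconfig equivalent to the flags in the question's insecure command.
INSECURE_CFG: Dict[str, Any] = {
    "apiVersion": "v1", "kind": "Config",
    "clusters": [{"name": "gke", "cluster": {"server": "https://ENDPOINT_IP",
                                             "insecure-skip-tls-verify": True}}],
    "users": [{"name": "gke-user", "user": {"username": "USERNAME", "password": "PASSWORD"}}],
    "contexts": [{"name": "gke", "context": {"cluster": "gke", "user": "gke-user"}}],
    "current-context": "gke",
}

if __name__ == "__main__":
    secure = build_kubeconfig("gke", "ENDPOINT_IP", SAMPLE_CA_B64,
                              "<client cert PEM>", "<client key PEM>")
    print(json.dumps(secure, indent=2))  # JSON is valid YAML; kubectl reads it as a kubeconfig
    print("insecure:", audit_kubeconfig(INSECURE_CFG))
    print("secure:", audit_kubeconfig(secure))
```

The audit deliberately treats a missing CA and `insecure-skip-tls-verify` as separate findings: the first means kubectl has nothing to verify the server against, the second means it will not verify even if a CA is present. Run the script to see the exact file layout, then compare it against `kubectl config view` on a machine where `get-credentials` has worked.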