kubectl OAuth2 authentication with Container Engine fails

Problem description:

I use the following commands in my deployment pipeline to set up kubectl for use with container engine

gcloud auth activate-service-account ***@***.iam.gserviceaccount.com --key-file /var/go/.gcloud/***.json
gcloud config set account ***@***.iam.gserviceaccount.com
gcloud config set project gcloud-projectx
gcloud container clusters get-credentials gke-cluster --zone europe-west1-c

Since a recent gcloud update when running kubectl version this fails with the following error

Client Version: version.Info{Major:"1", Minor:"3", GitVersion:"v1.3.4", GitCommit:"dd6b458ef8dbf24aff55795baa68f83383c9b3a9", GitTreeState:"clean", BuildDate:"2016-08-01T16:45:16Z", GoVersion:"go1.6.2", Compiler:"gc", Platform:"linux/amd64"}
error: You must be logged in to the server (the server has asked for the client to provide credentials)

With Google Cloud SDK 122.0.0 and kubectl-linux-x86_64 1.3.4, whereas Google Cloud SDK 119.0.0 and kubectl-linux-x86_64 1.2.5 outputs

Client Version: version.Info{Major:"1", Minor:"2", GitVersion:"v1.2.5", GitCommit:"25eb53b54e08877d3789455964b3e97bdd3f3bce", GitTreeState:"clean"}
Server Version: version.Info{Major:"1", Minor:"3", GitVersion:"v1.3.5", GitCommit:"b0deb2eb8f4037421077f77cb163dbb4c0a2a9f5", GitTreeState:"clean", BuildDate:"2016-08-11T20:21:58Z", GoVersion:"go1.6.2", Compiler:"gc", Platform:"linux/amd64"}

The gcloud and kubectl tooling has changed recently to use OAuth2 authentication instead of a client certificate, which causes the issue.

August 17, 2016

Kubernetes v1.3.5 is the default version for new clusters. gcloud changed the container/use_client_certificate property default value to false. This makes the gcloud container clusters create and gcloud container clusters get-credentials commands configure kubectl to use Google OAuth2 credentials by default instead of the legacy client certificate.

I can fix it on the newer version by reverting to client certificate authentication with these commands

gcloud config set container/use_client_certificate True
export CLOUDSDK_CONTAINER_USE_CLIENT_CERTIFICATE=True

My question is how can I get the OAuth2 authentication to work so I don't have to fall back to the client certificate authentication? I would have thought this would happen transparently and without errors.

Kubectl is configured to use Application Default Credentials to authenticate to the Kubernetes master. To specify the service account you want it to use, set GOOGLE_APPLICATION_CREDENTIALS to the location of your key file. So for you:

export GOOGLE_APPLICATION_CREDENTIALS=/var/go/.gcloud/***.json

Sorry it wasn't as transparent and frictionless as you (and we) hoped.
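
A pipeline that points GOOGLE_APPLICATION_CREDENTIALS at a key file can first check that the file is owner-only and belongs to the intended service account. The following is an added example, not part of the original answer or of Google's tooling; the function names and the sample account are hypothetical, and it assumes Linux (GNU stat) and the standard service account key JSON fields `type` and `client_email`.

```shell
#!/usr/bin/env bash
# Added example: preflight check for the key that kubectl will load through
# Application Default Credentials. Function names are hypothetical.
# Assumes Linux (GNU stat) and the standard service account key JSON layout.

# Write a constructed, non-functional sample key (no private key material).
write_sample_key() {
  printf '{\n  "type": "service_account",\n  "client_email": "%s"\n}\n' "$2" > "$1"
  chmod 600 "$1"
}

# Print the first value of a string field from the key JSON (no jq needed).
json_field() {
  sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_adc_key KEY_FILE EXPECTED_ACCOUNT
# 0 = ok, 1 = missing, 2 = permissions, 3 = wrong type, 4 = wrong account.
check_adc_key() {
  local key="$1" expected="$2" mode
  if [ ! -f "$key" ] || [ ! -r "$key" ]; then
    echo "key file missing or unreadable: $key" >&2; return 1
  fi
  mode=$(stat -c '%a' "$key") || return 1
  # Accept only owner-only modes so other local users cannot read the key.
  case "$mode" in
    600|400) ;;
    *) echo "key file mode $mode, expected 600 or 400" >&2; return 2 ;;
  esac
  if [ "$(json_field "$key" type)" != "service_account" ]; then
    echo "not a service account key: $key" >&2; return 3
  fi
  if [ "$(json_field "$key" client_email)" != "$expected" ]; then
    echo "key does not belong to $expected" >&2; return 4
  fi
}

# use_adc_key KEY_FILE EXPECTED_ACCOUNT
# Export GOOGLE_APPLICATION_CREDENTIALS only after every check passes.
use_adc_key() {
  check_adc_key "$1" "$2" || return $?
  export GOOGLE_APPLICATION_CREDENTIALS="$1"
}
```

In the pipeline, `use_adc_key` would be called with the real key path and service account before `gcloud container clusters get-credentials`, failing the job on a non-zero status.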