Authenticating to GKE without gcloud

Ahmet Alp Balkan
Google Cloud - Community
2 min read · Jul 9, 2019

UPDATE (December 2023): This article no longer works as-is, since the “gcp” auth plugin has been removed from kubectl builds. But you should be able to use the new “gke-gcloud-auth-plugin” tool by configuring an exec command in your kubeconfig file.

If you’re using Google Kubernetes Engine and deploying to it from headless environments like CI/CD, you’re probably installing the gcloud command-line tool (perhaps every time you run a build). There's a way to authenticate to GKE clusters without the gcloud command-line tool!

The solution is to use static kubeconfig files that we craft ahead of time. To do this, you will still need:

  1. gcloud CLI (only on the development machine)
  2. Google credentials to authenticate you (a.k.a. a Service Account key).

Craft the static kubeconfig file

Set your cluster name and region/zone in a variable in a bash terminal:

GET_CMD="gcloud container clusters describe [CLUSTER] --zone=[ZONE]"

Running the following command block in bash will create a kubeconfig.yaml file by retrieving the cluster's endpoint and CA certificate:

cat > kubeconfig.yaml <<EOF
apiVersion: v1
kind: Config
current-context: my-cluster
contexts: [{name: my-cluster, context: {cluster: cluster-1, user: user-1}}]
users: [{name: user-1, user: {auth-provider: {name: gcp}}}]
clusters:
- name: cluster-1
  cluster:
    server: "https://$(eval "$GET_CMD --format='value(endpoint)'")"
    certificate-authority-data: "$(eval "$GET_CMD --format='value(masterAuth.clusterCaCertificate)'")"
EOF

This kubeconfig.yaml file does not contain secrets such as your credentials. It only points kubectl to your cluster. You can safely store this file in your git repository.

Note that you can rotate both this master IP address and the CA certificate by triggering a manual rotation. If you do that, you need to re-generate this file. (This is the only downside to this approach.)
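The claim above, that the generated file carries only an endpoint and a CA certificate and no credentials, is something worth checking before committing. The following is an added example, not code from the original post: a small pre-commit check that passes for a file shaped like the kubeconfig.yaml above and fails once someone pastes a token into it. It assumes POSIX sh, grep, sed, mktemp and GNU base64; the file names, IP and certificate data are constructed for the example.

```shell
# Added example (not from the original post): verify that a generated kubeconfig
# only points at a cluster (https server + CA cert) and embeds no credentials.
# Assumes POSIX sh, grep, sed, mktemp and GNU base64 -d; all file names and
# values below are constructed placeholders for the example.

# Print the first "key: value" found for the given key, with quotes stripped.
kubeconfig_value() {
  grep -m1 "^[[:space:]-]*$2:" "$1" | sed "s/^[^:]*:[[:space:]]*//; s/\"//g"
}

# Succeed only if no key that carries an inline credential appears anywhere,
# in block style ("  token: ...") or flow style ("{token: ...}").
kubeconfig_has_no_secrets() {
  ! grep -Eq '(^|[[:space:]{,-])(token|password|client-key-data|client-certificate-data|access-token|refresh-token|id-token)[[:space:]]*:' "$1"
}

# Succeed only if the server is an https endpoint and the CA data decodes to PEM.
kubeconfig_points_at_cluster() {
  case "$(kubeconfig_value "$1" server)" in https://*) ;; *) return 1 ;; esac
  kubeconfig_value "$1" certificate-authority-data | base64 -d 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE'
}

# Verdict: safe to commit only when both checks pass.
kubeconfig_safe_to_commit() {
  kubeconfig_has_no_secrets "$1" && kubeconfig_points_at_cluster "$1"
}

# Constructed samples. FAKE_CA is a placeholder PEM block, not a real certificate.
FAKE_CA=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedPlaceholder' \
  '-----END CERTIFICATE-----' | base64 | tr -d '\n')
WORK=$(mktemp -d)
GOOD="$WORK/kubeconfig-good.yaml"   # shaped like the post's static file
BAD="$WORK/kubeconfig-bad.yaml"     # same file after a token was pasted in
cat > "$GOOD" <<EOF
apiVersion: v1
kind: Config
current-context: my-cluster
contexts: [{name: my-cluster, context: {cluster: cluster-1, user: user-1}}]
users: [{name: user-1, user: {auth-provider: {name: gcp}}}]
clusters:
- name: cluster-1
  cluster:
    server: "https://203.0.113.10"
    certificate-authority-data: "$FAKE_CA"
EOF
sed 's/{auth-provider: {name: gcp}}/{token: constructed-example-token}/' "$GOOD" > "$BAD"
kubeconfig_safe_to_commit "$GOOD" && echo "kubeconfig-good.yaml: safe to commit"
kubeconfig_safe_to_commit "$BAD" || echo "kubeconfig-bad.yaml: contains credentials, do not commit"
```

The check is deliberately line-oriented and only recognises the credential keys kubectl itself understands; it complements, rather than replaces, a secret scanner in CI.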

Create a service account for headless authentication

  1. You will need to create a service account to authenticate to GKE from headless environments.
  2. Give this service account the IAM role you need. (For example, the “Kubernetes Engine Developer” role will let you deploy workloads to clusters.)
  3. Then, create a key file (.json) for the service account (this file is a secret; do not check it in to your repositories).

Using the kubeconfig file

Now you can go to an environment without gcloud, take this kubeconfig file, combine it with your Service Account key file, and authenticate to your GKE clusters by setting these environment variables:

export GOOGLE_APPLICATION_CREDENTIALS=service-account-key.json
export KUBECONFIG=kubeconfig.yaml
kubectl get nodes # You are authenticated if this works!

Setting GOOGLE_APPLICATION_CREDENTIALS for kubectl works because the gcp auth plugin in kubectl uses the standard Google Cloud Go client libraries, which recognize this environment variable.

Hopefully, this nice trick can speed up your build environments by not having to maintain steps to install and configure the gcloud CLI.

This is not the only way to authenticate to GKE clusters without gcloud. You can also use Kubernetes service accounts to authenticate; perhaps we can explore this in another article.

Originally published at https://ahmet.im on July 9, 2019.
