Can't add a GKE cluster #14
Comments
Hi and thanks for trying kubenav. Can you check your kubeconfig file if it uses the
I will also concentrate on the support of OIDC for GKE, EKS and AKS, because it's currently the most requested feature. Hopefully I get it into the next release, but I can't promise it.
The thing is there's no
my kubeconfig looks like this:
Hi and thanks for the example kubeconfig. As long as I'm working on OIDC support you can try the following two solutions. I couldn't test the first one, but the second one should definitely work.

Solution 1: Use Bearer Token from OIDC

Run

```sh
curl -k -v -XGET -H "Authorization: Bearer <TOKEN>" -H "Accept: application/json;as=Table;v=v1beta1;g=meta.k8s.io, application/json" -H "User-Agent: kubectl/v1.17.1 (darwin/amd64) kubernetes/d224476" '<URL>/api/v1/namespaces?limit=500'
```

If the authorization header includes a bearer token, you can use this token within kubenav.

Solution 2: Service Account

Run the following, which will create a namespace

```sh
cat <<EOF | kubectl apply -f -
---
apiVersion: v1
kind: Namespace
metadata:
  name: kubenav
---
# Service account whose token is used for the manual configuration
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubenav
  namespace: kubenav
---
# Grants every verb on every resource in every API group, cluster-wide
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubenav
  namespace: kubenav
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
---
# Binds the ClusterRole above to the kubenav service account
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubenav
  namespace: kubenav
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubenav
subjects:
  - kind: ServiceAccount
    name: kubenav
    namespace: kubenav
EOF
```

Get the corresponding secret for the service account:

```sh
# The service account lists the name of its token secret
kubectl get sa --namespace kubenav kubenav -o yaml
# The secret lives in the same namespace as the service account
kubectl get secret --namespace kubenav kubenav-token-lsxc5 -o yaml
```

Use the values from the
Awesome thanks for such a detailed answer!
Nice to hear and thanks for the feedback.
Cannot add an EKS cluster either.
Hi @jicowan, thanks for the example kubeconfig file. I'm currently working on the integration of GKE and EKS, which hopefully gets into the next release. For now you can try the workaround via service account.
Hi @ricoberger, would very much appreciate support for GKE kubeconfigs out of the box. It seems the options in manual configuration will not work very well as they disable client certificates by default and recommend they stay disabled: https://cloud.google.com/kubernetes-engine/docs/how-to/hardening-your-cluster
Short update from my side: I added support for GKE via OIDC (see #19). Currently only the approval of the Google OAuth consent screen and extensive testing are missing. If I understand it correctly, the approval can take some time, so I'll deal with EKS next.
Update:
Thanks for your patience.
Hi, I tried to follow your 2nd point. I produced the sa and secret yaml, but can you share the filled manual configuration in kubenav? I tried but it doesn't work. Thanks
Hi @nixiam, sorry that I missed your question. Can you have a look at the following page please, to see which value must be used in which field: https://docs.kubenav.io/mobile/manual/ Besides the certificate authority data and the token values, you just have to provide the server url in the manual configuration, then it should be working. If you have any further questions please let me know.
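Added example (not from the thread or the kubenav project): building a token-based kubeconfig from the service-account Secret produced by the workaround above, showing which Secret value must be base64-decoded and which is kept encoded. The Secret contents, the function name and the server URL are constructed for illustration, and the standard `kubernetes.io/service-account-token` Secret layout is assumed.

```python
import base64
import json

# Constructed sample in the shape of `kubectl get secret <name> -o json` for a
# service-account token Secret. All values are fake.
_FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nFAKE\n-----END CERTIFICATE-----\n"
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "kubenav-token-example", "namespace": "kubenav"},
    "data": {
        "ca.crt": base64.b64encode(_FAKE_PEM).decode(),
        "namespace": base64.b64encode(b"kubenav").decode(),
        "token": base64.b64encode(b"constructed.jwt.token").decode(),
    },
}


def kubeconfig_from_secret(secret, server, name="kubenav"):
    """Build a token-based kubeconfig dict from a service-account Secret."""
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account token Secret")
    data = secret["data"]
    # Secret data is base64-encoded. The kubeconfig `token` field takes the raw
    # bearer token, so decode it; the still-encoded value is not a valid token.
    token = base64.b64decode(data["token"], validate=True).decode("ascii")
    # `certificate-authority-data` is base64 PEM in a kubeconfig as well, so it
    # is passed through unchanged after checking that it decodes to a PEM cert.
    ca_pem = base64.b64decode(data["ca.crt"], validate=True)
    if not ca_pem.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        raise ValueError("ca.crt does not decode to a PEM certificate")
    cluster = {"server": server, "certificate-authority-data": data["ca.crt"]}
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": name, "cluster": cluster}],
        "users": [{"name": name, "user": {"token": token}}],
        "contexts": [{"name": name, "context": {"cluster": name, "user": name}}],
        "current-context": name,
    }


if __name__ == "__main__":
    # https://203.0.113.10 is a documentation-range placeholder for the server URL.
    cfg = kubeconfig_from_secret(SAMPLE_SECRET, "https://203.0.113.10")
    print(json.dumps(cfg, indent=2))  # JSON output is also valid kubeconfig YAML
```

The decoded token carries the wildcard ClusterRole bound in the workaround manifest, so the generated file is a cluster-wide credential and should be stored accordingly.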
I can't add a GKE cluster. It doesn't allow me to save the kubeconfig file (says it's invalid) and I can't add it manually, as GKE instructs kubeconfig to use the gcloud command line tool to obtain login info.
There's a scope to access Google Cloud with OAuth2, though.