
Is there a standalone binary version of gke-gcloud-auth-plugin (no gcloud->python dep)?

Per this post https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke we have to use the gke-gcloud-auth-plugin going forward.

This approach looks great for kubectl interactions, but for k8s.io/client-go I am a bit confused by the proposed implementation. It appears that the gke-gcloud-auth-plugin is a wrapper around gcloud that is implemented in python.

This means that after adding the proper dependencies and abandoning my distroless image, which was 98MB, it is now 1.4GB, not distroless, and has many security issues when scanned with Snyk.

I would appreciate some guidance here and hope there is an actual standalone binary version of the gke-gcloud-auth-plugin. Does this exist?

Is there another approach that does not have this large dependency graph?

 

1 ACCEPTED SOLUTION

Have a look at https://github.com/kubernetes/cloud-provider-gcp/tree/master/pkg/clientauthplugin .
Even though it won't continue to be supported, you can use it as a reference.

You might also want to have a look at https://gist.github.com/ahmetb/548059cdbf12fb571e4e2f1e29c48997 .
It's a pretty clean example of using the native GCP auth libs directly as well.


5 REPLIES

Are you running this container within your GKE cluster itself?
If so, are you only connecting to the API server of the cluster in which you are running the image?

This is outside of the cluster. We have automation applications that interact from a central location across GKE, EKS, and AKS. 

So it seems there will not be a Google built and supported standalone binary as of now? Only the plugin->gcloud->python mechanism. All golang implementations will have to include python in their images to auth with GKE if outside of the cluster?

I learned from the gist and created a drop-in replacement standalone binary; thanks for the insights and advice.

 https://github.com/traviswt/gke-auth-plugin
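
The contract a standalone replacement has to satisfy, as an added example that is not code from this thread, the linked gist or the linked repository: client-go runs the exec plugin and reads a `client.authentication.k8s.io/v1beta1` `ExecCredential` object from its stdout. The names `tokenFunc` and `buildExecCredential` are hypothetical, and the token fetch is a constructed stand-in for a native Google OAuth2 token source.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"time"
)

// execCredential is the object client-go parses from an exec plugin's stdout.
type execCredential struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Status     struct {
		Token               string `json:"token"`
		ExpirationTimestamp string `json:"expirationTimestamp"`
	} `json:"status"`
}

// tokenFunc is a hypothetical hook for a native Google OAuth2 token source.
type tokenFunc func() (token string, expiry time.Time, err error)

// buildExecCredential validates the token and renders the stdout payload.
func buildExecCredential(fetch tokenFunc, now time.Time) ([]byte, error) {
	tok, exp, err := fetch()
	if err != nil {
		return nil, fmt.Errorf("fetch token: %w", err)
	}
	if tok == "" || !exp.After(now) { // never hand client-go a dead credential
		return nil, errors.New("token is empty or already expired")
	}
	var c execCredential
	c.APIVersion, c.Kind = "client.authentication.k8s.io/v1beta1", "ExecCredential"
	c.Status.Token = tok
	c.Status.ExpirationTimestamp = exp.UTC().Format(time.RFC3339)
	return json.Marshal(c)
}

func main() {
	fetch := func() (string, time.Time, error) { // constructed sample, not a real token
		return "constructed-sample-token", time.Now().Add(time.Hour), nil
	}
	out, err := buildExecCredential(fetch, time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, "auth plugin:", err) // diagnostics go to stderr only
		os.Exit(1)
	}
	os.Stdout.Write(out) // stdout carries only the JSON for client-go
}
```

Because nothing but the JSON object is written to stdout and errors go to stderr, the token never ends up in log output, and a binary built this way needs no gcloud or Python in the image.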

 
