If you’re using Google Kubernetes Engine and deploying to it from headless environments like CI/CD, you’re probably installing the gcloud command-line tool (perhaps every time you run a build). There’s a way to authenticate to GKE clusters without the gcloud CLI!

The solution is to use static kubeconfig files that we craft ahead of time. To do this, you will still need:

  1. gcloud CLI (but only on the development machine, not on the headless environment)
  2. Google credentials to authenticate you (a.k.a. Google Service Account key).

Craft the static kubeconfig file

Set your cluster name and region/zone in a variable in a bash terminal:

GET_CMD="gcloud container clusters describe [CLUSTER] --zone=[ZONE]"

Running the following command block in bash will create a kubeconfig.yaml file by retrieving:

  1. cluster master’s IP address
  2. cluster’s CA certificate

cat > kubeconfig.yaml <<EOF
apiVersion: v1
kind: Config
current-context: my-cluster
contexts: [{name: my-cluster, context: {cluster: cluster-1, user: user-1}}]
users: [{name: user-1, user: {auth-provider: {name: gcp}}}]
clusters:
- name: cluster-1
  cluster:
    server: "https://$(eval "$GET_CMD --format='value(endpoint)'")"
    certificate-authority-data: "$(eval "$GET_CMD --format='value(masterAuth.clusterCaCertificate)'")"
EOF

This kubeconfig.yaml file does not contain secrets such as your credentials. It only points kubectl to your cluster, so you can safely check this file into your git repository.

Note that both the master IP address and the CA certificate can change if you trigger a manual credential rotation on the cluster. If you do that, you need to regenerate this file. (This is the only downside to this approach.)
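Before committing the generated file, it is worth checking that it really holds only public data. The script below is an added example, not part of the original post: it greps for the standard kubeconfig credential keys, requires an https server URL, and verifies that certificate-authority-data decodes to a PEM certificate; the sample kubeconfig files and the placeholder CA value are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: check a generated kubeconfig.yaml
# before committing it. The file built above should carry only the API server
# endpoint and the cluster CA certificate (public data), never client keys or
# tokens. Field names are the standard kubeconfig keys; sample files are constructed.

# Return 0 if the kubeconfig at $1 holds no credential material, 1 otherwise.
kubeconfig_is_public() {
  local f="$1" b64 pem
  # 1. Any of these keys (including tokens kubectl may cache) means secrets are embedded.
  if grep -Eq '(^|[[:space:]{,])(client-key-data|client-certificate-data|client-key|client-certificate|token|password|access-token|refresh-token):' "$f"; then
    echo "refusing: credential material found in $f" >&2; return 1
  fi
  # 2. The server URL must be https; kubectl would otherwise talk in the clear.
  grep -Eq '(^|[[:space:]])server:[[:space:]]*"?https://' "$f" || { echo "refusing: server is not https" >&2; return 1; }
  # 3. certificate-authority-data must decode to a PEM certificate (a public value).
  b64=$(sed -n 's/^[[:space:]]*certificate-authority-data:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$f")
  [ -n "$b64" ] || { echo "refusing: no certificate-authority-data" >&2; return 1; }
  pem=$(printf '%s' "$b64" | base64 -d 2>/dev/null) || { echo "refusing: CA data is not base64" >&2; return 1; }
  case "$pem" in
    "-----BEGIN CERTIFICATE-----"*) return 0 ;;
    *) echo "refusing: CA data is not a PEM certificate" >&2; return 1 ;;
  esac
}

# Constructed stand-in for gcloud's masterAuth.clusterCaCertificate output (not a real certificate).
SAMPLE_CA=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholderNotARealCert' '-----END CERTIFICATE-----' | base64 | tr -d '\n')

# Write two demo files into directory $1: good.yaml mirrors the post's layout,
# bad.yaml is the same file with a bearer token pasted in (must be rejected).
write_samples() {
  cat > "$1/good.yaml" <<EOF
apiVersion: v1
kind: Config
current-context: my-cluster
contexts: [{name: my-cluster, context: {cluster: cluster-1, user: user-1}}]
users: [{name: user-1, user: {auth-provider: {name: gcp}}}]
clusters:
- name: cluster-1
  cluster:
    server: "https://203.0.113.10"
    certificate-authority-data: "$SAMPLE_CA"
EOF
  sed 's/auth-provider: {name: gcp}/token: constructed-secret/' "$1/good.yaml" > "$1/bad.yaml"
}

dir=$(mktemp -d); write_samples "$dir"
kubeconfig_is_public "$dir/good.yaml" && echo "good.yaml: safe to commit"
kubeconfig_is_public "$dir/bad.yaml"  || echo "bad.yaml: rejected as expected"
```

Run it against your own kubeconfig.yaml with `kubeconfig_is_public kubeconfig.yaml` after sourcing the script; a non-zero exit means the file should not be committed.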

Create a service account for headless authentication

  1. You will need to create a service account to authenticate to GKE from headless environments.
  2. Give this service account the IAM roles you need. (For example, “Kubernetes Engine Developer” role will let you deploy workloads to clusters.)
  3. Then, create a key file (.json) for the service account (this file is a secret, do not check it in to your repositories).

Using the kubeconfig file

Now you can go to an environment without gcloud, combine this kubeconfig file with your service account key file, and authenticate to your GKE clusters by setting these environment variables:

export GOOGLE_APPLICATION_CREDENTIALS=service-account-key.json
export KUBECONFIG=kubeconfig.yaml

kubectl get nodes #← You are authenticated if this works!

Setting GOOGLE_APPLICATION_CREDENTIALS for kubectl works just fine because the gcp auth plugin in kubectl uses the standard Google Cloud Go client libraries, which recognize this environment variable.

Hopefully, this nice trick can speed up your build environments by not having to maintain steps to install and configure the gcloud CLI.

This is not the only way to authenticate to GKE clusters without gcloud. You can also use Kubernetes service accounts to authenticate; perhaps we can explore this in another article.