Skip to content

Instantly share code, notes, and snippets.

@bgeesaman

bgeesaman/fetchbasic.sh

Last active October 31, 2020 01:00
Show Gist options
  • Save bgeesaman/021465cb009c21522f28f9560d3781be to your computer and use it in GitHub Desktop.
Save bgeesaman/021465cb009c21522f28f9560d3781be to your computer and use it in GitHub Desktop.
Download ZIP
Obtain GKE Basic Auth Credentials and use them
Raw
fetchbasic.sh
#!/usr/bin/env bash
CLUSTER_NAME="basicauth"
LOCATION="--zone us-central1-a"
#LOCATION="--region us-central1"
# Get cluster metadata
echo -n "Fetching cluster metadata..."
CLUSTER="$(gcloud container clusters describe ${CLUSTER_NAME} ${LOCATION} --format=json)"
echo "done."
# Encode CA Cert in Base64
CA_CERT_B64="$(echo $CLUSTER | jq -r '.masterAuth.clusterCaCertificate')"
# Get cluster endpoint
GKE_ENDPOINT="$(echo $CLUSTER | jq -r '.endpoint')"
# Get Basic Auth Pass (In GKE, user is hardcoded as "admin"
BASIC_PASS="$(echo $CLUSTER | jq -r '.masterAuth.password')"
echo -n "Writing file: ${CLUSTER_NAME}-kubeconfig..."
cat > "${CLUSTER_NAME}-kubeconfig" <<EOF
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: ${CA_CERT_B64}
server: https://${GKE_ENDPOINT}
name: gke
contexts:
- context:
cluster: gke
user: gke
name: gke
current-context: gke
kind: Config
preferences: {}
users:
- name: gke
user:
password: "${BASIC_PASS}"
username: "admin"
EOF
echo "done."
echo "Running: KUBECONFIG=${CLUSTER_NAME}-kubeconfig kubectl get clusterroles"
sleep 1
KUBECONFIG=${CLUSTER_NAME}-kubeconfig kubectl get clusterroles
echo ""
echo "KUBECONFIG=${CLUSTER_NAME}-kubeconfig kubectl ..."
@bgeesaman
Copy link
Author

bgeesaman commented Jul 23, 2019
edited
Loading

These credentials can be revoked by modifying the live cluster in the GUI console. Under Kubernetes Engine, click the cluster name, then click Edit at the top, and then flip the Basic Authentication dropdown to disabled, and hit save. This causes a cluster update operation just like if you bumped cluster versions, so zonal clusters will have the control plane down for a few minutes and regional clusters you probably wouldn't notice.

Note: For GKE clusters managed via Terraform, changing the basic_auth settings will trigger a cluster destroy and create. This is most likely not what you want. You can disable it via the UI, update the Terraform to match by "blanking" the fields:

resource "google_container_cluster" "primary" {
  name     = "my-gke-cluster"
  location = "us-central1"
...snip...
  master_auth {
    username = ""
    password = ""
  }
}

and running terraform plan to validate no changes and then terraform apply to update the local state.

You might want to alert on access logs to the GKE API for the user/subject admin to know if these credentials have been or are in use.

Clusters built with GKE 1.12+ no longer have basic authentication and client-certificate authentication enabled by default, but your scripts or terraform might enable it, so it's wise to double-check even on newer versions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment