Pykube now supports Google Cloud Platform clusters (OAuth2)

I’ve been contributing to the Pykube project (https://github.com/kelproject/pykube/) recently to add support for Google Cloud Platform clusters.

Kubernetes supports several authentication methods, and Pykube already supported Bearer Token, Basic Auth and X509 client certificates.

For our use case, where we manage 4 Kubernetes clusters (2 bare-metal in our datacenter and 2 in GCP) and want to automate them all, we needed this feature to be available.

GCP also uses Bearer tokens to authenticate, but those tokens are issued by Google and expire after one hour. So getting the token with kubectl and then using Pykube with Bearer token auth was not enough, because the token stops working once it expires.

Instead, Pykube now supports full OAuth2 authentication: it fetches a token from GCP whenever no token is set or the current one has expired, the same way kubectl does.

Both user and service GCP accounts work with this library, but you need to set up your gcloud credentials first.

How to set it up?

User account

You need to log in with ‘gcloud’ and then get your cluster credentials:

gcloud container clusters get-credentials NAME [--zone=ZONE, -z ZONE] [GLOBAL-FLAG …]

See: https://cloud.google.com/sdk/gcloud/reference/container/clusters/get-credentials

That will configure your ~/.kube/config file with the GCP cluster data, and it will also create ~/.config/gcloud/application_default_credentials.json with the personal credentials needed to obtain new tokens when the current one expires.

Pykube uses the refresh_token stored in that .json file as its identity when requesting fresh tokens.

Service account

Service accounts work differently: they don’t use refresh tokens. Instead they use a private key to sign a JWT assertion, which is exchanged for a new token.

When you create a service account in GCP you download a .json file containing that private key and the other credentials.

To make Pykube work you only need to put that .json file in the well-known location ~/.config/gcloud/application_default_credentials.json.

Of course, this well-known location can be overridden with the env var ‘GOOGLE_APPLICATION_CREDENTIALS’ (https://developers.google.com/identity/protocols/application-default-credentials).
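As an added illustration (not Pykube’s own code), here is the token logic described in the user-account and service-account sections above in Python: the credential-type branch (refresh_token grant for user accounts, RS256-signed JWT assertion for service accounts), the GOOGLE_APPLICATION_CREDENTIALS override of the well-known path, and a cache that only refreshes when the token is unset or about to expire. The `sign` and `fetch` callables are assumptions injected by the caller (an RS256 signer and an HTTP POST to the token endpoint) so the module runs offline, and SAMPLE_SA is a constructed credential with a placeholder key.

```python
import base64
import json
import os
import time

# Well-known ADC path; GOOGLE_APPLICATION_CREDENTIALS overrides it.
CREDS_PATH = os.environ.get("GOOGLE_APPLICATION_CREDENTIALS",
                            os.path.expanduser("~/.config/gcloud/application_default_credentials.json"))
SCOPE = "https://www.googleapis.com/auth/cloud-platform"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed sample of the service-account JSON shape (placeholder, not a real key).
SAMPLE_SA = {"type": "service_account", "client_email": "robot@example.iam.gserviceaccount.com",
             "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
             "token_uri": "https://oauth2.googleapis.com/token"}


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def refresh_request(creds, now, sign):
    """Form body for the token endpoint; `sign(pem, bytes) -> bytes` is an injected RS256 signer."""
    if creds.get("type") == "authorized_user":  # user account: refresh_token grant
        return {"grant_type": "refresh_token", "client_id": creds["client_id"],
                "client_secret": creds["client_secret"], "refresh_token": creds["refresh_token"]}
    if creds.get("type") == "service_account":  # service account: signed JWT assertion
        header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
        claims = b64url(json.dumps({"iss": creds["client_email"], "scope": SCOPE,
                                    "aud": creds["token_uri"], "iat": now, "exp": now + 3600}).encode())
        unsigned = header + "." + claims
        return {"grant_type": JWT_BEARER,
                "assertion": unsigned + "." + b64url(sign(creds["private_key"], unsigned.encode()))}
    raise ValueError("unsupported credential type: %r" % creds.get("type"))


class TokenCache:
    """Hands out a bearer token, refreshing only when it is unset or about to expire."""
    def __init__(self, creds, fetch, sign=None, skew=60):
        self.creds, self.fetch, self.sign, self.skew = creds, fetch, sign, skew
        self.token, self.expires_at, self.refreshes = None, 0, 0

    def bearer(self, now=None):
        now = int(time.time() if now is None else now)
        if self.token is None or now >= self.expires_at - self.skew:
            resp = self.fetch(refresh_request(self.creds, now, self.sign))  # POST form -> JSON reply
            self.token = resp["access_token"]
            self.expires_at = now + int(resp["expires_in"])
            self.refreshes += 1
        return self.token
```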
