getting credentials: exec: executable gke-gcloud-auth-plugin not found - How to pass gcloud creds?

[jayabalan1992]

`$ docker run -it --rm -v "${HOME}/.kube/config:/.kubeconfig" kubent:1.0 -k /.kubeconfig

6:07PM INF >>>Kube No Trouble kubent <<<
6:07PM INF version dev (git sha dev)
6:07PM INF Initializing collectors and retrieving data
6:07PM INF Retrieved 0 resources from collector name=Cluster
6:07PM ERR Failed to retrieve data from collector error="list: failed to list: Get "https:///api/v1/secrets?labelSelector=owner%3Dhelm": getting credentials: exec: executable gke-gcloud-auth-plugin not found" name="Helm v3"
6:07PM INF Loaded ruleset name=custom.rego.tmpl
6:07PM INF Loaded ruleset name=deprecated-1-16.rego
6:07PM INF Loaded ruleset name=deprecated-1-22.rego
6:07PM INF Loaded ruleset name=deprecated-1-25.rego
6:07PM INF Loaded ruleset name=deprecated-1-26.rego

6:07PM INF Loaded ruleset name=deprecated-future.rego`

Note: kubent:1.0 is the image I locally built from the Dockerfile given in this repo with platform=linux/arm64

I tried to mount the gcloud local directory ( -v "${HOME}/.config/gcloud:/root/.config/gcloud") as volume into the container but that didn't help. How can I pass gcloud auth creds inside the container?

[stepanstipl]

Thanks for raising this - this is an issue due to K8S moving auth plugins out of tree¹. We will probably want to add the gke-gcloud-auth-plugin to the image, but AFAIK gke-gcloud-auth-plugin is only distributed as part of the Python Google Cloud SDK, which has a lot of dependencies and would be a bit of PITA to add to our otherwise clean and tiny image.

One option seems to be to put back the gcp auth library (see ²), and generate credentials with USE_GKE_GCLOUD_AUTH_PLUGIN=False.

Seems to me that none of these options are good. On one side we will have to include whole Python + Cloud SDK stack -> big image, with tons of stuff we don't need, or we would require users to regenerate their config with the above variable.

Atm. I don't see an easy way out.

Footnotes

1. https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke ↩

2. https://github.com/kubernetes/cloud-provider-gcp/tree/master/pkg/clientauthplugin ↩

[stepanstipl]

Oh - looks like a good soul has rewritten the auth plugin in Go ¹. Fix for this would then be easy - add this binary to the container. I haven't tested it, so I guess it depends on if it really is a drop-in replacement for the official plugin.

Footnotes

1. https://github.com/traviswt/gke-auth-plugin ↩

[github-actions]

This issue has not seen any activity in last 60 days, and has been marked as stale.

[github-actions]

This issue was closed because it has been stalled for 90 days with no activity.

[krisztiansala]

This should not be closed, I ran into the same error and it makes this tool unusable with GKE