How do I increase the gcloud re-authentication timeout? Currently it expires every hour
I run the commands below
- to authenticate to Google Cloud with my corporate email ID (LDAP)
- to update the kubeconfig file on my on-premises machine
- to access the k8s control plane from the on-premises machine using kube-api-proxy (I use this proxy to reach the control plane because there is no VPC peering between the GKE control plane VPC and my corporate network)
gcloud auth login --no-launch-browser ## I use corporate email id to authenticate
gcloud container clusters get-credentials <gke_cluster_name> --region <region> --project <gcp_project>
export https_proxy=<kube_api_proxy>:8118 ## Proxy to connect to k8s control plane
kubectl get no
Every hour I have to repeat the above steps to re-authenticate; otherwise I fail with the error below when I try to connect to k8s:
Unable to connect to the server: error executing access token command "/usr/lib64/google-cloud-sdk/bin/gcloud
config config-helper --format=json": err=exit status 1 output= stderr=ERROR: gcloud crashed (TransportError):
HTTPSConnectionPool(host='oauth2.googleapis.com', port=443): Max retries exceeded with url: /token
(Caused by ProxyError('Cannot connect to proxy.',
OSError('Tunnel connection failed: 403 Request blocked by Privoxy')))
Is there a way I can increase this timeout to, say, 4 hours or so? I have a job that runs for more than 1 hour and it fails in the middle due to the timeout.
Comments (1)
The gcloud CLI creates OAuth access tokens that are valid for 3,600 seconds. That is the maximum lifetime supported for non-organization projects. This is also the maximum lifetime for user identities, which is what you are using.
To increase the token lifetime for an organization, you must create credentials from a service account and set the organization policy constraint constraints/iam.allowServiceAccountCredentialLifetimeExtension, which supports tokens with a lifetime of 12 hours. link
However, I am not aware of a method of using that constraint within the CLI without modifying the source code of the CLI, which is written in Python. I have never made this change because writing my own code is much easier.
Instead, write your own token generator. There are many source code examples on the Internet. I wrote an article which includes source code: link. Change this line in my code to the time desired:
In Summary:
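The answer's suggestion written out as a kubectl exec credential plugin, so that kubectl calls it instead of `gcloud config config-helper`. This is an added example for this page, not the asker's, the answerer's, or gcloud's code. It calls the IAM Credentials `generateAccessToken` API with a `lifetime` up to the 12 hours the organization policy constraint named in the answer permits, caches the minted token on disk with owner-only permissions so a multi-hour job does not re-mint on every kubectl call, and deliberately does not inherit the `https_proxy` the question exports for kube-api-proxy, because the trace in the question shows that proxy (Privoxy) returning 403 for the Google token endpoint. The environment variables `GKE_TOKEN_SA` and `GKE_TOKEN_LIFETIME_S`, the cache path, and the assumed grant of `roles/iam.serviceAccountTokenCreator` on the target service account to the caller's gcloud identity are this example's assumptions, not facts from the page.

```python
#!/usr/bin/env python3
"""kubectl exec plugin that mints a service-account access token with a lifetime
longer than the 3,600 s gcloud issues, and caches it across kubectl invocations.

Added example for this page; not the asker's, the answerer's, or gcloud's code.
Assumptions (not stated on the page): the caller's gcloud identity holds
roles/iam.serviceAccountTokenCreator on the target service account, and the
organization policy constraints/iam.allowServiceAccountCredentialLifetimeExtension
lists that service account.
"""
import json
import os
import subprocess
import sys
import urllib.request
from datetime import datetime, timedelta, timezone

IAM_CREDENTIALS = "https://iamcredentials.googleapis.com/v1"
CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
MAX_LIFETIME_S = 12 * 3600        # ceiling with the lifetime-extension constraint
DEFAULT_LIFETIME_S = 4 * 3600     # the "4 hours or so" asked for in the question
REFRESH_MARGIN = timedelta(minutes=5)


def build_request(service_account, lifetime_s, scopes=(CLOUD_PLATFORM_SCOPE,)):
    """URL and JSON body for iamcredentials generateAccessToken.

    Rejects lifetimes the API cannot honour so a misconfiguration fails here,
    not with an opaque error in the middle of a long job.
    """
    if not 0 < lifetime_s <= MAX_LIFETIME_S:
        raise ValueError(f"lifetime must be 1..{MAX_LIFETIME_S} seconds, got {lifetime_s}")
    url = f"{IAM_CREDENTIALS}/projects/-/serviceAccounts/{service_account}:generateAccessToken"
    return url, {"scope": list(scopes), "lifetime": f"{lifetime_s}s"}


def parse_rfc3339(ts):
    """'2030-01-01T12:00:00Z' (optionally with fractional seconds) -> aware UTC datetime."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def to_exec_credential(api_response):
    """Translate the generateAccessToken reply into what kubectl expects on stdout."""
    return {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "kind": "ExecCredential",
        "status": {
            "token": api_response["accessToken"],
            "expirationTimestamp": api_response["expireTime"],
        },
    }


def cache_is_fresh(cred, now):
    """True if a cached ExecCredential is still usable at `now`, with a safety margin."""
    try:
        expiry = parse_rfc3339(cred["status"]["expirationTimestamp"])
    except (KeyError, ValueError, TypeError):
        return False
    return expiry - REFRESH_MARGIN > now


def proxyless_env():
    """Drop the proxy variables meant for kube-api-proxy: the trace in the question
    shows that proxy (Privoxy) answering 403 for oauth2.googleapis.com."""
    return {k: v for k, v in os.environ.items()
            if k.lower() not in ("http_proxy", "https_proxy", "all_proxy")}


def mint_token(service_account, lifetime_s):
    """Network path: impersonate the service account using the caller's gcloud identity."""
    caller = subprocess.run(["gcloud", "auth", "print-access-token"], check=True,
                            capture_output=True, text=True, env=proxyless_env()).stdout.strip()
    url, body = build_request(service_account, lifetime_s)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {caller}",
                                          "Content-Type": "application/json"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies
    with opener.open(req, timeout=30) as resp:
        return json.load(resp)


def main():
    sa = os.environ["GKE_TOKEN_SA"]   # assumed name, e.g. ci-runner@proj.iam.gserviceaccount.com
    lifetime = int(os.environ.get("GKE_TOKEN_LIFETIME_S", DEFAULT_LIFETIME_S))
    cache = os.path.expanduser(f"~/.cache/gke-token-{sa}.json")
    cred = None
    try:
        with open(cache) as fh:
            cred = json.load(fh)
    except (OSError, ValueError):
        pass
    if cred is None or not cache_is_fresh(cred, datetime.now(timezone.utc)):
        cred = to_exec_credential(mint_token(sa, lifetime))
        os.makedirs(os.path.dirname(cache), exist_ok=True)
        # A bearer token is landing on disk: create it owner-only from the start.
        with open(os.open(cache, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as fh:
            json.dump(cred, fh)
    json.dump(cred, sys.stdout)


if __name__ == "__main__":
    main()
```

To wire it in, give the kubeconfig user an `exec` entry with `apiVersion: client.authentication.k8s.io/v1beta1`, `command` pointing at this script, and an `env` entry setting `GKE_TOKEN_SA`; kubectl then honours `expirationTimestamp` and only re-runs the plugin once the minted token is near expiry. Note that the long-lived token is still a bearer credential for whatever the service account can do, so scope the service account narrowly and keep the lifetime to what the job actually needs rather than the 12-hour maximum.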