Kubescape GKE is based on the official GCP SDK and it supports authentication based on the local execution context of the CLI:
- GOOGLE_APPLICATION_CREDENTIALS environment variable or
- ~/.config/gcloud/application_default_credentials.json file
Make sure that one of them is defined properly in the execution context of Kubescape.
If you're missing the application_default_credentials.json file but you do have GCP access from the shell, run the following command to create it:
gcloud auth application-default login
Make sure that this command works:
gcloud container clusters describe <cluster name> --zone <cluster zone> --project <GCP project>
Kubescape in-cluster components can be authorized to access Google Container Registry (for container vulnerability scanning) and Google Kubernetes Engine (for Kubernetes risk assessment). Both authorizations are supported using GKE workload identities.
Workload identity support
Workload identity is not enabled by default in GKE as of today. Please make sure that enabling it does not interfere with existing applications in the cluster.
Check that your cluster has workload identity enabled by running this command:
gcloud container clusters describe <CLUSTER_NAME> | grep workloadPool
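The two checks above (that one of the credential sources exists, and that the cluster reports a workloadPool) can be scripted as a pre-flight step before running Kubescape. The script below is an added example, not part of the Kubescape docs or project: the function names, the sample `describe` output and the project name `example-project` are constructed here, and the live check assumes `gcloud` is installed and authenticated as described above.

```shell
#!/usr/bin/env bash
# Added example (not Kubescape's own code): pre-flight checks for the GKE
# credential sources and for workload identity on the target cluster.

# Return 0 if one of the two Application Default Credential sources exists:
# the GOOGLE_APPLICATION_CREDENTIALS file, or the gcloud ADC file.
# $1 optionally overrides the ADC file path (defaults to the gcloud location).
adc_available() {
  local adc_file="${1:-$HOME/.config/gcloud/application_default_credentials.json}"
  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
    if [ -r "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
      echo "using GOOGLE_APPLICATION_CREDENTIALS=$GOOGLE_APPLICATION_CREDENTIALS"
      return 0
    fi
    echo "GOOGLE_APPLICATION_CREDENTIALS is set but not readable: $GOOGLE_APPLICATION_CREDENTIALS" >&2
  fi
  if [ -r "$adc_file" ]; then
    echo "using $adc_file"
    return 0
  fi
  echo "no application default credentials found; run: gcloud auth application-default login" >&2
  return 1
}

# Read "gcloud container clusters describe" output on stdin and print the
# workloadPool value. Returns 1 when no workloadPool line is present, i.e.
# workload identity is not enabled on the cluster.
workload_pool_from_describe() {
  local pool
  pool=$(sed -n 's/^[[:space:]]*workloadPool:[[:space:]]*//p' | head -n 1)
  if [ -z "$pool" ]; then
    echo "workload identity is not enabled on this cluster" >&2
    return 1
  fi
  echo "$pool"
}

# Live check against GKE (needs gcloud plus the credentials checked above).
# Usage: check_cluster_workload_identity <cluster name> <cluster zone> <GCP project>
check_cluster_workload_identity() {
  gcloud container clusters describe "$1" --zone "$2" --project "$3" \
    | workload_pool_from_describe
}

# Constructed sample "describe" output so the parser can be exercised offline.
SAMPLE_DESCRIBE_WI='name: demo-cluster
workloadIdentityConfig:
  workloadPool: example-project.svc.id.goog
'
SAMPLE_DESCRIBE_NO_WI='name: demo-cluster
location: us-central1
'
```

Run `adc_available` first; if it fails, create the ADC file with `gcloud auth application-default login` as shown above, then run `check_cluster_workload_identity` with your cluster, zone and project. An empty result from the parser means the cluster has no workload pool configured, so the in-cluster components cannot use workload identity until it is enabled.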
We have prepared a ready-to-use recipe for setting this up; see it here.