一直试图让kubernetes的python客户端按预期工作。祝你好运config.load_kube_config()
现在我想使用远程机器上的Python客户端,它既没有kubectl也没有~/.kube/config。尝试了python客户端API引用,例如this
段:
from __future__ import print_function
import time
import kubernetes.client
from kubernetes.client.rest import ApiException
from pprint import pprint
# Configure API key authorization: BearerToken
configuration = kubernetes.client.Configuration()
configuration.api_key['authorization'] = 'YOUR_API_KEY'
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['authorization'] = 'Bearer'
首先,我似乎需要使用默认的service-account-token,其中包含:
configuration.api_key['authorization'] = 'YOUR_API_KEY
很快意识到在看到很多[SSL: CERTIFICATE_VERIFY_FAILED]
有人可以提示我从新安装中获取此信息的位置吗? 使用kubeadm打开这个集群。
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.2", GitCommit:"5fa2db2bd46ac79e5e00a4e6ed24191080aa463b", GitTreeState:"clean", BuildDate:"2018-01-18T21:10:44Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.2", GitCommit:"5fa2db2bd46ac79e5e00a4e6ed24191080aa463b", GitTreeState:"clean", BuildDate:"2018-01-18T09:42:01Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
< ---------编辑以下---------->
使用以下方式管理从master获取令牌:
$ kubectl describe secret $(kubectl get secrets | grep default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d '\t'
以上结果在以下Python代码段中命名为ApiToken。
from kubernetes import client, config
from kubernetes.client.rest import ApiException
ApiToken = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tbXF0eG4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjA5NWQ3ZGVhLTA5MDgtMTFlOC04NTFiLTA4MDAyNzk0OGE2OSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.DBk6gyh4BFy-Gc94dihasYXLbspMvMEjuzFS-AEyNUwk6pR1zsdYOqxo5J-0t6qHN09JyyNK5Oz75cR6bYOGxir1a7SveQpXly4S2Iu3K3o6n8ys_kdP4lNMgBZy--rE0h4neG9s91ven36XP4nYZMwvWal56w39nCUmkomR2-DfhaD4-_Mqq2bd7lmETNinD2hpzTa9cf46VTTY0kcIwhk8FzxEtPA3kxoZul0AfpZT2QlyzLk9fTBRPjd57XbktBgQmiO2wppa_A1KN1Kg83fk1p40hSfY4Vf7Dr76rmKgAUVae-qkN725FWj-4NqzktjyAqalli5jcHo2leJv0A'
configuration = client.Configuration()
configuration.host = 'https://192.168.0.110:6443'
configuration.verify_ssl=False
configuration.debug = True
configuration.api_key={"authorization":"Bearer "+ ApiToken}
client.Configuration.set_default(configuration)
kubeApi = client.CoreV1Api()
try:
allPods = kubeApi.list_pod_for_all_namespaces(watch=False)
except ApiException as e:
print("Exception when calling CoreV1Api->list_pod_for_all_namespaces: %s\n" % e)
回复是HTTP/1.1 403 Forbidden消息。
reply: 'HTTP/1.1 403 Forbidden\r\n'
2018-02-10 09:37:49,801 DEBUG https://192.168.0.110:6443 "GET /api/v1/pods?watch=False HTTP/1.1" 403 243
header: Content-Type header: X-Content-Type-Options header: Date header: Content-Length Exception when calling CoreV1Api->list_pod_for_all_namespaces: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Sat, 10 Feb 2018 04:07:46 GMT', 'Content-Length': '243'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:default:default\" cannot list pods at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}
现在对此阶段进行排除。
答案 0 :(得分:3)
也许你需要令牌。
可以在kube-system命名空间中使用任何秘密:
$ kubectl get secrets -n kube-system
$ kubectl describe secret/{secret_name} -n kube-system
答案 1 :(得分:0)
[root@master1 ~]# APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
[root@master1 ~]# SECRET_NAME=$(kubectl get secrets | grep ^default | cut -f1 -d ' ')
[root@master1 ~]# TOKEN=$(kubectl describe secret $SECRET_NAME | grep -E '^token' | cut -f2 -d':' | tr -d " ")
[root@master1 ~]# curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "11.127.4.111:6443"
}
]
}[root@master1 ~]#
答案 2 :(得分:0)
如果您正在运行kubectl版本,并且只想重用这些凭据,那么这就是您需要的代码:
from kubernetes import config
config.load_kube_config()
如果您想获得更多示例以查看在正确代码的上下文中使用的示例,请在此处查看: https://github.com/kubernetes-client/python/tree/master/examples