I want to connect to and call the Kubernetes REST API from inside a running Pod; the Kubernetes in question is an AWS EKS cluster that uses IAM authentication. All of this is done with the Kubernetes Python library.
From inside my python file:
```python
from kubernetes import client, config
config.load_incluster_config()
v1 = client.CoreV1Api()
ret = v1.list_pod_for_all_namespaces(watch=False)
```
The command above throws a 403 error, which I believe is due to the different authentication mechanism that AWS EKS uses.
```python
ApiToken = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.xxx.yyy'
configuration = client.Configuration()
configuration.host = 'https://abc.sk1.us-east-1.eks.amazonaws.com'
configuration.verify_ssl = False
configuration.debug = True
configuration.api_key = {"authorization": "Bearer " + ApiToken}
client.Configuration.set_default(configuration)
```
While the above works, I have to hardcode a token generated locally via kubectl and check it into the code, which is a security risk.
Is there a more correct way to authenticate the Kubernetes python library against AWS EKS?
Answer 0 (score: 0)
You can obtain a token with the following:
```python
import subprocess
from kubernetes import client


def get_token(cluster_name):
    # Ask the IAM authenticator for a short-lived bearer token for this cluster
    args = ("/usr/local/bin/aws-iam-authenticator", "token", "-i", cluster_name, "--token-only")
    popen = subprocess.Popen(args, stdout=subprocess.PIPE)
    popen.wait()
    # stdout is bytes on Python 3; decode it before building the header value
    return popen.stdout.read().decode().rstrip()


api_token = get_token("<cluster_name>")
configuration = client.Configuration()
configuration.host = '<api_endpoint>'
configuration.debug = True
configuration.api_key['authorization'] = "Bearer " + api_token
configuration.assert_hostname = True
configuration.verify_ssl = False  # disables verification of the API server certificate
client.Configuration.set_default(configuration)
v1 = client.CoreV1Api()
ret = v1.list_pod_for_all_namespaces(watch=False)
print(ret)
```
There is a PR for kubernetes-client/python-base that adds support for exec plugins: Attempt to implement exec-plugins support in kubeconfig.
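An added example (not code from the question or the answer above) covering the two caveats a practitioner runs into with this approach: the exec plugin's token is short-lived, so the expiry in its ExecCredential output should be honoured, and server certificate verification should stay on, pinned to the CA mounted in the pod. It assumes the pod's mounted ca.crt is the EKS cluster CA; the sample ExecCredential JSON is constructed and its token is a placeholder.

```python
import json
import subprocess
from datetime import datetime, timedelta, timezone

# CA bundle mounted into every pod; assumed here to be the EKS cluster CA.
IN_CLUSTER_CA = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

# Constructed sample of what `aws-iam-authenticator token -i <cluster>` prints
# (without --token-only); the token value is a placeholder, not a real credential.
SAMPLE_EXEC_CREDENTIAL = ('{"kind":"ExecCredential","apiVersion":"client.authentication.k8s.io/v1alpha1",'
                          '"spec":{},"status":{"expirationTimestamp":"2020-01-01T12:00:00Z",'
                          '"token":"k8s-aws-v1.CONSTRUCTED-PLACEHOLDER"}}')


def parse_exec_credential(raw):
    """Return (token, expiry) from ExecCredential JSON; expiry is an aware UTC datetime or None."""
    doc = json.loads(raw)
    if doc.get("kind") != "ExecCredential":
        raise ValueError("unexpected kind: %r" % doc.get("kind"))
    status = doc.get("status") or {}
    token = status.get("token")
    if not token:
        raise ValueError("ExecCredential carries no token")
    stamp = status.get("expirationTimestamp")
    expiry = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if stamp else None
    return token, expiry


def needs_refresh(expiry, now=None, margin=timedelta(minutes=2)):
    """True when the token has no known expiry or expires within `margin`."""
    if expiry is None:
        return True
    now = now or datetime.now(timezone.utc)
    return now + margin >= expiry


def fetch_exec_credential(cluster_name, binary="/usr/local/bin/aws-iam-authenticator"):
    """Run the exec plugin inside the pod and return its ExecCredential JSON as text."""
    done = subprocess.run([binary, "token", "-i", cluster_name], stdout=subprocess.PIPE, check=True)
    return done.stdout.decode()


def apply_token(configuration, token, host, ca_file=IN_CLUSTER_CA):
    """Set bearer auth on a kubernetes.client.Configuration (or any object with the same attributes)."""
    configuration.host = host
    configuration.verify_ssl = True       # keep certificate verification on
    configuration.ssl_ca_cert = ca_file   # and pin it to the cluster CA
    configuration.api_key["authorization"] = "Bearer " + token
    return configuration
```

Call fetch_exec_credential again whenever needs_refresh returns True before re-applying the token, so a long-running pod does not keep sending an expired credential.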