Problem verifying the kubernetes python client

Time: 2019-07-23 07:29:56

Tags: kubernetes ssl-client-authentication kubernetes-python-client

My lisNamespaces.py file

from __future__ import print_function
import time
import kubernetes.client
from kubernetes.client.rest import ApiException

configuration = kubernetes.client.Configuration()
configuration.ssl_ca_cert = 'LS0XXXXXXXXXS0tLQo='
configuration.api_key['authorization'] = 'ZXXXXXXXXXXdw=='
configuration.api_key_prefix['authorization'] = 'Bearer'
configuration.host = 'https://aaaaaaaaaaaaaaa.gr7.us-east-1.eks.amazonaws.com'
#configuration.verify_ssl = False


api_instance = kubernetes.client.CoreV1Api(kubernetes.client.ApiClient(configuration))
api_response = api_instance.list_namespace()
for i in api_response.items:
    print(i.metadata.name)

For the ssl_ca_cert value I ran kubectl edit secret nameofsa-token-xyze -n default and used the ca.crt value. The user has cluster-level admin permissions.

For the bearer token I used the same user's token.

If I disable SSL verification by setting configuration.verify_ssl = False, my code runs fine, but it prints a warning.

I want to know what mistake I am making when passing ssl_ca_cert. Please help me.

2 answers:

Answer 0 (score: 1)

The mistake I made was passing the ca.crt data I got from kubectl edit secret nameofsa-token-xyze -n default straight into configuration.ssl_ca_cert in the code.

Instead, the data obtained from that command (kubectl edit secret nameofsa-token-xyze -n default) has to be decoded with base64 --decode; this is how I did it:

kubectl get secrets default-token-nqkdv -n default -o jsonpath='{.data.ca\.crt}' | base64 --decode > ca.crt

Then I need to pass the path of the ca.crt file in the code, so the final code looks like this:

from __future__ import print_function
import kubernetes.client

configuration = kubernetes.client.Configuration()
# ssl_ca_cert takes the path of a PEM file, not the certificate data itself
configuration.ssl_ca_cert = 'ca.crt'
configuration.api_key['authorization'] = 'ZXXXXXXXXXXdw=='
configuration.api_key_prefix['authorization'] = 'Bearer'
configuration.host = 'https://aaaaaaaaaaaaaaa.gr7.us-east-1.eks.amazonaws.com'

api_instance = kubernetes.client.CoreV1Api(kubernetes.client.ApiClient(configuration))
api_response = api_instance.list_namespace()
for i in api_response.items:
    print(i.metadata.name)
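The answer above does the decoding by hand with kubectl and base64. The following is an added example, not code from the question or the answer, that does the same steps in Python: it decodes the base64 fields that kubectl shows for a Secret, checks that ca.crt really is PEM, writes it to a file with tight permissions, and only then hands the path to ssl_ca_cert with verification left on. It also classifies whatever value was given to ssl_ca_cert so the mistake in the question (base64 text where a path belongs) is caught before a request is made. The PEM body and host name are constructed placeholders; build_configuration assumes the kubernetes package is installed, the pure helpers do not need it.

```python
"""Turn a service-account Secret's base64 fields into a kubernetes-client
Configuration that keeps TLS verification enabled (added example)."""
import base64
import binascii
import os
import tempfile
from typing import Optional

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

# Constructed sample: the body is a placeholder, not a real certificate.
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"MIIBszCCAVmgAwIBAgIUc29tZS1jb25zdHJ1Y3RlZC1ib2R5AAAwCgYIKoZIzj0EAwIw\n"
    b"-----END CERTIFICATE-----\n"
)
# This is what `kubectl get secret ... -o jsonpath='{.data.ca\.crt}'` prints.
SAMPLE_CA_B64 = base64.b64encode(SAMPLE_PEM).decode("ascii")
SAMPLE_HOST = "https://aaaaaaaaaaaaaaa.gr7.us-east-1.eks.amazonaws.com"  # placeholder


def decode_secret_field(b64_value: str) -> bytes:
    """Decode one entry of a Secret's `.data` map, which kubectl shows base64-encoded."""
    try:
        return base64.b64decode(b64_value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("secret field is not valid base64") from exc


def write_ca_bundle(b64_ca_crt: str, directory: Optional[str] = None) -> str:
    """Decode ca.crt, write it to a 0600 file and return the path.

    ssl_ca_cert expects a *path* to a PEM file: neither the PEM text nor
    the base64 form that kubectl prints will work.
    """
    pem = decode_secret_field(b64_ca_crt)
    if not pem.lstrip().startswith(PEM_HEADER):
        raise ValueError("decoded ca.crt does not look like a PEM certificate")
    fd, path = tempfile.mkstemp(prefix="k8s-ca-", suffix=".crt", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(pem)
    os.chmod(path, 0o600)
    return path


def classify_ca_value(value: str) -> str:
    """Say what was handed to ssl_ca_cert: 'path', 'pem-text', 'base64' or 'unknown'."""
    if os.path.isfile(value):
        return "path"
    if value.lstrip().startswith("-----BEGIN"):
        return "pem-text"
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    return "base64" if decoded.lstrip().startswith(PEM_HEADER) else "unknown"


def build_configuration(host: str, b64_ca_crt: str, b64_token: str):
    """Return a kubernetes.client.Configuration with verify_ssl left on."""
    from kubernetes import client  # imported here so the helpers above run without it

    configuration = client.Configuration()
    configuration.host = host
    configuration.ssl_ca_cert = write_ca_bundle(b64_ca_crt)
    configuration.verify_ssl = True  # never set this to False to "fix" a CA problem
    # The token field is base64 too; the decoded value usually ends in a newline.
    token = decode_secret_field(b64_token).decode("utf-8").strip()
    configuration.api_key["authorization"] = token
    configuration.api_key_prefix["authorization"] = "Bearer"
    return configuration


if __name__ == "__main__":
    # The value from the question is classified as 'unknown': it is neither a
    # file nor the base64 of a certificate, so ssl_ca_cert cannot use it.
    print(classify_ca_value("LS0XXXXXXXXXS0tLQo="))
    print(classify_ca_value(SAMPLE_CA_B64), classify_ca_value(write_ca_bundle(SAMPLE_CA_B64)))
```

Run classify_ca_value on the value you are about to assign before creating the ApiClient; anything other than "path" will end in the same certificate verification failure the question describes.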

Answer 1 (score: 0)

You can test the token with a basic request:

import requests

# read the bearer token from a file and drop the trailing newline
with open('/path/to/token', 'r') as token_file:
    token = token_file.read().strip()

url = 'https://my-kubernetes-cluster'

headers = {"Authorization": "Bearer " + token}

# verify the server certificate against the cluster CA chain
r = requests.get(url, verify='/path/to/ca_chain.crt', headers=headers)

for line in r.iter_lines():
    print(line.decode())

If the request goes through, you can test the following code:

from kubernetes import client
from kubernetes.client import Configuration, ApiClient

config = Configuration()
# no api_key_prefix is set, so the "Bearer " prefix goes into the key itself
config.api_key = {'authorization': 'Bearer <api_key>'}
config.host = 'https://my-kubernetes-cluster'
config.ssl_ca_cert = "/path/to/ca_chain.crt"

api_client = ApiClient(configuration=config)
v1 = client.CoreV1Api(api_client)

pods = v1.list_pod_for_all_namespaces(watch=False)
for pod in pods.items:
    print(pod.metadata.namespace, pod.metadata.name)

Try it and let me know if it works for you.
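The raw-requests check in this answer tells you whether the call works, but not which half is broken when it does not. The following is an added example, not the answerer's code, that separates the failure modes: a CA path that is not a file, a TLS handshake failure (the bundle does not sign the server certificate), a 401 (token rejected) and a 403 (token accepted but not authorized). It assumes the requests package is installed for the network call; the header and diagnosis helpers are pure and need nothing. The host name is a placeholder.

```python
"""Probe the API server and say whether the CA bundle or the token is
the problem (added example)."""
import os
from typing import Union

Outcome = Union[int, str]


def bearer_headers(token: str) -> dict:
    """Build the Authorization header from a raw token."""
    token = token.strip()  # tokens read from Secrets or files carry a trailing newline
    if not token:
        raise ValueError("empty token")
    if token.lower().startswith("bearer "):
        raise ValueError("pass the raw token; the Bearer prefix is added here")
    return {"Authorization": "Bearer " + token, "Accept": "application/json"}


def diagnose(outcome: Outcome) -> str:
    """Map a probe outcome (HTTP status or a failure tag) to the likely cause."""
    if outcome == "missing-ca":
        return "ca: the verify/ssl_ca_cert value is not a readable file (base64 or PEM text instead of a path?)"
    if outcome == "tls":
        return "ca: TLS handshake failed; this bundle does not sign the server certificate"
    if outcome == 200:
        return "ok: token accepted and authorized"
    if outcome == 401:
        return "token: rejected (wrong, expired, or missing the Bearer prefix)"
    if outcome == 403:
        return "rbac: token authenticated but the subject may not list this resource"
    return "unexpected: HTTP %s" % outcome


def probe(host: str, token: str, ca_path: str, path: str = "/api/v1/namespaces") -> str:
    """GET one read-only endpoint with verification on and classify the result."""
    import requests  # imported here so the pure helpers above run without it

    if not os.path.isfile(ca_path):
        return diagnose("missing-ca")
    try:
        resp = requests.get(
            host.rstrip("/") + path,
            headers=bearer_headers(token),
            verify=ca_path,  # never fall back to verify=False here
            timeout=10,
        )
    except requests.exceptions.SSLError:
        return diagnose("tls")
    return diagnose(resp.status_code)


if __name__ == "__main__":
    # Placeholder host and paths; the CA path check fires before any network I/O.
    print(probe("https://my-kubernetes-cluster", "dummy-token", "/path/to/ca_chain.crt"))
```

A 200 obtained with verify=False proves nothing about who received the token, so keep verification on while debugging and treat the "ca:" diagnoses as a reason to re-extract ca.crt from the cluster, not to disable checking.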