Python 客户端,用于访问 GKE 上的 kubernetes 集群
[英]Python client for accessing kubernetes cluster on GKE
问题描述
I am struggling to programmatically access a kubernetes cluster running on Google Cloud.
我正在努力以编程方式访问在 Google Cloud 上运行的 kubernetes 集群。 I have set up a service account and pointed GOOGLE_APPLICATION_CREDENTIALS to a corresponding credentials file.我已经设置了一个服务帐户并将GOOGLE_APPLICATION_CREDENTIALS指向相应的凭据文件。 I managed to get the cluster and credentials as follows:我设法获得了集群和凭据,如下所示:
import google.auth
from google.cloud.container_v1 import ClusterManagerClient
from kubernetes import client
credentials, project = google.auth.default(
scopes=['https://www.googleapis.com/auth/cloud-platform',])
credentials.refresh(google.auth.transport.requests.Request())
cluster_manager = ClusterManagerClient(credentials=credentials)
cluster = cluster_manager.get_cluster(project, 'us-west1-b', 'clic-cluster')
So far so good.到目前为止,一切都很好。 But then I want to start using the kubernetes client:但后来我想开始使用 kubernetes 客户端:
config = client.Configuration()
config.host = f'https://{cluster.endpoint}:443'
config.verify_ssl = False
config.api_key = {"authorization": "Bearer " + credentials.token}
config.username = credentials._service_account_email
client.Configuration.set_default(config)
kub = client.CoreV1Api()
print(kub.list_pod_for_all_namespaces(watch=False))
And I get an error message like this:我收到这样的错误消息:
pods is forbidden: User "12341234123451234567" cannot list resource "pods" in API group "" at the cluster scope: Required "container.pods.list" permission. pods 被禁止:用户“12341234123451234567”不能在集群 scope 的 API 组“”中列出资源“pods”:需要“container.pods.list”权限。
I found this website describing the container.pods.list , but I don't know where I should add it, or how it relates to the API scopes described here .我发现 这个网站描述了container.pods.list ,但我不知道应该在哪里添加它,或者它与此处描述的 API 范围有何关系。
1 个解决方案
解决方案1
2 已采纳 2019-10-06 11:50:13
As per the error:根据错误:
pods is forbidden: User "12341234123451234567" cannot list resource "pods" in API group "" at the cluster scope: Required "container.pods.list" permission.
it seems evident the user credentials you are trying to use, does not have permission on listing the pods.很明显,您尝试使用的用户凭据没有列出 pod 的权限。
The entire list of permissions mentioned in https://cloud.google.com/kubernetes-engine/docs/how-to/iam , states the following: https://cloud.google.com/kubernetes-engine/docs/how-to/iam中提到的完整权限列表如下:
There are different Role which can play into account here:这里可以考虑不同的角色:
- If you are able to get cluster, then it is covered with multiple Role sections like:
Kubernetes Engine Cluster Admin,Kubernetes Engine Cluster Viewer,Kubernetes Engine Developer&Kubernetes Engine ViewerIf you are able to get cluster, then it is covered with multiple Role sections like: Kubernetes Engine Cluster Admin,Kubernetes Engine Cluster Viewer,Kubernetes Engine Developer&Kubernetes Engine Viewer - Whereas, if you want to list pods
kub.list_pod_for_all_namespaces(watch=False)then you might needKubernetes Engine Vieweraccess.然而,如果您想列出 pod kub.list_pod_for_all_namespaces(watch=False),那么您可能需要Kubernetes Engine Viewer访问权限。
You should be able to add multiple roles.您应该能够添加多个角色。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.