[英]Python client for accessing kubernetes cluster on GKE
I am struggling to programmatically access a kubernetes cluster running on Google Cloud.我正在努力以编程方式访问在 Google Cloud 上运行的 kubernetes 集群。 I have set up a service account and pointed GOOGLE_APPLICATION_CREDENTIALS
to a corresponding credentials file.我已经设置了一个服务帐户并将GOOGLE_APPLICATION_CREDENTIALS
指向相应的凭据文件。 I managed to get the cluster and credentials as follows:我设法获得了集群和凭据,如下所示:
import google.auth
from google.cloud.container_v1 import ClusterManagerClient
from kubernetes import client
credentials, project = google.auth.default(
scopes=['https://www.googleapis.com/auth/cloud-platform',])
credentials.refresh(google.auth.transport.requests.Request())
cluster_manager = ClusterManagerClient(credentials=credentials)
cluster = cluster_manager.get_cluster(project, 'us-west1-b', 'clic-cluster')
So far so good.到目前为止,一切都很好。 But then I want to start using the kubernetes client:但后来我想开始使用 kubernetes 客户端:
config = client.Configuration()
config.host = f'https://{cluster.endpoint}:443'
config.verify_ssl = False
config.api_key = {"authorization": "Bearer " + credentials.token}
config.username = credentials._service_account_email
client.Configuration.set_default(config)
kub = client.CoreV1Api()
print(kub.list_pod_for_all_namespaces(watch=False))
And I get an error message like this:我收到这样的错误消息:
pods is forbidden: User "12341234123451234567" cannot list resource "pods" in API group "" at the cluster scope: Required "container.pods.list" permission. pods 被禁止:用户“12341234123451234567”不能在集群 scope 的 API 组“”中列出资源“pods”:需要“container.pods.list”权限。
I found this website describing the container.pods.list
, but I don't know where I should add it, or how it relates to the API scopes described here .我发现 这个网站描述了container.pods.list
,但我不知道应该在哪里添加它,或者它与此处描述的 API 范围有何关系。
As per the error:根据错误:
pods is forbidden: User "12341234123451234567" cannot list resource "pods" in API group "" at the cluster scope: Required "container.pods.list" permission. pods 被禁止:用户“12341234123451234567”不能在集群 scope 的 API 组“”中列出资源“pods”:需要“container.pods.list”权限。
it seems evident the user credentials you are trying to use, does not have permission on listing the pods.很明显,您尝试使用的用户凭据没有列出 pod 的权限。
The entire list of permissions mentioned in https://cloud.google.com/kubernetes-engine/docs/how-to/iam , states the following: https://cloud.google.com/kubernetes-engine/docs/how-to/iam中提到的完整权限列表如下:
There are different Role which can play into account here:这里可以考虑不同的角色:
Kubernetes Engine Cluster Admin
, Kubernetes Engine Cluster Viewer
, Kubernetes Engine Developer
& Kubernetes Engine Viewer
If you are able to get cluster, then it is covered with multiple Role sections like: Kubernetes Engine Cluster Admin
, Kubernetes Engine Cluster Viewer
, Kubernetes Engine Developer
& Kubernetes Engine Viewer
kub.list_pod_for_all_namespaces(watch=False)
then you might need Kubernetes Engine Viewer
access.然而,如果您想列出 pod kub.list_pod_for_all_namespaces(watch=False)
,那么您可能需要Kubernetes Engine Viewer
访问权限。You should be able to add multiple roles.您应该能够添加多个角色。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.