无法用 python 客户端完成 kube.netes 集群认证步骤
[英]Cannot complete the kubernetes cluster authentication step with python client
问题描述
I want to authenticate to a kube.netes cluster through python client library from here .
我想从这里通过 python 客户端库向 kube.netes 集群进行身份验证。 The cluster information:集群信息:
Kube.netes control plane is running at https://127.0.0.1:34823
CoreDNS is running at https://127.0.0.1:34823/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
I did all the steps with no problem.我毫无问题地完成了所有步骤。 But in:但在:
curl -s -k -XGET -H "Authorization: Bearer $KIND_TOKEN" -H "Accept: application/json, */*" -H "Content-Type: application/json" \
-H "kubernetes/$Format" 'https://127.0.0.1:34823/api/v1/namespaces/default/pods/example' | jq .status.phase
got error:得到错误:
jq: error (at:12): Cannot index string with string "phase"
Also once I tried to test:还有一次我尝试测试:
from kubernetes import client
import os
configuration = client.Configuration()
configuration.api_key_prefix["authorization"] = "Bearer"
configuration.host = "https://127.0.0.1:34823"
configuration.api_key["authorization"] = os.getenv("KIND_TOKEN", None)
configuration.verify_ssl = False # Only for testing with KinD!
api_client = client.ApiClient(configuration)
v1 = client.CoreV1Api(api_client)
ret = v1.list_namespaced_pod(namespace="default", watch=False)
for pod in ret.items:
print(f"Name: {pod.metadata.name}, Namespace: {pod.metadata.namespace} IP: {pod.status.pod_ip}")
An other error:另一个错误:
MaxRetryError: HTTPConnectionPool(host=' https', port=80): Max retries exceeded with url: //127.0.0.1:34823/api/v1/namespaces/default/pods?watch=False (Caused by ProtocolError('Connection aborted.', InvalidURL("URL can't contain control characters. ' https' (found at least ' ')")))
The jq version is jq-1.6 . jq 版本是jq-1.6 。
1 个解决方案
解决方案1
0 2023-01-03 13:27:47
This document helps you to know more about bearer token authentication本文档帮助您进一步了解不记名令牌认证
Here are the steps for bearer token authentication.以下是不记名令牌身份验证的步骤。
First, create a file with the following contents to create a service account in the desired namespace.首先,创建一个包含以下内容的文件,以在所需的命名空间中创建一个服务帐户。
apiVersion: v1
kind: ServiceAccount
metadata:
name: <name_of_service_account>
The service account will then be created using this file.然后将使用此文件创建服务帐户。
kubectl create -f <path_to_file> --namespace=<namespace_name>
A bearer token that is linked to each service account can be used for authentication.链接到每个服务帐户的不记名令牌可用于身份验证。 The namespace automatically mounts this bearer token as a secret.命名空间自动将此不记名令牌作为秘密安装。 Use the secret's name (of the form " service_account_name>-token-random_string> ) to get to the content in order to determine what this token is.使用机密名称(格式为“ service_account_name>-token-random_string> ”)获取内容以确定此令牌是什么。
# To search for out service account's token name kubectl get secrets --namespace=<namespace_name>
# To find the token name
kubectl describe secret/<secret_name>
After this, you should be able to determine the API server's IP address and the kube.netes cluster's Cluster CA certificate.在此之后,您应该能够确定 API 服务器的 IP 地址和 kube.netes 集群的 Cluster CA 证书。 Go to the Google Cloud Console kube.netes engine detail page to accomplish this. Go 到 Google Cloud Console kube.netes 引擎详细信息页面以完成此操作。 Put the certificate's content into a local file.将证书的内容放入本地文件。
The bearer token can now be used to authenticate with the kube.netes python client in the following ways:不记名令牌现在可用于通过以下方式向 kube.netes python 客户端进行身份验证:
from kubernetes import client
configuration = client.Configuration()
configuration.api_key["authorization"] = '<bearer_token>’
configuration.api_key_prefix['authorization'] = 'Bearer'
configuration.host = 'https://<ip_of_api_server>'
configuration.ssl_ca_cert = '<path_to_cluster_ca_certificate>'
v1 = client.CoreV1Api(client.ApiClient(configuration))
Refer this stack link 1 and stack link 2 will be helpful to resolve your issue请参考此堆栈链接 1和堆栈链接 2将有助于解决您的问题
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.