How to config k8s client so that it can talk to k8s CRDs from a k8s cluster pod?

The examples in the k8s java client all use the default client; see here.

ApiClient client = Config.defaultClient();
Configuration.setDefaultApiClient(client);

How can I config the k8s client so that it can talk to k8s CRDs (say, sparkoperator) from a k8s cluster pod? How should I config this client? (basePath, authentications?) And what is the basePath I should use within a pod in the same k8s cluster?

You can use the defaultClient for that as well.

The defaultClient() method will create an in-cluster client if the application is running inside the cluster and has the correct service account.

You can see the rules for defaultClient from the comments on the method here:

/**
   * Easy client creation, follows this plan
   *
   * <ul>
   *   <li>If $KUBECONFIG is defined, use that config file.
   *   <li>If $HOME/.kube/config can be found, use that.
   *   <li>If the in-cluster service account can be found, assume in cluster config.
   *   <li>Default to localhost:8080 as a last resort.
   * </ul>
   *
   * @return The best APIClient given the previously described rules
   */

So if the application using the k8s java client runs on the cluster itself, it should be able to access stuff on the cluster as long as it has the correct permission. You need to allow your client application to access the CRDs, like this example of a ClusterRole for the CRDs of Prometheus Operator:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: prometheus-crd-view
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["monitoring.coreos.com"]
  resources: ["alertmanagers", "prometheuses", "prometheusrules", "servicemonitors"]
  verbs: ["get", "list", "watch"]

You can use the Kubernetes API; you just need to install curl.

curl http://localhost:8080/api/v1/namespaces/default/pods

Just change localhost to the apiserver IP address / DNS name.

You should read the Kubernetes API documentation.

Also, you will need to configure RBAC for access and permissions. Containers inside a cluster are populated with a token that is used to authenticate to the API server. You can verify that by executing cat /var/run/secrets/kubernetes.io/serviceaccount/token inside the pod.

With that, your request to the apiserver from inside the container, might look like the following:

curl -ik \
     -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
     https://kubernetes.default.svc.cluster.local/api/v1/namespaces/default/pods

You can also install kubectl inside the container, also setting the needed permissions; see this for more details.

I recommend the following reads: Installing kubectl in a Kubernetes Pod and The Kubernetes API call is coming from inside the cluster!

As for other Java clients, there are also unofficial client libraries like Java (OSGi) and Java (Fabric8, OSGi).
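
The in-pod request from the answer above, as an added example (not part of the original answers): it targets a custom resource path under /apis/<group>/<version> and verifies the API server certificate against the mounted ca.crt rather than using -k. The function names are hypothetical, and the Spark operator group, version and plural in the usage comment are assumptions that do not appear on the page.

```shell
# Added example: list a namespaced custom resource from inside a pod.

# Standard service account mount; overridable so the helpers can be tried off-cluster.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# In-cluster base URL, built from the environment variables injected into every pod.
api_base() {
  [ -n "${KUBERNETES_SERVICE_HOST:-}" ] || {
    echo "KUBERNETES_SERVICE_HOST is not set (not running in a pod?)" >&2
    return 1
  }
  case "$KUBERNETES_SERVICE_HOST" in
    # IPv6 literals must be bracketed inside a URL.
    *:*) printf 'https://[%s]:%s' "$KUBERNETES_SERVICE_HOST" "${KUBERNETES_SERVICE_PORT:-443}" ;;
    *)   printf 'https://%s:%s' "$KUBERNETES_SERVICE_HOST" "${KUBERNETES_SERVICE_PORT:-443}" ;;
  esac
}

# Custom resources are served under /apis/<group>/<version>, not /api/v1.
# usage: crd_path GROUP VERSION PLURAL [NAMESPACE]
# NAMESPACE defaults to the pod's own namespace from the service account mount.
crd_path() {
  printf '/apis/%s/%s/namespaces/%s/%s' \
    "$1" "$2" "${4:-$(cat "$SA_DIR/namespace")}" "$3"
}

# GET the resource list. --cacert pins the cluster CA, so the token is only
# ever sent to a server that presents a certificate signed by that CA.
# --fail makes curl return non-zero on 401/403, e.g. when RBAC is missing.
list_custom_resources() {
  api_base >/dev/null || return 1
  curl --silent --show-error --fail \
       --cacert "$SA_DIR/ca.crt" \
       -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
       "$(api_base)$(crd_path "$@")"
}

# Example calls. The first uses the group and resource from the ClusterRole
# shown earlier; the second uses assumed values for the Spark operator CRD.
# list_custom_resources monitoring.coreos.com v1 servicemonitors default
# list_custom_resources sparkoperator.k8s.io v1beta2 sparkapplications
```

A 403 from this call means the pod's service account is authenticated but not bound to a role that grants the verb on that API group.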
