
Kubernetes in-cluster authentication

It seems that my AKS cluster is unable to perform basic requests to the k8s API, i.e. using the in-cluster token for the pods. Everything works fine when I use the same code from my local machine, i.e. with config.load_kube_config.

I am using the Python k8s client 11.0.0, and I am loading the configuration through config.load_incluster_config(). I get the following error:

HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}

when trying to simply list my pods (using client.list_namespaced_pod). I also tried to perform a raw GET request, but with the same result.

I tried to extend the cluster role to specifically access the resources; here are my ClusterRole and ClusterRoleBinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: clusterrolename
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - namespaces
  verbs:
  - get
  - list
- apiGroups:
  - metrics.k8s.io
  resources:
  - '*'
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: clusterrolebindingname
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: clusterrolename
subjects:
- kind: ServiceAccount
  name: default
  namespace: mynamespace

but I always get the same result.

The same approach does not work equally on Linux and Windows nodes.

The use of the very same approach was successful before on a Linux machine (pure Linux cluster).

Could it be related to the SDK version? Could it be something different in the cluster? Does anyone know how I could retrieve a list of the authorisations for any specific ServiceAccount?

You can check a specific permission of a service account in a specific namespace using the command below:

kubectl auth can-i get pods --as=system:serviceaccount:mynamespace:default -n mynamespace

If the above command returns no, that means the service account does not have the right RBAC.

To list all permissions of a service account, use

kubectl auth can-i --list --as=system:serviceaccount:mynamespace:default

To know more, use kubectl auth can-i -h
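To act on that output programmatically, here is an added Python example (not part of the answer above) that parses the table printed by kubectl auth can-i --list, checks whether the get/list grants on pods and namespaces from the question's ClusterRole are present, and flags wildcard grants such as the '*' resource on metrics.k8s.io. The sample output is constructed to match that ClusterRole, not captured from a real cluster.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample of `kubectl auth can-i --list --as=system:serviceaccount:mynamespace:default`
SAMPLE_OUTPUT = """\
Resources                                       Non-Resource URLs   Resource Names   Verbs
selfsubjectaccessreviews.authorization.k8s.io   []                  []               [create]
namespaces                                      []                  []               [get list]
pods                                            []                  []               [get list]
*.metrics.k8s.io                                []                  []               [get list]
                                                [/api/*]            []               [get]
"""

# One table row: an optional resource, then three bracketed, space-separated lists.
ROW = re.compile(r"^(\S*)\s*\[(.*?)\]\s+\[(.*?)\]\s+\[(.*?)\]\s*$")


class Rule(NamedTuple):
    resource: str               # "pods", "*.metrics.k8s.io", or "" for non-resource URLs
    non_resource_urls: List[str]
    resource_names: List[str]
    verbs: List[str]


def parse_can_i_list(text: str) -> List[Rule]:
    """Parse the `kubectl auth can-i --list` table; the header row has no brackets and is skipped."""
    rules = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            res, urls, names, verbs = m.groups()
            rules.append(Rule(res, urls.split(), names.split(), verbs.split()))
    return rules


def can(rules: List[Rule], verb: str, resource: str, group: str = "") -> bool:
    """True if any rule grants `verb` on `resource` in API `group` ("" is the core group)."""
    for r in rules:
        # "pods" -> ("pods", "", ""); "*.metrics.k8s.io" -> ("*", ".", "metrics.k8s.io")
        name, _, rgroup = r.resource.partition(".")
        if name in ("*", resource) and rgroup in ("*", group) and ("*" in r.verbs or verb in r.verbs):
            return True
    return False


def missing_grants(rules: List[Rule], required: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (verb, resource, group) triples the service account is NOT allowed."""
    return [req for req in required if not can(rules, *req)]


def wildcard_grants(rules: List[Rule]) -> List[Rule]:
    """Rules worth a second look: '*' as the resource name, the API group, or a verb."""
    return [r for r in rules if "*" in r.resource.partition(".") or "*" in r.verbs]
```

Feed it the real command output (for example via subprocess) to confirm that a 401 is not an RBAC problem before looking at client initialisation, as turned out to be the case here.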

The pod indeed had the necessary rights. The error was in the wrong initialisation of the api_client instance, which I performed separately by just calling client.Configuration().

I solved the problem by avoiding initialising the api_client instance myself, and importing it directly from client.CoreV1Api.
