k8s API Access through python inside the pod
I need to get resource details from inside a pod and perform some actions based on the result. I am using the k8s Python client inside the pod. Even after adding the Role/RoleBinding I am getting forbidden.
I have created the ServiceAccount/Role/RoleBinding as shown below.
Can anyone help me with this issue?
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myaccount
  namespace: dev
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: pods-reader-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-controller
  namespace: dev
subjects:
- kind: ServiceAccount
  name: myaccount
  apiGroup: ""
roleRef:
  kind: Role
  name: pods-reader-role
  apiGroup: ""
Listing pods with their IPs:
Traceback (most recent call last):
  File "/opt/scripts/bin/PodCont.py", line 792, in <module>
    main()
  File "/opt/scripts/bin/PodCont.py", line 596, in main
    ret = v1.list_pod_for_all_namespaces(watch=False)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api/core_v1_api.py", line 16864, in list_pod_for_all_namespaces
    return self.list_pod_for_all_namespaces_with_http_info(**kwargs)  # noqa: E501
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api/core_v1_api.py", line 16981, in list_pod_for_all_namespaces_with_http_info
    collection_formats=collection_formats)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 353, in call_api
    _preload_content, _request_timeout, _host)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 184, in __call_api
    _request_timeout=_request_timeout)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 377, in request
    headers=headers)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 243, in GET
    query_params=query_params)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 233, in request
    raise ApiException(http_resp=r)
kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Mon, 05 Apr 2021 09:47:13 GMT', 'Content-Length': '285'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:dev:deploy-svc-account\" cannot list resource \"pods\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}
Answering this question, I think there are a few points to consider:
Service account of the Pod
Without a minimal reproducible example, we can at best assume how exactly you configured your setup.
The YAML manifest you included is not properly indented. A correct manifest should look like this:
full.yaml:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myaccount
  namespace: dev
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: pods-reader-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-controller
  namespace: dev
subjects:
- kind: ServiceAccount
  name: myaccount
  apiGroup: ""
roleRef:
  kind: Role
  name: pods-reader-role
  apiGroup: ""
A side note!
Consider creating a more restrictive Role for your use case, as this one allows all operations in the dev namespace.
Service account of the Pod
The potential issue here is that you created a serviceAccount named myaccount, while the Pod is trying to authenticate as deploy-svc-account (User "system:serviceaccount:dev:deploy-svc-account" cannot list resource).
Please make sure the Pod runs with the correct serviceAccount.
例子:
apiVersion: v1
kind: Pod
metadata:
name: sdk
namespace: dev
spec:
serviceAccountName: myaccount # <-- IMPORTANT
containers:
- image: google/cloud-sdk
command:
- sleep
- "infinity"
imagePullPolicy: IfNotPresent
name: sdk
restartPolicy: Always
Assuming you used the code from the Kubernetes Python API library documentation page ("Listing pods with their IPs:"), there are 2 topics to consider here:
Quoting the official documentation:
A Role always sets permissions within a particular namespace; when you create a Role, you have to specify the namespace it belongs in.
The permissions you assigned with the Role and RoleBinding apply only to the dev namespace. If you want full cluster scope, you need to create a ClusterRole and a ClusterRoleBinding.
I encourage you to check the documentation referenced in the quote, as it has examples to look at and a lot of explanation on this.
Also, a word about the Python code:
from kubernetes import client, config

# Configs can be set in Configuration class directly or using helper utility
config.load_incluster_config()

v1 = client.CoreV1Api()
print("Listing pods with their IPs:")
ret = v1.list_pod_for_all_namespaces(watch=False)
for i in ret.items:
    print("%s\t%s\t%s" % (i.status.pod_ip, i.metadata.namespace, i.metadata.name))
Focus on:
ret = v1.list_pod_for_all_namespaces(watch=False)
This code queries Pods from all namespaces, which is why you also get the error cannot list resource "pods" in API group "" at the cluster scope.
To list Pods in a specific namespace, you can use:
ret = v1.list_namespaced_pod(namespace="dev", watch=False)
With that you should be able to get:
python3 program.py:
Listing pods with their IPs:
10.32.0.15 dev sdk
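As an added example (not code from the question or the answer above), the following Python script ties the two findings of the answer together from inside the pod: it reads which service account the mounted token really belongs to, asks the API server with a SelfSubjectAccessReview whether `list pods` is allowed at cluster scope before calling `list_pod_for_all_namespaces`, falls back to the pod's own namespace otherwise, and turns the apiserver's Forbidden message into the two checks the answer describes (wrong service account, Role scope vs. cluster scope). It assumes the standard token mount under /var/run/secrets/kubernetes.io/serviceaccount and the `kubernetes` client for the live part; the sample 403 body and the unsigned token are constructed test inputs, and the names myaccount and dev are taken from the question.

```python
"""Diagnose an in-cluster 403 and list pods at the scope the pod is allowed to.

Added example; not code from the question or answer. The live part assumes the
default service-account token mount and the `kubernetes` client. SAMPLE_403_BODY
and make_unsigned_token() are constructed test inputs, not captured data.
"""
import base64
import json
import re

TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"
NAMESPACE_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"

# Shape of the RBAC authorizer's Forbidden message, as seen in the traceback above.
FORBIDDEN_RE = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa_name>[^"]+)" '
    r'cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")')

# Constructed copy of the 403 body from the question (only the message matters).
SAMPLE_403_BODY = json.dumps({
    "kind": "Status", "apiVersion": "v1", "status": "Failure", "code": 403,
    "reason": "Forbidden", "details": {"kind": "pods"},
    "message": 'pods is forbidden: User "system:serviceaccount:dev:deploy-svc-account" '
               'cannot list resource "pods" in API group "" at the cluster scope'})


def make_unsigned_token(namespace, name):
    """Constructed, unsigned JWT shaped like a service-account token (test input only)."""
    def seg(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    sub = "system:serviceaccount:%s:%s" % (namespace, name)
    return "%s.%s.%s" % (seg({"alg": "none"}), seg({"sub": sub}), "unsigned")


def identity_from_token(jwt):
    """Report which service account the pod authenticates as (sub=system:serviceaccount:<ns>:<name>).

    The signature is deliberately not checked: this is our own token, read only
    to print identity, never to authorize anything.
    """
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # JWT segments drop base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    _, kind, ns, name = claims["sub"].split(":", 3)
    if kind != "serviceaccount":
        raise ValueError("not a service-account token: %s" % claims["sub"])
    return {"namespace": ns, "name": name}


def parse_forbidden(body):
    """Extract subject, verb, resource and scope from a 403 Status body."""
    status = json.loads(body)
    m = FORBIDDEN_RE.search(status.get("message", ""))
    if status.get("code") != 403 or m is None:
        raise ValueError("not an RBAC Forbidden status: %r" % status.get("message"))
    info = m.groupdict()
    info["cluster_scope"] = info["namespace"] is None
    return info


def diagnose(forbidden, expected_sa, role_namespace):
    """Explain why a namespaced Role/RoleBinding did not cover the failing call."""
    findings = []
    if forbidden["sa_name"] != expected_sa:
        findings.append("pod authenticates as %s but the RoleBinding subject is %s; "
                        "set spec.serviceAccountName" % (forbidden["sa_name"], expected_sa))
    if forbidden["cluster_scope"]:
        findings.append("call was cluster-scoped, but a Role only grants inside %s; use a "
                        "namespaced call or a ClusterRole + ClusterRoleBinding" % role_namespace)
    elif forbidden["namespace"] != role_namespace:
        findings.append("call targeted namespace %s, the Role lives in %s"
                        % (forbidden["namespace"], role_namespace))
    return findings


def main(expected_sa="myaccount"):
    """Live path (needs a cluster): check permission first, then list, else diagnose."""
    from kubernetes import client, config  # imported here so the helpers run offline
    from kubernetes.client.exceptions import ApiException
    config.load_incluster_config()
    me = identity_from_token(open(TOKEN_PATH).read().strip())
    ns = open(NAMESPACE_PATH).read().strip()
    print("running as serviceaccount %s/%s" % (me["namespace"], me["name"]))
    authz, v1 = client.AuthorizationV1Api(), client.CoreV1Api()

    def can(verb, resource, namespace=None):  # namespace=None asks about cluster scope
        attrs = client.V1ResourceAttributes(verb=verb, resource=resource, namespace=namespace)
        spec = client.V1SelfSubjectAccessReviewSpec(resource_attributes=attrs)
        review = client.V1SelfSubjectAccessReview(spec=spec)
        return authz.create_self_subject_access_review(body=review).status.allowed

    try:
        if can("list", "pods"):
            ret = v1.list_pod_for_all_namespaces(watch=False)
        else:  # a Role in our namespace is enough for this call
            ret = v1.list_namespaced_pod(namespace=ns, watch=False)
        for i in ret.items:
            print("%s\t%s\t%s" % (i.status.pod_ip, i.metadata.namespace, i.metadata.name))
    except ApiException as e:
        if e.status != 403:
            raise
        for finding in diagnose(parse_forbidden(e.body), expected_sa, ns):
            print("403 from apiserver:", finding)
```

Call main() inside the pod; parse_forbidden(), identity_from_token() and diagnose() run anywhere without a cluster. A SelfSubjectAccessReview only reports what RBAC currently allows, so it does not replace tightening the Role itself: for this use case get/list/watch on pods is enough, and the `*`/`*`/`*` rule from the question should not ship.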