
k8s API access through Python inside the pod

I need to get resource details from inside a pod and perform some actions based on the result. I am using the k8s Python client inside the pod. After the role/rolebinding, I am getting forbidden.

I have created the ServiceAccount/Role/RoleBinding as shown below.

Can anyone help me with this issue.

apiVersion: v1
kind: ServiceAccount
metadata:
name: myaccount
namespace: dev
          
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: dev
name: pods-reader-role
rules:
-apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: pod-controller
namespace: dev
subjects:
- kind: ServiceAccount
name: myaccount
apiGroup: ""
roleRef:
kind: Role
name: pods-reader-role
apiGroup: ""


Listing pods with their IPs:
Traceback (most recent call last):
  File "/opt/scripts/bin/PodCont.py", line 792, in <module>
    main()
  File "/opt/scripts/bin/PodCont.py", line 596, in main
    ret = v1.list_pod_for_all_namespaces(watch=False)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api/core_v1_api.py", line 16864, in list_pod_for_all_namespaces
    return self.list_pod_for_all_namespaces_with_http_info(**kwargs)  # noqa: E501
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api/core_v1_api.py", line 16981, in list_pod_for_all_namespaces_with_http_info
    collection_formats=collection_formats)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 353, in call_api
    _preload_content, _request_timeout, _host)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 184, in __call_api
    _request_timeout=_request_timeout)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 377, in request
    headers=headers)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 243, in GET
    query_params=query_params)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 233, in request
    raise ApiException(http_resp=r)
kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Mon, 05 Apr 2021 09:47:13 GMT', 'Content-Length': '285'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:dev:deploy-svc-account\" cannot list resource \"pods\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}

Answering this question, I think there are a few things to consider:

  • Indentation
  • The ServiceAccount the Pod runs with
  • The Python code and the access scope

Since there is no minimal reproducible example, the most we can do is make assumptions about how exactly you configured your setup.


Indentation

The YAML manifests you included are not indented correctly. A correct manifest should look like this:

  • full.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myaccount
  namespace: dev
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: pods-reader-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-controller
  namespace: dev
subjects:
- kind: ServiceAccount
  name: myaccount
  apiGroup: ""   # ServiceAccount subjects live in the core ("") API group
roleRef:
  kind: Role
  name: pods-reader-role
  apiGroup: rbac.authorization.k8s.io   # roleRef must name the RBAC group; "" is rejected by validation

Side note!

Consider creating a more restrictive Role for your use case, as this one allows every operation in the dev namespace.


The ServiceAccount the Pod runs with

The underlying issue here is that you created a ServiceAccount named myaccount, but the Pod is trying to authenticate as deploy-svc-account: User \"system:serviceaccount:dev:deploy-svc-account\" cannot list resource

Please make sure to use the correct ServiceAccount to run the Pod.

Example:

apiVersion: v1
kind: Pod
metadata:
  name: sdk
  namespace: dev
spec:
  serviceAccountName: myaccount # <-- IMPORTANT
  containers:
  - image: google/cloud-sdk
    command:
      - sleep
      - "infinity"
    imagePullPolicy: IfNotPresent
    name: sdk
  restartPolicy: Always

The Python code and the access scope

Assuming you used the code from the Kubernetes Python API library documentation page ("Listing pods with their IPs:")

There are 2 topics to consider here:

  • Access scope
  • The resource being queried

Quoting the official documentation:

A Role always sets permissions within a particular namespace; when you create a Role, you have to specify the namespace it belongs in.

Kubernetes.io: Docs: Reference: RBAC: Role and ClusterRole

The permissions assigned by your Role and RoleBinding apply only to the dev namespace. If you want full cluster scope, you would need to create a ClusterRole and a ClusterRoleBinding.

I encourage you to check the documentation included in the quote, as it has some examples to reference and a lot of explanation on this.

Also, a word about the Python code:

from kubernetes import client, config

# Configs can be set in Configuration class directly or using helper utility
config.load_incluster_config()

v1 = client.CoreV1Api()
print("Listing pods with their IPs:")
ret = v1.list_pod_for_all_namespaces(watch=False)
for i in ret.items:
    print("%s\t%s\t%s" % (i.status.pod_ip, i.metadata.namespace, i.metadata.name))

Focus on:

ret = v1.list_pod_for_all_namespaces(watch=False)

This code queries Pods from all namespaces, which is also why you received the error cannot list resource \"pods\" in API group \"\" at the cluster scope"

To list Pods in a specific namespace, you can use:

ret = v1.list_namespaced_pod(namespace="dev", watch=False)

With that you should be able to get:

  • python3 program.py
Listing pods with their IPs:
10.32.0.15  dev sdk
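As an added example (my code, not part of the question or the answer above), here is how I would write the in-pod script so that it scopes the query to the pod's own namespace, asks the API server up front whether the identity it actually runs as may list pods there (a SelfSubjectAccessReview), and, if a 403 still comes back, parses the Status body to report which service account was used and at what scope. It assumes the kubernetes Python package, in-cluster configuration, and the standard projected service-account mount under /var/run/secrets/kubernetes.io/serviceaccount. The sample 403 body is the one from the question, embedded as a constructed test input; the helper names are mine.

```python
import json
import os
import re
from typing import Optional

# Standard projected service-account mount inside a pod (token, ca.crt, namespace).
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

# Shape of the API server's RBAC denial message; the final alternative covers
# namespaced denials ("in the namespace X") and cluster-scoped ones.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:in the namespace "(?P<namespace>[^"]+)"|at the cluster scope)'
)

# Constructed sample: the 403 body from the question, used offline by the tests.
SAMPLE_403_BODY = (
    r'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure",'
    r'"message":"pods is forbidden: User \"system:serviceaccount:dev:deploy-svc-account\" '
    r'cannot list resource \"pods\" in API group \"\" at the cluster scope",'
    r'"reason":"Forbidden","details":{"kind":"pods"},"code":403}'
)


def parse_forbidden(body: str) -> dict:
    """Break a 403 Status body into user/verb/resource/group/scope.

    scope is the namespace name for a namespaced denial, or "cluster" when the
    request was made at the cluster scope (e.g. list_pod_for_all_namespaces).
    """
    try:
        message = json.loads(body).get("message", "")
    except (ValueError, AttributeError):
        message = str(body)
    match = FORBIDDEN_RE.search(message)
    if not match:
        return {"raw": message}
    parts = match.groupdict()
    parts["scope"] = parts.pop("namespace") or "cluster"
    return parts


def own_namespace(sa_dir: str = SA_DIR, default: str = "default") -> str:
    """Namespace this pod runs in, read from the projected mount; falls back to
    `default` when not running in a pod (e.g. during local tests)."""
    try:
        with open(os.path.join(sa_dir, "namespace"), encoding="utf-8") as fh:
            return fh.read().strip() or default
    except OSError:
        return default


def can_i(verb: str, resource: str, namespace: Optional[str] = None) -> bool:
    """Ask the API server whether the identity we run as may `verb` `resource`
    (SelfSubjectAccessReview); namespace=None asks at the cluster scope."""
    # Imported here so the parsing helpers above stay usable without the client.
    from kubernetes import client, config

    config.load_incluster_config()
    review = client.V1SelfSubjectAccessReview(
        spec=client.V1SelfSubjectAccessReviewSpec(
            resource_attributes=client.V1ResourceAttributes(
                verb=verb, resource=resource, namespace=namespace
            )
        )
    )
    result = client.AuthorizationV1Api().create_self_subject_access_review(review)
    return bool(result.status.allowed)


def list_pods(namespace: str) -> list:
    """List (pod_ip, namespace, name) in one namespace, which is all a Role-bound
    ServiceAccount can be allowed to see; name the identity if a 403 comes back."""
    from kubernetes import client, config
    from kubernetes.client.exceptions import ApiException

    config.load_incluster_config()
    try:
        ret = client.CoreV1Api().list_namespaced_pod(namespace=namespace, watch=False)
    except ApiException as exc:
        if exc.status == 403:
            who = parse_forbidden(exc.body)
            raise SystemExit(
                f"403 as {who.get('user')}: cannot {who.get('verb')} {who.get('resource')} "
                f"(scope: {who.get('scope')}); check the pod's serviceAccountName and "
                "the RoleBinding subjects"
            ) from exc
        raise
    return [(p.status.pod_ip, p.metadata.namespace, p.metadata.name) for p in ret.items]


if __name__ == "__main__":
    ns = own_namespace()
    if not can_i("list", "pods", ns):
        raise SystemExit(f"this identity may not list pods in namespace {ns}")
    print("Listing pods with their IPs:")
    for ip, pod_ns, name in list_pods(ns):
        print(f"{ip}\t{pod_ns}\t{name}")
```

The access review is the same check `kubectl auth can-i` performs, but done as the pod's own identity, so it catches the mismatch in the question (bound myaccount, running as deploy-svc-account) before any real request is made. The parser is what turns the 403 body into the two facts you need to fix RBAC: which service account was actually used, and whether the denial was at cluster scope (needs a ClusterRole/ClusterRoleBinding) or in a namespace (a Role/RoleBinding there suffices).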
