Question
My lisNamespaces.py file:

    from __future__ import print_function
    import time
    import kubernetes.client
    from kubernetes.client.rest import ApiException

    configuration = kubernetes.client.Configuration()
    # ca.crt value copied as-is from the secret
    configuration.ssl_ca_cert = 'LS0XXXXXXXXXS0tLQo='
    configuration.api_key['authorization'] = 'ZXXXXXXXXXXdw=='
    configuration.api_key_prefix['authorization'] = 'Bearer'
    configuration.host = 'https://aaaaaaaaaaaaaaa.gr7.us-east-1.eks.amazonaws.com'
    #configuration.verify_ssl = False

    api_instance = kubernetes.client.CoreV1Api(kubernetes.client.ApiClient(configuration))
    api_response = api_instance.list_namespace()
    for i in api_response.items:
        print(i.metadata.name)

For the ssl_ca_cert value I did kubectl edit secret nameofsa-token-xyze -n default and used the ca.crt value. The user has cluster-level admin permissions.
For the bearer token I have used the same user TOKEN.
If I disable SSL verification by setting configuration.verify_ssl = False, my code works fine but with a warning.
I want to know what mistake I am making here in passing ssl_ca_cert. Please help me with this.

Answer 1:
The mistake I made was to pass the data of ca.crt, which I got from kubectl edit secret nameofsa-token-xyze -n default, directly to configuration.ssl_ca_cert in the code.

Instead, what should be done is to decode the data that I got from the above command (kubectl edit secret nameofsa-token-xyze -n default) using base64 --decode. This is how I did it:

    kubectl get secrets default-token-nqkdv -n default -o jsonpath='{.data.ca\.crt}' | base64 --decode > ca.crt

Then I need to pass the path of the ca.crt file in the code, so the final code looks like below:

    from __future__ import print_function
    import time
    import kubernetes.client
    from kubernetes.client.rest import ApiException

    configuration = kubernetes.client.Configuration()
    # path to the decoded PEM file, not the base64 data itself
    configuration.ssl_ca_cert = 'ca.crt'
    configuration.api_key['authorization'] = 'ZXXXXXXXXXXdw=='
    configuration.api_key_prefix['authorization'] = 'Bearer'
    configuration.host = 'https://aaaaaaaaaaaaaaa.gr7.us-east-1.eks.amazonaws.com'

    api_instance = kubernetes.client.CoreV1Api(kubernetes.client.ApiClient(configuration))
    api_response = api_instance.list_namespace()
    for i in api_response.items:
        print(i.metadata.name)

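
An added example, not part of the original answers: a helper that generalizes the base64 --decode step by accepting a file path, PEM text, or the base64 string from the Secret's data field, and returning a file path to assign to configuration.ssl_ca_cert. The names ca_file_for_client and count_pem_certs are hypothetical, the sample certificate is constructed placeholder data, and the check is structural only (no X.509 parsing).

```python
import base64
import binascii
import os
import re
import tempfile

# Matches one PEM certificate block and captures its base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----")

def count_pem_certs(text):
    """Count well-formed PEM certificate blocks (structure only)."""
    count = 0
    for body in PEM_BLOCK.findall(text):
        base64.b64decode("".join(body.split()), validate=True)
        count += 1
    return count

def ca_file_for_client(value, out_dir=None):
    """Return a path to a PEM file, suitable for Configuration.ssl_ca_cert.

    value: a PEM file path, PEM text, or the base64 string from .data["ca.crt"].
    """
    if os.path.isfile(value):
        with open(value) as fh:
            if count_pem_certs(fh.read()):
                return value
        raise ValueError("file exists but holds no PEM certificate: " + value)
    pem = value
    if "-----BEGIN CERTIFICATE-----" not in pem:
        try:  # Secret data is base64 of the PEM text, so decode it once
            raw = base64.b64decode("".join(value.split()), validate=True)
            pem = raw.decode("ascii")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("not a file, PEM text, or base64 PEM") from exc
    if not count_pem_certs(pem):
        raise ValueError("decoded data holds no PEM certificate")
    fd, path = tempfile.mkstemp(suffix=".crt", dir=out_dir)
    with os.fdopen(fd, "w") as fh:  # mkstemp creates the file with mode 0600
        fh.write(pem)
    return path

# Constructed sample: placeholder bytes, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"0" + b"constructed-placeholder" * 3).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_SECRET_DATA = base64.b64encode(SAMPLE_PEM.encode()).decode()
```
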
Answer 2:
You can test the token with a basic request:

    import requests

    with open('/path/to/token', 'r') as token_file:
        # strip the trailing newline so the header value is valid
        token = token_file.read().strip()
    url = 'https://my-kubernetes-cluster'
    headers = {"Authorization": "Bearer " + token}
    # verify= points requests at the CA chain file used to check the server certificate
    r = requests.get(url, verify='/path/to/ca_chain.crt', headers=headers)
    for line in r.iter_lines():
        print(line)

If the request goes through you can test this code:

    from kubernetes import client
    from kubernetes.client import Configuration, ApiClient

    config = Configuration()
    config.api_key = {'authorization': 'Bearer <api_key>'}
    config.host = 'https://my-kubernetes-cluster'
    config.ssl_ca_cert = "/path/to/ca_chain.crt"
    api_client = ApiClient(configuration=config)
    v1 = client.CoreV1Api(api_client)
    v1.list_pod_for_all_namespaces(watch=False)

Try and let me know if it works for you.
Source: https://stackoverflow.com/questions/57158867/having-problem-in-authenticating-kubernetes-python-client