问题
Objective
I want to connect to and call Kubernetes REST APIs from inside a running pod, the Kubernetes in question is an AWS EKS cluster using IAM authentication. All of this using Kubernetes Python lib.
What I have tried
From inside my python file:
from kubernetes import client, config
config.load_incluster_config()
v1 = client.CoreV1Api()
ret = v1.list_pod_for_all_namespaces(watch=False)
The above command throws a 403 error, This I believe is due to the different auth mechanism that AWS EKS uses.
What I already know works
ApiToken = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.xxx.yyy'
configuration = client.Configuration()
configuration.host = 'https://abc.sk1.us-east-1.eks.amazonaws.com'
configuration.verify_ssl = False
configuration.debug = True
configuration.api_key = {"authorization": "Bearer " + ApiToken}
client.Configuration.set_default(configuration)
While the above works, I have to hardcode a token that I generate locally via kubectl and check it into the code which is a security risk.
Is there a more proper way to authenticate the Kubernetes python lib with AWS EKS?
回答1:
You can use the following method to get the token. This assumes that you have successfully installed and configured aws-iam-authenticator on your pod/server/laptop.
def get_token(cluster_name):
args = ("/usr/local/bin/aws-iam-authenticator", "token", "-i", cluster_name, "--token-only")
popen = subprocess.Popen(args, stdout=subprocess.PIPE)
popen.wait()
return popen.stdout.read().rstrip()
api_token = get_token("<cluster_name>")
configuration = client.Configuration()
configuration.host = '<api_endpoint>'
configuration.verify_ssl = False
configuration.debug = True
configuration.api_key['authorization'] = "Bearer " + api_token
configuration.assert_hostname = True
configuration.verify_ssl = False
client.Configuration.set_default(configuration)
v1 = client.CoreV1Api()
ret = v1.list_pod_for_all_namespaces(watch=False)
print ret
There is an PR for kubernetes-client/python-base that adds support for exec plugins, Attempt to implement exec-plugins support in kubeconfig.
来源:https://stackoverflow.com/questions/52586181/aws-eks-authenticate-kubernetes-python-lib-from-inside-a-pod