0

我的 lisNamespaces.py 文件

from __future__ import print_function
import time
import kubernetes.client
from kubernetes.client.rest import ApiException

configuration = kubernetes.client.Configuration()
configuration.ssl_ca_cert = 'LS0XXXXXXXXXS0tLQo='
configuration.api_key['authorization'] = 'ZXXXXXXXXXXdw=='
configuration.api_key_prefix['authorization'] = 'Bearer'
configuration.host = 'https://aaaaaaaaaaaaaaa.gr7.us-east-1.eks.amazonaws.com'
#configuration.verify_ssl = False


api_instance = kubernetes.client.CoreV1Api(kubernetes.client.ApiClient(configuration))
api_response = api_instance.list_namespace()
for i in api_response.items:
    print(i.metadata.name)

对于ssl_ca_cert值,我做了kubectl edit secret nameofsa-token-xyze -n default并使用了 ca.crt 值。用户具有集群级别的管理员权限

对于不记名令牌,我使用了相同的用户令牌。

如果我通过设置我的代码来禁用 ssl 验证configuration.verify_ssl = False工作正常但有警告。

我想知道我在这里通过 ssl_ca_cert 时犯了什么错误。请帮我解决一下这个。

4

2 回答 2

2

我犯的错误是将我直接从代码中获得的ca.crt的数据传递给代码。kubectl edit secret nameofsa-token-xyze -n defaultconfiguration.ssl_ca_cert

相反,应该做的是使用base64 --decode我从上面的命令(kubectl edit secret nameofsa-token-xyze -n default)获得的数据解码,这就是我的做法。

kubectl get secrets default-token-nqkdv -n default -o jsonpath='{.data.ca\.crt}' | base64 --decode > ca.crt.

然后我需要在代码中传递 ca.crt 文件的路径,所以最终代码如下所示

from __future__ import print_function
import time
import kubernetes.client
from kubernetes.client.rest import ApiException

configuration = kubernetes.client.Configuration()
configuration.ssl_ca_cert = 'ca.crt'
configuration.api_key['authorization'] = 'ZXXXXXXXXXXdw=='
configuration.api_key_prefix['authorization'] = 'Bearer'
configuration.host = 'https://aaaaaaaaaaaaaaa.gr7.us-east-1.eks.amazonaws.com'

api_instance = kubernetes.client.CoreV1Api(kubernetes.client.ApiClient(configuration))
api_response = api_instance.list_namespace()
for i in api_response.items:
    print(i.metadata.name)
于 2019-07-23T11:48:28.937 回答
0

您可以使用基本请求测试令牌:

import requests

with open('/path/to/token', 'r') as token_file:
    token=token_file.read()

url = 'https://my-kubernetes-cluster'

headers = {"Authorization":"Bearer "+token}

r = requests.get(url, verify='/path/to/ca_chain.crt', headers=headers)

for line in r.iter_lines():
    print line

如果请求通过,您可以测试此代码:

from kubernetes import client
from kubernetes.client import Configuration, ApiClient
config = Configuration()
config.api_key = {'authorization': 'Bearer <api_key>'}
config.host = 'https://my-kubernetes-cluster'
config.ssl_ca_cert = "/path/to/ca_chain.crt"

api_client = ApiClient(configuration=config)
v1 = client.CoreV1Api(api_client)

v1.list_pod_for_all_namespaces(watch=False)

尝试让我知道它是否适合您。

于 2019-07-23T08:49:59.990 回答