How to specify ca_bundle in Kubernetes Python client


Problem description

I am trying to use the Kubernetes Python client to connect to my Kubernetes cluster. The API is behind an SSL certificate signed by my CA. If I try to access any API, I get an SSL error about certificate verification failing.

I found a v1beta1_api_service_spec.py library that has a parameter for ca_bundle to verify the certificate, but the core_v1_api.py and api_client.py do not have parameter options for ca_bundle.

How do I pass the CA certificate so I can access the API over HTTPS?

Based on Matthew's pointer, I was able to figure out the problem. Initially, I was using the Kubernetes config module to load the configuration from the ~/.kube/config file.

from kubernetes import client, config
config.load_kube_config()

This wasn't working on the client I was testing on, but kubectl was working from my PC, so I checked, and found that the .kube/config file did not specify the CA cert. I added it in, and then it worked.

apiVersion: v1
clusters:
- cluster:
    api-version: v1
    certificate-authority: /path/to/ca_chain.crt
    server: "https://my-kubernetes-cluster"
    ...

I also was able to figure out how to manually build the configuration if you do not want to create the .kube/config file on the host.

from kubernetes import client
from kubernetes.client import Configuration, ApiClient
config = Configuration()
config.api_key = {'authorization': 'Bearer <api_key>'}
config.host = 'https://my-kubernetes-cluster'
config.ssl_ca_cert = "/path/to/ca_chain.crt"

api_client = ApiClient(configuration=config)
v1 = client.CoreV1Api(api_client)

v1.list_pod_for_all_namespaces(watch=False)

Recommended answer

There appear to be two answers:

  1. the comment in RESTClientObject saying that they are using urllib3 and have a pointer to its documentation, meaning you could apparently make such a change at the level of the host OS
  2. RESTClientObject accepts kwargs related to SSL management, including the ability to switch off SSL verification, if that interests you. The configuration variable mentioned is passed directly from the ApiClient.__init__
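
An added example, not part of the original question or answer: a preflight check over a parsed kubeconfig that flags the two conditions discussed on this page, a cluster entry with no CA configured and one with TLS verification switched off. The function name `audit_cluster_tls`, the finding labels and the sample data are assumptions made for illustration; the kubeconfig is taken as an already parsed dict (for example from `yaml.safe_load`).

```python
import base64
import os

SERVER = "https://my-kubernetes-cluster"
# Constructed placeholder PEM, only used to exercise the inline-CA branch.
PEM = b"-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"

# Constructed sample input: what a parsed kubeconfig looks like as a dict.
SAMPLE_KUBECONFIG = {"clusters": [
    {"name": "no-ca", "cluster": {"server": SERVER}},
    {"name": "skip-verify",
     "cluster": {"server": SERVER, "insecure-skip-tls-verify": True}},
    {"name": "missing-file",
     "cluster": {"server": SERVER,
                 "certificate-authority": "/nonexistent/ca_chain.crt"}},
    {"name": "inline-ca",
     "cluster": {"server": SERVER,
                 "certificate-authority-data": base64.b64encode(PEM).decode()}},
]}


def audit_cluster_tls(kubeconfig, base_dir="."):
    """Return {cluster name: finding} for each cluster entry.

    base_dir is the directory of the kubeconfig file; relative
    certificate-authority paths are resolved against it.
    """
    findings = {}
    for entry in kubeconfig.get("clusters") or []:
        cluster = entry.get("cluster") or {}
        ca_file = cluster.get("certificate-authority")
        ca_data = cluster.get("certificate-authority-data")
        if cluster.get("insecure-skip-tls-verify"):
            finding = "tls-verification-disabled"
        elif ca_data:
            try:  # inline CA is base64-encoded PEM
                pem = base64.b64decode(ca_data, validate=True)
            except ValueError:
                pem = b""
            ok = b"-----BEGIN CERTIFICATE-----" in pem
            finding = "ok" if ok else "ca-data-not-pem"
        elif ca_file:
            path = os.path.join(base_dir, ca_file)
            finding = "ok" if os.path.isfile(path) else "ca-file-missing"
        else:
            # The case in the question: a server certificate signed by a
            # private CA cannot be verified without that CA.
            finding = "no-ca-configured"
        findings[entry.get("name", "<unnamed>")] = finding
    return findings
```

Running this before `config.load_kube_config()` turns an opaque certificate verification error into a named finding per cluster entry.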
