如何使用k8s REST或fabric8 API对Google容器引擎kubernetes API服务器进行身份验证? [英] how to authenticate to google container engine kubernetes API server using either k8s REST or fabric8 API?
问题描述
我正在尝试编写一种服务,以在Kubernetes集群中生成基于容器的应用程序.我想对 以Google容器引擎为基准;但是,我很难弄清楚 了解如何使我的REST客户端通过k8s API服务器(主服务器)进行身份验证.
I'm trying to write a service that spawns container based applications within a Kubernetes cluster. I'd like to do some testing against Google Container Engine as a baseline; however, I am having trouble figuring out how to get my REST client to authenticate with the k8s API server (the master).
我在这里遇到了一个很好的提示: http://www.scriptscoop.net/t/9c6a16719a43/google-container-engine-rest-api-authorization.html
I came across a good hint here: http://www.scriptscoop.net/t/9c6a16719a43/google-container-engine-rest-api-authorization.html
作者说:我知道OAuth可以[针对Google容器引擎]工作",而且听起来不错.因此,我正在考虑尝试使用oauth(我猜是oauth2.)但是,反复试验比通过使用一些可对Google Container Engine起作用的有效代码进行改编要花更多的时间. k8s REST或fabric8 API.
The author says "I know that OAuth works [against Google Container Engine]", and they sound knowledgable. So, I'm thinking of trying oauth (I guess oauth2.) However, trial and error will take me a lot longer than adapting from some working code that works against Google Container Engine via either the k8s REST or fabric8 API.
如果任何人都可以给我提供此类代码的指针,甚至是对此类代码的讨论,我将非常感谢!谢谢/chris
If anyone can give me a pointer to such code, or even discussions of such code, I'd appreciate it very much ! thanks /chris
推荐答案
Kubernetes apiserver尚不能与OAuth配合使用,因此您将需要使用一种受支持的身份验证机制(http基本身份验证,承载令牌身份验证或客户端证书).
The Kubernetes apiserver doesn't (yet) work with OAuth, so you will need to use one of the supported authentication mechanisms (http basic auth, bearer token auth, or client certificates) when making API requests.
每个Pod都有一个自动应用的服务帐户,该帐户允许它使用承载令牌访问apiserver.请参阅我如何从pod容器中访问Kubernetes api?.
Every pod has a service account automatically applied that allows it to access the apiserver using a bearer token. See How do I access the Kubernetes api from within a pod container?.
使用服务帐户中的凭据,您可以部署将在系统中创建新对象的应用程序(pod,复制控制器等),以生成基于容器的应用程序.
With the credentials from the service account, you can deploy an application that will create new objects in the system (pods, replication controllers, etc) to spawn container based applications.
这篇关于如何使用k8s REST或fabric8 API对Google容器引擎kubernetes API服务器进行身份验证?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
