Kubernetes python client: authentication issue


Problem description

We are using the kubernetes python client (4.0.0) in combination with google's kubernetes engine (master + nodepools run k8s 1.8.4) to periodically schedule workloads on kubernetes. The simplified version of the script we use to create the pod, attach to the logs and report the end status of the pod looks as follows:

import logging
from kubernetes import client, config

# pod_specs_dict, pod_name and args (with .namespace) are set up earlier in the full script
config.load_kube_config(persist_config=False)
v1 = client.CoreV1Api()
v1.create_namespaced_pod(body=pod_specs_dict, namespace=args.namespace)
# Stream the log instead of pre-loading it, so lines are consumed as they arrive
logging_response = v1.read_namespaced_pod_log(
    name=pod_name,
    namespace=args.namespace,
    follow=True,
    _preload_content=False
)
for line in logging_response:
    line = line.rstrip()
    logging.info(line)
status_response = v1.read_namespaced_pod_status(pod_name, namespace=args.namespace)
print("Pod ended in status: {}".format(status_response.status.phase))

Everything works pretty fine, however we are experiencing some authentication issues. Authentication happens through the default gcp auth-provider, for which I obtained the initial access token by running a kubectl container cluster get-credentials manually on the scheduler. At some random timeframes, some API calls result in a 401 response from the API server. My guess is that this happens whenever the access token is expired, and the script tries to obtain a new access token. However it happens that multiple scripts are running concurrently on the scheduler, resulting in obtaining a new API key multiple times, of which only one is still valid. I tried out multiple ways to fix the issue (use persist_config=True, retry 401s after reloading the config, ...) without any success. As I am not completely aware how the gcp authentication and the kubernetes python client config work (and docs for both are rather scarce), I am a bit left in the dark.

Should we use another authentication method instead of the gcp auth-provider? Is this a bug in the kubernetes python client? Should we use multiple config files?

Accepted answer

In the end we have solved this by using bearer token authentication, instead of relying on the default gcloud authentication method.

Here are the steps that I did to achieve this.

First create a service account in the desired namespace, by creating a file with the following content.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: <name_of_service_account>

Then use this file to create the service account

kubectl create -f <path_to_file> --namespace=<namespace_name>

Each service account has a bearer token linked to it, which can be used for authentication. This bearer token is automatically mounted as a secret into the namespace. To find out what this token is, first find the name of the secret (it is of the form <service_account_name>-token-<random_string>) and then use that name to get to the content.

# To find the name of our service account's token secret
kubectl get secrets --namespace=<namespace_name>

# To show the secret, including the decoded token value
kubectl describe secret/<secret_name> --namespace=<namespace_name>

After this you should find out the ip address of the API server, and the Cluster CA certificate of the kubernetes cluster. This can be done by going to the kubernetes engine detail page on google cloud console. Copy the content of the certificate into a local file.

You can now use the bearer token to authenticate via the kubernetes python client, as follows:

from kubernetes import client

configuration = client.Configuration()
# Sent as "Authorization: Bearer <bearer_token>" on every request
configuration.api_key["authorization"] = '<bearer_token>'
configuration.api_key_prefix['authorization'] = 'Bearer'
configuration.host = 'https://<ip_of_api_server>'
# Cluster CA so the API server's TLS certificate is verified rather than trusted blindly
configuration.ssl_ca_cert = '<path_to_cluster_ca_certificate>'

v1 = client.CoreV1Api(client.ApiClient(configuration))
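Instead of copying the token out of `kubectl describe` by hand, the secret can be read as JSON and the token and CA extracted programmatically, with a sanity check that the token's claims name the service account and namespace you just created. This is an added example, not part of the original answer; the secret JSON and the JWT inside it are constructed samples with the claim names the API server puts in legacy service-account tokens, and the signature is fake (the API server, not this code, verifies it). The resulting token and CA file are what go into `configuration.api_key` and `configuration.ssl_ca_cert` above.

```python
import base64
import json

# Constructed sample of `kubectl get secret <secret_name> -o json` for a
# service-account token secret (not real cluster data).
_HEADER = {"alg": "RS256", "kid": "example-kid"}
_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "jobs",
    "kubernetes.io/serviceaccount/service-account.name": "scheduler",
    "sub": "system:serviceaccount:jobs:scheduler",
}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps(_HEADER).encode()),
    _b64url(json.dumps(_CLAIMS).encode()),
    _b64url(b"fake-signature-bytes"),   # constructed, not a valid signature
])
SAMPLE_SECRET_JSON = json.dumps({
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "data": {   # .data values are base64-encoded, as kubectl prints them
        "token": base64.b64encode(SAMPLE_TOKEN.encode()).decode(),
        "ca.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder\n-----END CERTIFICATE-----\n").decode(),
    },
})

def extract_token_and_ca(secret_json: str):
    """Return (bearer_token, ca_pem_bytes) from a service-account token secret."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account token secret")
    data = secret["data"]
    return base64.b64decode(data["token"]).decode(), base64.b64decode(data["ca.crt"])

def token_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature; local sanity check only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("bearer token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_matches(token: str, namespace: str, sa_name: str) -> bool:
    """Check the token really belongs to the service account we created."""
    claims = token_claims(token)
    return (claims.get("kubernetes.io/serviceaccount/namespace") == namespace
            and claims.get("kubernetes.io/serviceaccount/service-account.name") == sa_name
            and claims.get("sub") == f"system:serviceaccount:{namespace}:{sa_name}")
```

Write the returned CA bytes to a file for `ssl_ca_cert`, and keep the token out of source code and logs; reading it from the secret at startup (or from a file with restricted permissions) avoids the hard-coded literal shown above.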
