AWS EKS - Authenticate Kubernetes python lib from inside a pod


Problem description

I want to connect to and call Kubernetes REST APIs from inside a running pod; the Kubernetes in question is an AWS EKS cluster using IAM authentication. All of this using the Kubernetes Python lib.

From inside my python file:

from kubernetes import client, config

config.load_incluster_config()
v1 = client.CoreV1Api()
ret = v1.list_pod_for_all_namespaces(watch=False)

The above command throws a 403 error. This I believe is due to the different auth mechanism that AWS EKS uses.

# token generated locally with kubectl and pasted in (redacted)
ApiToken = 'eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.xxx.yyy'
configuration = client.Configuration()
configuration.host = 'https://abc.sk1.us-east-1.eks.amazonaws.com'
configuration.verify_ssl = False  # skips TLS verification of the API server certificate
configuration.debug = True
configuration.api_key = {"authorization": "Bearer " + ApiToken}
client.Configuration.set_default(configuration)

While the above works, I have to hardcode a token that I generate locally via kubectl and check it into the code, which is a security risk.

Is there a more proper way to authenticate the Kubernetes python lib with AWS EKS?

Recommended answer

You can use the following method to get the token. This assumes that you have successfully installed and configured aws-iam-authenticator on your pod/server/laptop.

import subprocess
from kubernetes import client

def get_token(cluster_name):
    # aws-iam-authenticator prints a short-lived, IAM-signed bearer token for this cluster
    args = ("/usr/local/bin/aws-iam-authenticator", "token", "-i", cluster_name, "--token-only")
    result = subprocess.run(args, stdout=subprocess.PIPE, check=True)
    return result.stdout.decode().rstrip()

api_token = get_token("<cluster_name>")
configuration = client.Configuration()
configuration.host = '<api_endpoint>'
configuration.verify_ssl = False  # skips TLS verification of the API server; set ssl_ca_cert to the cluster CA instead for real use
configuration.debug = True
configuration.api_key['authorization'] = "Bearer " + api_token
configuration.assert_hostname = True
client.Configuration.set_default(configuration)

v1 = client.CoreV1Api()
ret = v1.list_pod_for_all_namespaces(watch=False)
print(ret)

There is a PR for kubernetes-client/python-base that adds support for exec plugins: Attempt to implement exec-plugins support in kubeconfig.
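What the aws-iam-authenticator token in the answer actually contains, as an added example that is not part of the original answer: a pure-stdlib reimplementation of the SigV4 presigning that aws-iam-authenticator and `aws eks get-token` perform (the credentials and cluster name used below are constructed; in real code prefer boto3's `generate_presigned_url`, which is what the AWS CLI uses).

```python
import base64
import datetime
import hashlib
import hmac
import urllib.parse

STS_HOST = "sts.amazonaws.com"  # global STS endpoint, signed as region us-east-1
REGION = "us-east-1"
TOKEN_PREFIX = "k8s-aws-v1."


def eks_token(cluster_name, access_key, secret_key, session_token=None, expires=60):
    """Mint the token aws-iam-authenticator emits: a SigV4-presigned STS GetCallerIdentity
    GET that also signs the x-k8s-aws-id header, base64url-encoded behind k8s-aws-v1."""
    amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{REGION}/sts/aws4_request"
    params = {
        "Action": "GetCallerIdentity",
        "Version": "2011-06-15",
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host;x-k8s-aws-id",
    }
    if session_token:  # temporary credentials, e.g. from an IRSA or instance role
        params["X-Amz-Security-Token"] = session_token
    # canonical query string: keys sorted, keys and values percent-encoded
    query = "&".join(f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    # the cluster name enters only via the signed x-k8s-aws-id header, binding the
    # token to that cluster; a presigned GET has an empty body
    canonical_request = "\n".join(["GET", "/", query,
                                   f"host:{STS_HOST}\nx-k8s-aws-id:{cluster_name}\n",
                                   "host;x-k8s-aws-id", hashlib.sha256(b"").hexdigest()])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], REGION, "sts", "aws4_request"):  # SigV4 key derivation
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    url = f"https://{STS_HOST}/?{query}&X-Amz-Signature={signature}"
    return TOKEN_PREFIX + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def decode_token(token):
    """Recover the presigned URL, to inspect what a token actually carries."""
    body = token[len(TOKEN_PREFIX):]
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
```

The cluster side replays the presigned call against STS and rejects tokens whose X-Amz-Date is more than 15 minutes old, so a pod has to re-run get_token rather than cache the value. decode_token shows that the cluster name appears nowhere in the URL and is bound in only through the signature.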
