从C#Docker访问kubernetes服务 [英] Accessing kubernetes service from C# docker
问题描述
我正在尝试使用kuberentes服务中的C#docker访问Kubernetes服务.
I am trying to access the Kubernetes service using C# docker within kuberentes service.
我有一个python码头工人YAML文件,并希望通过c#Dotnet核心docker以编程方式使用相同的YAML创建Pod,该Pod运行int相同的python码头工人群集.我找到了适用于dotnet core的Kubernetes api.我为下面的列表容器创建了代码.
I have a python docker YAML file and want to create pod using the same YAML programmatically from c# Dotnet core docker that running int the same cluster of python docker. I found Kubernetes api for dotnet core.I created the code for list pods that is below.
using System;
using k8s;
namespace simple
{
internal class PodList
{
private static void Main(string[] args)
{
var config = KubernetesClientConfiguration.InClusterConfig();
IKubernetes client = new Kubernetes(config);
Console.WriteLine("Starting Request!");
var list = client.ListNamespacedPod("default");
foreach (var item in list.Items)
{
Console.WriteLine(item.Metadata.Name);
}
if (list.Items.Count == 0)
{
Console.WriteLine("Empty!");
}
}
}
}
禁止该代码获取错误(操作返回了无效的状态代码‘禁止’").代替使用 BuildConfigFromConfigFile 代码的 InClusterConfig 在本地环境中工作.我错过了什么吗?
this code getting error Forbidden ("Operation returned an invalid status code 'Forbidden'"). instead of InClusterConfig using BuildConfigFromConfigFile code is working in local environment.Is anythin I missed?
已编辑
apiVersion: v1
kind: ServiceAccount
metadata:
name: test-serviceaccount
namespace: api
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: api
name: test-role
rules:
- apiGroups: ["","apps","batch"]
# "" indicates the core API group
resources: ["deployments", "namespaces","cronjobs"]
verbs: ["get", "list", "update", "patch","create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: test-binding
namespace: api
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: test-role
subjects:
- kind: ServiceAccount
name: test-serviceaccount
namespace: api
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
deployment.kubernetes.io/revision: "4"
creationTimestamp: "2019-07-04T16:05:43Z"
generation: 4
labels:
app: test-console
tier: middle-end
name: test-console
spec:
progressDeadlineSeconds: 600
replicas: 1
revisionHistoryLimit: 2
selector:
matchLabels:
app: test-console
tier: middle-end
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
type: RollingUpdate
template:
metadata:
creationTimestamp: "2019-07-04T16:05:43Z"
labels:
app: test-console
tier: middle-end
spec:
serviceAccountName: test-serviceaccount
containers:
- image: test.azurecr.io/tester:1.0.0
imagePullPolicy: Always
name: test-console
ports:
- containerPort: 80
protocol: TCP
resources: {}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: pull
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
C# code
client.CreateNamespacedCronJob(jobmodel, "testnamesapce");
crone job
'apiVersion': 'batch/v1beta1',
'kind': 'CronJob',
'metadata': {
'creationTimestamp': '2020-08-04T06:29:19Z',
'name': 'forcaster-cron',
'namespace': 'testnamesapce'
},
推荐答案
InClusterConfig
使用部署Pod的名称空间的 default
服务帐户.默认情况下,该服务帐户将没有任何 RBAC 导致禁止
错误.
InClusterConfig
uses the default
service account of the namespace where you are deploying the pod. By default that service account will not have any RBAC which leads to Forbidden
error.
它在本地环境中工作的原因是因为它使用了 kubeconfig
文件中的凭据,大多数情况下,该凭据是具有对群集的根级别RBAC权限的管理员凭据.
The reason it works in local environment is because it uses credential from kubeconfig
file which most of the time is admin credential having root level RBAC permission to the cluster.
您需要定义一个 Role
,然后使用 RoleBinding
You need to define a Role
and attach that role to the service account using RoleBinding
因此,如果您将Pod部署在 default
名称空间中,则下面的RBAC应该可以工作.
So if you are deploying the pod in default
namespace then below RBAC should work.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: myrole
namespace: default
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: role-binding
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: myrole
subjects:
- kind: ServiceAccount
name: default
namespace: default
在RBAC上方申请后,您可以使用以下命令检查服务帐户的权限
Once you apply above RBAC you can check permission of the service account using below command
kubectl auth can-i list pods --as=system:serviceaccount:default:default -n default
yes
这篇关于从C#Docker访问kubernetes服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!