Unable to connect GKE autopilot cluster from kubernetes python client


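Problem description

I have created an Autopilot cluster on GKE.

I want to connect to it and manage it with the Python Kubernetes client.

I am able to get the kubeconfig of the cluster.

I am able to access the cluster using kubectl on my local system, using the command

gcloud container clusters get-credentials

When I try to connect with the Kubernetes python-client library, I get the following error: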

  File "lib/python3.7/site-packages/urllib3/util/retry.py", line 399, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='xxx.xx.xxx.xxx', port=443): Max 
retries exceeded with url: /apis/extensions/v1beta1/namespaces/default/ingresses (Caused by 
SSLError(SSLError(136, '[X509] no certificate or crl found (_ssl.c:4140)')))

Here is the code I am using:

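import os

import google.auth
import google.auth.transport.requests
from google.cloud.container_v1 import ClusterManagerClient
from kubernetes import config

# Service-account key file used for Application Default Credentials
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "863924b908c7.json"

credentials, project = google.auth.default(
    scopes=['https://www.googleapis.com/auth/cloud-platform', ])

credentials.refresh(google.auth.transport.requests.Request())

cluster_manager = ClusterManagerClient(credentials=credentials)
# cluster = cluster_manager.get_cluster(project)
config.load_kube_config('config.yaml')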

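Recommended answer

This is what I figured out. I think this is a good solution because it prevents man-in-the-middle attacks (it uses SSL), unlike other Python snippets in the wild.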

from google.cloud.container_v1 import ClusterManagerClient
from kubernetes import client
from tempfile import NamedTemporaryFile
import base64
import google.auth
import google.auth.transport.requests

# Placeholders: set these to your own project, cluster location and cluster name.
gcp_project_id = "YOUR_PROJECT_ID"
cluster_zone_or_region = "YOUR_CLUSTER_LOCATION"
cluster_id = "YOUR_CLUSTER_NAME"

credentials, project = google.auth.default(scopes=['https://www.googleapis.com/auth/cloud-platform',])
credentials.refresh(google.auth.transport.requests.Request())
cluster_manager = ClusterManagerClient(credentials=credentials)
cluster = cluster_manager.get_cluster(name=f"projects/{gcp_project_id}/locations/{cluster_zone_or_region}/clusters/{cluster_id}")

# The API returns the cluster CA as base64-encoded PEM; decode it and write it to a file for the client.
with NamedTemporaryFile(delete=False) as ca_cert:
    ca_cert.write(base64.b64decode(cluster.master_auth.cluster_ca_certificate))

config = client.Configuration()
config.host = f'https://{cluster.endpoint}:443'
config.verify_ssl = True  # keep server certificate verification on
config.api_key = {"authorization": "Bearer " + credentials.token}
config.username = credentials._service_account_email
config.ssl_ca_cert = ca_cert.name  # verify the API server against the cluster CA
client.Configuration.set_default(config)

# make calls with client

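On GKE, SSL validation works on the IP automatically. If you are in an environment where it does not work for some reason, you can bind the IP to a hostname like this: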

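from python_hosts.hosts import (Hosts, HostsEntry)

# Map the cluster endpoint IP to the name "kubernetes" in the system hosts file
# (writing that file normally requires elevated privileges).
hosts = Hosts()
hosts.add([HostsEntry(entry_type='ipv4', address=cluster.endpoint, names=['kubernetes'])])
hosts.write()
# Connect by name so that certificate hostname checks run against "kubernetes".
config.host = "https://kubernetes"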
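
An added example, not part of the original question or answer: a standard-library check to run over a kubeconfig before handing it to load_kube_config, reporting clusters whose certificate-authority-data OpenSSL cannot parse or whose TLS verification is switched off. It assumes the kubeconfig is supplied as JSON (for example from `kubectl config view --raw -o json`); the function names and the sample data are constructed for illustration.

```python
import base64
import json
import ssl

def check_ca_data(ca_b64):
    """Return (ok, reason) for a kubeconfig certificate-authority-data value."""
    if not ca_b64:
        return False, "certificate-authority-data is empty"
    try:
        pem = base64.b64decode(ca_b64, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False, "value is not base64-encoded PEM text"
    if "-----BEGIN CERTIFICATE-----" not in pem:
        return False, "decoded value contains no PEM certificate block"
    try:
        # Hand the PEM to OpenSSL, which is what parses ssl_ca_cert for the client.
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_verify_locations(cadata=pem)
    except (ssl.SSLError, ValueError) as exc:
        return False, f"OpenSSL rejected the certificate: {exc}"
    return True, "CA certificate parsed"

def audit_kubeconfig(kubeconfig_json):
    """Map each cluster name to the findings that break or weaken TLS verification."""
    findings = {}
    for entry in json.loads(kubeconfig_json).get("clusters") or []:
        cluster = entry.get("cluster") or {}
        issues = []
        if cluster.get("insecure-skip-tls-verify"):
            issues.append("insecure-skip-tls-verify is set; server certificate is not checked")
        if "certificate-authority-data" in cluster:
            ok, reason = check_ca_data(cluster["certificate-authority-data"])
            if not ok:
                issues.append(reason)
        elif "certificate-authority" not in cluster:
            issues.append("no cluster CA configured")
        findings[entry.get("name", "<unnamed>")] = issues
    return findings

# Constructed sample in the shape of `kubectl config view --raw -o json` output.
SAMPLE_KUBECONFIG = json.dumps({"clusters": [
    {"name": "pem-not-base64", "cluster": {"server": "https://192.0.2.10",
        "certificate-authority-data": "-----BEGIN CERTIFICATE-----"}},
    {"name": "not-a-certificate", "cluster": {"server": "https://192.0.2.11",
        "certificate-authority-data": base64.b64encode(b"not a cert").decode()}},
    {"name": "verification-off", "cluster": {"server": "https://192.0.2.12",
        "insecure-skip-tls-verify": True}},
]})

if __name__ == "__main__":
    for name, issues in audit_kubeconfig(SAMPLE_KUBECONFIG).items():
        print(name, "->", issues or "ok")
```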
