支持的客户端库
可参考:https://kubernetes.io/zh-cn/docs/reference/using-api/client-libraries/
身份验证插件
在 K8S API 客户端库golang client-go 中,Auth plugins(身份验证插件)是用于处理 Kubernetes 集群中用户身份验证的组件。一般来说,客户端的配置信息通常从 kubeconfig 文件中加载,包括服务器和凭证的配置信息。有一些插件可用于从外部来源获取凭证,但默认情况下不会加载这些插件。如果要在程序中启用这些插件,需要在主包中导入它们。
可以加载所有身份验证插件:
import _ "k8s.io/client-go/plugin/pkg/client/auth"
或者您可以加载特定的身份验证插件:
import _ "k8s.io/client-go/plugin/pkg/client/auth/azure" import _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" import _ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
❝我这里只需让客户端的配置信息从 kubeconfig 文件中加载即可,所以下一步是去master将kubeconfig导出来,发送到我的开发机。
❞
关于身份验证方式
身份验证方式有两种:
- 在群集中进行身份验证:配置客户端在 Kubernetes 集群内运行时。
- 在群集外进行身份验证:配置客户端以从外部访问 Kubernetes 集群。
具体得看你的客户端库运行在k8s集群之外还是k8s集群之内。我的开发机是在k8s集群之外(也就是我在上面写好代码并测试,代码是从外部连接到k8s集群),所以我只需要在群集外进行身份验证即可。对于客户端库来说,这两种身份验证方式的配置是稍有区别的,具体可参考官方文档:https://github.com/kubernetes/client-go/tree/master/examples
在群集外进行身份验证
- 查看普通用户tantianran的证书是否过期(如果证书没有过期,可跳过这个步骤)
❝在上篇中,提交CSR获取签名后的证书过期的时间是24小时,已经过期了,难怪我把config搬到开发机器上去连接k8s提示登录失败呢。今天我已经更新了证书让它100天后再过期。操作办法很简单,提交之前,将过期时间(字段时 expirationSeconds)加大一点,比如我加到8640000秒(100天),改好后重新提交给K8S集群中的证书签名机构重新签名即可。接着再重新审批、再导出证书(也就是重新得到tantianran.crt)。然后更新kubeconfig(重新执行之前的命令),再更新上下文(重新执行之前的命令)。
❞
更新前的:
[root@k8s-a-master api-user]# kubectl get csr NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION tantianran 58s kubernetes.io/kube-apiserver-client kubernetes-admin 24h Pending
以下是我更新后的csr:
[root@k8s-a-master api-user]# kubectl get csr NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION tantianran 30m kubernetes.io/kube-apiserver-client kubernetes-admin 100d Approved,Issued
- 导出kubeconfig
kubectl config view --raw > kubeconfig-tantianran
- 删除kubernetes-admin的配置
我打算在开发机仅仅使用普通用户tantianran来连接k8s,所以删除掉和kubernetes-admin相关的敏感信息,生产环境中为了安全也是要这么做。以下是删除后的:
apiVersion: v1 clusters: - cluster: certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJek1ETXpNVEUwTXpFMU1Gb1hEVE16TURNeU9ERTBNekUxTUZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBS3hCCnZSQnI2dWY2c3prZ2RrY0E2V1lpR1dWczJBcmZDOWowS2x5Q2hqaVVrZTc5NnJpYnBJQTdTSEUyejNZMXRvVUQKYXEwZjFzbFA1Z1o1bldBWTBuYjhQUVF2UDB3aWpHN0ZOMVF3Ym1XeFVKT2k0cVFJSnlLajZKQmttNkhVOTdRMAorYjByN2FnelJCclRBTzRneWJ2R0l0eWM2OFNMNVhaYVlQVG8xK2hBREN1Vm1SbXFUZTR6ZzFTSjNxeFdsQjUvCitSUVFxeTk0ZVZvR2ZiMzN4T0xJcldVVkF4R2ZxVHlNRTZWQ3ltcitVYzJxMTdRNS9SVkdxN3U4UzBKMCs5SG4KN0Rvb1FVRXhQYXM1YmVrZ2tlMlVsRE96UFNaL2xYbnUzcEYzNklKOVhyQzdMRG9sbUV6eTJTRmV6VysrSWJIYwpQT1FWZGZyL1VFVkhSTTFlUEVFQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZNd3pnK2pZaWN1b2VVVFdRbW8zU2ZNaFNCY09NQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBRkN5cThUdWRGRytXTjU0Sm5LTworcW1JZ29VbCtzNGlwUVE0Z21DSUF6QzcyRkMzZStZNlhtd2dXanhZOVhlUlIyZ0RjQkswUmNaaDAwZzdGd09VCkc2VkFQNnBRTnd3cTFONEt5dmFkVFdxSlNEZkNCc0dvK0hTMU1tbVdjSUtCUW13UXMwSEhrbm8zWnFCYURGcmsKY2VuY2N0V2UrZ25uNkptSHdqdTVOdDBOdzNKWS9OVndLTnBnNXhoNm1QVFFpQ2ZjOWk1emhiZzRDVFROVURESApOMlhWZkVnZ2l2STZ0ZitMeURjaXRqc1A4Q0JNYWhIUE9lcEZtUmRsUmNQSWg3MXlESmJpREtHYnhPTXAzN0N5CnpMak5SbEsrcnozMktVdXJaRmNkMk12aEpNd09laTVwa2IvVHVreTdDM0lBT0JsUk05QzhxSjVOVGwrVTVJSlMKYnkwPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== server: https://192.168.11.10:6443 name: kubernetes contexts: - context: cluster: kubernetes namespace: rook-ceph user: tantianran name: tantianran current-context: tantianran # 当前上下文 kind: Config preferences: {} users: - name: tantianran user: client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREekNDQWZlZ0F3SUJBZ0lRZCttazJoeVAxODBHNFVZMkRrcHFwVEFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1CNFhEVEl6TURReU1EQTRNRFF5TWxvWERUSXpNRGN5T1RBNApNRFF5TWxvd0tqRVRNQkVHQTFVRUNoTUtibTlpYkdGdFpXOXdjekVUTUJFR0ExVUVBeE1LZEdGdWRHbGhibkpoCmJqQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU1Jc0M0R2JSQ0NJYTUvZEt6elgKc3VtUXVxay9qclZRemJuSmpiVkY5ZVV6bU1OR3drTi9aanRrVU5ZTUNRMkRpY1JIRUJzTFVMTTJIWFN2Rm1XWQpUUGN6OEJWOHgvR214YXlWcVNmQTU4aDNtdjJERjhZdFB2aFlVc3hmUVZpUUxFRGFwRXpoV29TcFU3cHBGMnhhCnZjeG9GbDd3emRQWE9YMnhDQXNSQ3pINjB6cG9zSEJiNHBaSGJjYjNyQ1hjdHBnVlFDeklubWRGMWs0cmdweDkKSGsrek4rNzQ1R04vS1dMMWdLcFNhN2YxemdHdXVaT2FrZEhKaldGdCtWYzNFSG90SFQ3V3g1VTFrNXhmem5mSQo2VlkvN0NTbzR1K2hhSTg2RHBRaXZmdk1OM3ZGeURwOVR2UWVsOFJpZlFiMkxaMnlUYzdEL3hHQUJZRmFDbk5SCjl3a0NBd0VBQWFOR01FUXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUhBd0l3REFZRFZSMFRBUUgvQkFJd0FEQWYKQmdOVkhTTUVHREFXZ0JUTU00UG8ySW5McUhsRTFrSnFOMG56SVVnWERqQU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBUUVBZk5Qakc1M29UWUYrMU9mYkJDQzFHekNST092aDIzNFhvalhnK2hBbDRzdktDdmhodVllNW1kdlUxSm8wCklqZUp2WG9RQmhndWtGNFFxNnpHWU95d1lOWjVMK3AzTWRQU1lYY0ZPbS9iOWluY0l6TVhLTjI2WmVBNXpwaWgKdTUxNWJEVzJ3bzR2UDdEL01kUW5wTWM3em1YQVhhem5BVkRFZEg4WGdpeFlGZ0JDQUw3UTFrT25QMkxtR1RjRwpJMUhqRTFrZFMwQ0ZrMjFrTXYyN0JBVzV1ai9pMzA1eFMrQVRITWtoSUw1MjZFYVFmb3FiV3lnVDBjRS92UUxVCitMMG54R3MxWktIMlFRN3JyMTEwYkNZcnYyaW13UDljdTJWY2ZEcXlzQnZrZEpHd25idHFydjArT21aQzV3emcKOTFyMGpaQXBNck9ZUnZUMVNkYmJPeFhIK0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBd2l3TGdadEVJSWhybjkwclBOZXk2WkM2cVQrT3RWRE51Y21OdFVYMTVUT1l3MGJDClEzOW1PMlJRMWd3SkRZT0p4RWNRR3d0UXN6WWRkSzhXWlpoTTl6UHdGWHpIOGFiRnJKV3BKOERueUhlYS9ZTVgKeGkwKytGaFN6RjlCV0pBc1FOcWtUT0ZhaEtsVHVta1hiRnE5ekdnV1h2RE4wOWM1ZmJFSUN4RUxNZnJUT21pdwpjRnZpbGtkdHh2ZXNKZHkybUJWQUxNaWVaMFhXVGl1Q25IMGVUN00zN3Zqa1kzOHBZdldBcWxKcnQvWE9BYTY1Cms1cVIwY21OWVczNVZ6Y1FlaTBkUHRiSGxUV1RuRi9PZDhqcFZqL3NKS2ppNzZGb2p6b09sQ0s5Kzh3M2U4WEkKT24xTzlCNlh4R0o5QnZZdG5iSk56c1AvRVlBRmdWb0tjMUgzQ1FJREFRQUJBb0lCQUd6cU9kWU1XczJJMkIzRworSTdiU3Y4YWNLbW8vZ3FVZGFGRi9sZjFFelhxbUVESSt3VFRmR3ZLSEZIRVZIdWhFZkRvRDQrcjdDdHFLbUdlCktJajZRZ25UdDFMR09IMURGOVJ6Nm50akNHQjVQcFgvSjZIQkZYWkdUTU5ZbHhYdllQTkw4U2N5clF5RzBuRlkKcTR2YTVtVzI2UDErUTJZVmJxa2pXU2lqK2N5aE10MDNYTk00S3RnTEZ6QklHaXEvTy9XSzQvaTkxL0x0dFJMdgpXTExyZVd0TENGSnJvOXpwblRkVnMyQU5vQ1FTVUlZNktMcXRCTE1ZNTVVcjI0bDhkSjQwMm1sMFhxYVgrdTlJCjZxWVBjYkhqeTd1K0pNVFovazJ5a2VEcGN3OXJwOEVxQmhoY1U5U2VWYnZCTk45d3FOTk1mSWl1SE91eng1N2QKaEFvc2pJRUNnWUVBOXJTci8zR3FPK3diVGE0aElpVTJwSXk5ZXpnNEpFeWkrbytvNHpYOGc0dGsrNGZxM2NDQgo2ZmhEWXI5UUQ3Sm1ZaEhDbDRsWGI4d1VxcTI3OHlybVhmK3hnZVk3aTl5NlJOaU1MMXZTYTlON1FScGJXelZlCkgvU2VEQ0ZJeXVoTEJaT2ZXUW5nSG1xdU9vODR0N0R4N2hPbDBWSDRuS2tUVEFIeEhJN1JMRmtDZ1lFQXlYeTMKblVvN1FCWENGWjBmVHdpRDMzQnVrTXFTeFM3M1dDdXppRjV4cE12a28xVTA0ZTBVODdMWmJodnFySU02UnQxVQp1eWdUa3VSMDZ0bGpVQ3RNYlhZcGROSFY0N1lLTjVubDVTL29KWGJBaU1EU0U5a3B6djdYZS9jaXB5RDN4bW5PClBCWUxOZ0VBUWJvOG5pVkhqVzVJRWhJb29IcDc4OURkbmZoVkNqRUNnWUFXRWcyOUdZY1lPMFFxQytUczhCVlcKWFR6cVZCbzVyUjE3ZXZTcDl2OXpLVHBNZ2xsUm8xSThBempNRWI5dzJBM3V3aFg5aG96cTlILzQwUGdhaGdENwo4YzhJaHZkV3lOVmxLVlpKT2xhMXpNS2ZEV09VNGs1Y1gzN3dLTjRoUU96TlArcW1oWXFtVGZidVNEZlR2eUcxCm9jNVl6cE9HT0Y0QWs3L2xSU1dUYVFLQmdBaFU1ZXJWSlBvVGJFRWtqQ1RpZjBHQURySmlEZ3VsVTRrTDFaS3cKQlJjQmIyVHBveFFzajQ4OE9BMTdqZ3F3S25xL3NEOUUrdm82QkRPcDVaZHRFdTM3MHQ4SHhrWnlRcDNsK1VHdQo1M1NWSW9VRkpDcTU4aWFqRnhvRE1DV2xFVm5kQ2pBbDRUVE1lY3c5L1QrMDN1NlVQdHF3Y1ltaFJ2cmdDaW44CkdOZ2hBb0dBVzNub3NmOENPWUJFM0x0WXkwa0t0OTkyWmdIY2lPMWEvZzNMZkN4VnovenByWHdVVkJpRFRzZFkKK3BXZVV0aTJEb3d0cnZpVENpSHFCdE5DcDVpK3krYTM1ODR5c0xJYm9vKzh5eWFJenVVaERiNE4zaVpUU3J1SQpib0h3LzhtWTlCZmFzT0hLVnhlSnl5RzQzV3NoN2NUK2VFcGRBbkxsSndQSnhCTmdvYmc9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
- scp到我的开发机
scp kubeconfig-tantianran 192.168.11.254:~/.kube/config
❝注意:如果想在开发机操作k8s集群,可以去官网或者在master节点上把kubectl二进制工具也scp到开发机器上即可,如果只是通过客户端库来操作k8s,kubectl可以不用。还有,记得在家目录创建.kube目录,文件名改为config,这样kubectl才会自动读取到。
❞
如果把config名字改为别的,比如改为aaa,看看效果:
[root@workhost .kube]# mv config aaa [root@workhost .kube]# kubectl get pod # 读取不到config,因为kubectl默认就是读取config The connection to the server localhost:8080 was refused - did you specify the right host or port? # 当然可以使用--kubeconfig选项指定kubeconfig [root@workhost .kube]# kubectl --kubeconfig=./aaa get pod NAME READY STATUS RESTARTS AGE csi-cephfsplugin-2pv6l 2/2 Running 30 (7h51m ago) 17d csi-cephfsplugin-7c9rp 2/2 Running 31 (7h51m ago) 17d csi-cephfsplugin-7rvl4 2/2 Running 31 (7h51m ago) 17d csi-cephfsplugin-8slqr 2/2 Running 30 (7h51m ago) 17d
- 来验证一下普通用户的权限
[root@workhost .kube]# kubectl get pod NAME READY STATUS RESTARTS AGE csi-cephfsplugin-2pv6l 2/2 Running 30 (7h52m ago) 17d csi-cephfsplugin-7c9rp 2/2 Running 31 (7h52m ago) 17d ... [root@workhost .kube]# kubectl get ns Error from server (Forbidden): namespaces is forbidden: User "tantianran" cannot list resource "namespaces" in API group "" at the cluster scope [root@workhost .kube]# kubectl get pod -n default Error from server (Forbidden): pods is forbidden: User "tantianran" cannot list resource "pods" in API group "" in the namespace "default" [root@workhost .kube]# kubectl get pod -n rook-ceph NAME READY STATUS RESTARTS AGE csi-cephfsplugin-2pv6l 2/2 Running 30 (7h53m ago) 17d csi-cephfsplugin-7c9rp 2/2 Running 31 (7h53m ago) 17d ... [root@workhost .kube]# kubectl get deployment Error from server (Forbidden): deployments.apps is forbidden: User "tantianran" cannot list resource "deployments" in API group "apps" in the namespace "rook-ceph" [root@workhost .kube]# kubectl get svc Error from server (Forbidden): services is forbidden: User "tantianran" cannot list resource "services" in API group "" in the namespace "rook-ceph"
❝经过验证,tantianran这个普通账户的权限确实很低,具体我也不再解释了,相信大家都懂的。
❞
并且,我要问大家几个简单的问题:
- 为啥没有指定命名空间也能查看到pod?
- 为啥指定default命名空间提示error?
- 为啥查看deployment和svc提示error?
请把您的答案在评论区告诉我,谢谢大家。
开始写代码
golang
更多示例请参考:https://github.com/kubernetes/client-go/tree/master/examples
- 安装客户端库
# 首次先装这个 go get k8s.io/client-go@latest # 后面装这几个 go get k8s.io/apimachinery/pkg/apis/meta/v1 go get k8s.io/client-go/kubernetes go get k8s.io/client-go/tools/clientcmd
- 写代码
package main import ( "context" "fmt" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/client-go/kubernetes" "k8s.io/client-go/tools/clientcmd" ) func main() { // 在 kubeconfig 中使用当前上下文 // path-to-kubeconfig -- 例如 /root/.kube/config config, _ := clientcmd.BuildConfigFromFlags("", "/root/.kube/config") // 创建 clientset clientset, _ := kubernetes.NewForConfig(config) // 访问 API 以列出 Pod pods, _ := clientset.CoreV1().Pods("rook-ceph").List(context.TODO(), v1.ListOptions{}) for _, pod := range pods.Items { fmt.Printf("命名空间名称:%s POD名称:%s\n", pod.Namespace, pod.Name) } fmt.Printf("这个命名空间下有 %d 个POD\n", len(pods.Items)) }
输出:
[root@workhost k8s]# go run main.go 命名空间名称:rook-ceph POD名称:csi-cephfsplugin-2pv6l 命名空间名称:rook-ceph POD名称:csi-cephfsplugin-7c9rp 命名空间名称:rook-ceph POD名称:csi-cephfsplugin-7rvl4 命名空间名称:rook-ceph POD名称:csi-cephfsplugin-8slqr 命名空间名称:rook-ceph POD名称:csi-cephfsplugin-9mkkx ... 这个命名空间下有 61 个POD
❝这个例子是k8s官方文档里的一个例子,链接:https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/access-cluster-api/。更多例子可参考:https://github.com/kubernetes/client-go/tree/master/examples。
❞ ❝当然,在我看来,例子它只是例子,最重要的是要掌握它的套路。那么前提是你得有一定开发能力,懂golang或者python或java等等。当然了,运维工程师我建议是要懂golang或者python。
❞
Python
请参考:https://github.com/kubernetes-client/python/tree/master/examples
- 安装相关库
pip install pick pip install kubernetes
- 写代码
from pick import pick from kubernetes import client, config from kubernetes.client import configuration def main(): config.load_kube_config(config_file="/root/.kube/config", context="tantianran") v1 = client.CoreV1Api() ret = v1.list_namespaced_pod(namespace="rook-ceph") for item in ret.items: print( "%s\t%s\t%s" % (item.status.pod_ip, item.metadata.namespace, item.metadata.name)) if __name__ == '__main__': main()
输出:
[root@workhost k8s]# python main.py 192.168.11.17 rook-ceph csi-cephfsplugin-2pv6l 192.168.11.18 rook-ceph csi-cephfsplugin-7c9rp 192.168.11.11 rook-ceph csi-cephfsplugin-7rvl4 192.168.11.19 rook-ceph csi-cephfsplugin-8slqr 192.168.11.15 rook-ceph csi-cephfsplugin-9mkkx 192.168.11.20 rook-ceph csi-cephfsplugin-css2r 192.168.11.12 rook-ceph csi-cephfsplugin-dblnm 192.168.11.16 rook-ceph csi-cephfsplugin-nsbsp 192.168.11.14 rook-ceph csi-cephfsplugin-p79zj 192.168.11.13 rook-ceph csi-cephfsplugin-phw2t
