反对的客户端库
可参考:https://kubernetes.io/zh-cn/docs/reference/using-api/client-l…
身份验证插件
在 K8S API 客户端库 golang client-go 中,Auth plugins(身份验证插件)是用于解决 Kubernetes 集群中用户身份验证的组件。一般来说,客户端的配置信息通常从 kubeconfig 文件中加载,包含服务器和凭证的配置信息。有一些插件可用于从内部起源获取凭证,但默认状况下不会加载这些插件。如果要在程序中启用这些插件,须要在主包中导入它们。
能够加载所有身份验证插件:
import _ "k8s.io/client-go/plugin/pkg/client/auth"
或者您能够加载特定的身份验证插件:
import _ "k8s.io/client-go/plugin/pkg/client/auth/azure"
import _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
import _ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
❝
我这里只需让客户端的配置信息从 kubeconfig 文件中加载即可,所以下一步是去 master 将 kubeconfig 导出来,发送到我的开发机。
❞
对于身份验证形式
身份验证形式有两种:
- 在群集中进行身份验证:配置客户端在 Kubernetes 集群内运行时。
- 在群集外进行身份验证:配置客户端以从内部拜访 Kubernetes 集群。
具体得看你的客户端库运行在 k8s 集群之外还是 k8s 集群之内。我的开发机是在 k8s 集群之外(也就是我在下面写好代码并测试,代码是从内部连贯到 k8s 集群),所以我只须要在群集外进行身份验证即可。对于客户端库来说,这两种身份验证形式的配置是稍有区别的,具体可参考官网文档:https://github.com/kubernetes/client-go/tree/master/examples
在群集外进行身份验证
- 查看普通用户 tantianran 的证书是否过期(如果证书没有过期,可跳过这个步骤)
❝
在上篇中,提交 CSR 获取签名后的证书过期的工夫是 24 小时,曾经过期了,难怪我把 config 搬到开发机器下来连贯 k8s 提醒登录失败呢。明天我曾经更新了证书让它 100 天后再过期。操作方法很简略,提交之前,将过期工夫(字段时 expirationSeconds)加大一点,比方我加到 8640000 秒(100 天),改好后从新提交给 K8S 集群中的证书签名机构从新签名即可。接着再从新审批、再导出证书(也就是重新得到 tantianran.crt)。而后更新 kubeconfig(从新执行之前的命令),再更新上下文(从新执行之前的命令)。
❞
更新前的:
[root@k8s-a-master api-user]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
tantianran 58s kubernetes.io/kube-apiserver-client kubernetes-admin 24h Pending
以下是我更新后的 csr:
[root@k8s-a-master api-user]# kubectl get csr
NAME AGE SIGNERNAME REQUESTOR REQUESTEDDURATION CONDITION
tantianran 30m kubernetes.io/kube-apiserver-client kubernetes-admin 100d Approved,Issued
- 导出 kubeconfig
kubectl config view --raw > kubeconfig-tantianran
- 删除 kubernetes-admin 的配置
我打算在开发机仅仅应用普通用户 tantianran 来连贯 k8s,所以删除掉和 kubernetes-admin 相干的敏感信息,生产环境中为了平安也是要这么做。以下是删除后的:
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJek1ETXpNVEUwTXpFMU1Gb1hEVE16TURNeU9ERTBNekUxTUZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBS3hCCnZSQnI2dWY2c3prZ2RrY0E2V1lpR1dWczJBcmZDOWowS2x5Q2hqaVVrZTc5NnJpYnBJQTdTSEUyejNZMXRvVUQKYXEwZjFzbFA1Z1o1bldBWTBuYjhQUVF2UDB3aWpHN0ZOMVF3Ym1XeFVKT2k0cVFJSnlLajZKQmttNkhVOTdRMAorYjByN2FnelJCclRBTzRneWJ2R0l0eWM2OFNMNVhaYVlQVG8xK2hBREN1Vm1SbXFUZTR6ZzFTSjNxeFdsQjUvCitSUVFxeTk0ZVZvR2ZiMzN4T0xJcldVVkF4R2ZxVHlNRTZWQ3ltcitVYzJxMTdRNS9SVkdxN3U4UzBKMCs5SG4KN0Rvb1FVRXhQYXM1YmVrZ2tlMlVsRE96UFNaL2xYbnUzcEYzNklKOVhyQzdMRG9sbUV6eTJTRmV6VysrSWJIYwpQT1FWZGZyL1VFVkhSTTFlUEVFQ0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZNd3pnK2pZaWN1b2VVVFdRbW8zU2ZNaFNCY09NQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBRkN5cThUdWRGRytXTjU0Sm5LTworcW1JZ29VbCtzNGlwUVE0Z21DSUF6QzcyRkMzZStZNlhtd2dXanhZOVhlUlIyZ0RjQkswUmNaaDAwZzdGd09VCkc2VkFQNnBRTnd3cTFONEt5dmFkVFdxSlNEZkNCc0dvK0hTMU1tbVdjSUtCUW13UXMwSEhrbm8zWnFCYURGcmsKY2VuY2N0V2UrZ25uNkptSHdqdTVOdDBOdzNKWS9OVndLTnBnNXhoNm1QVFFpQ2ZjOWk1emhiZzRDVFROVURESApOMlhWZkVnZ2l2STZ0ZitMeURjaXRqc1A4Q0JNYWhIUE9lcEZtUmRsUmNQSWg3MXlESmJpREtHYnhPTXAzN0N5CnpMak5SbEsrcnozMktVdXJaRmNkMk12aEpNd09laTVwa2IvVHVreTdDM0lBT0JsUk05QzhxSjVOVGwrVTVJSlMKYnkwPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
server: https://192.168.11.10:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
namespace: rook-ceph
user: tantianran
name: tantianran
current-context: tantianran # 以后上下文
kind: Config
preferences: {}
users:
- name: tantianran
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUREekNDQWZlZ0F3SUJBZ0lRZCttazJoeVAxODBHNFVZMkRrcHFwVEFOQmdrcWhraUc5dzBCQVFzRkFEQVYKTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1CNFhEVEl6TURReU1EQTRNRFF5TWxvWERUSXpNRGN5T1RBNApNRFF5TWxvd0tqRVRNQkVHQTFVRUNoTUtibTlpYkdGdFpXOXdjekVUTUJFR0ExVUVBeE1LZEdGdWRHbGhibkpoCmJqQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQURnZ0VQQURDQ0FRb0NnZ0VCQU1Jc0M0R2JSQ0NJYTUvZEt6elgKc3VtUXVxay9qclZRemJuSmpiVkY5ZVV6bU1OR3drTi9aanRrVU5ZTUNRMkRpY1JIRUJzTFVMTTJIWFN2Rm1XWQpUUGN6OEJWOHgvR214YXlWcVNmQTU4aDNtdjJERjhZdFB2aFlVc3hmUVZpUUxFRGFwRXpoV29TcFU3cHBGMnhhCnZjeG9GbDd3emRQWE9YMnhDQXNSQ3pINjB6cG9zSEJiNHBaSGJjYjNyQ1hjdHBnVlFDeklubWRGMWs0cmdweDkKSGsrek4rNzQ1R04vS1dMMWdLcFNhN2YxemdHdXVaT2FrZEhKaldGdCtWYzNFSG90SFQ3V3g1VTFrNXhmem5mSQo2VlkvN0NTbzR1K2hhSTg2RHBRaXZmdk1OM3ZGeURwOVR2UWVsOFJpZlFiMkxaMnlUYzdEL3hHQUJZRmFDbk5SCjl3a0NBd0VBQWFOR01FUXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUhBd0l3REFZRFZSMFRBUUgvQkFJd0FEQWYKQmdOVkhTTUVHREFXZ0JUTU00UG8ySW5McUhsRTFrSnFOMG56SVVnWERqQU5CZ2txaGtpRzl3MEJBUXNGQUFPQwpBUUVBZk5Qakc1M29UWUYrMU9mYkJDQzFHekNST092aDIzNFhvalhnK2hBbDRzdktDdmhodVllNW1kdlUxSm8wCklqZUp2WG9RQmhndWtGNFFxNnpHWU95d1lOWjVMK3AzTWRQU1lYY0ZPbS9iOWluY0l6TVhLTjI2WmVBNXpwaWgKdTUxNWJEVzJ3bzR2UDdEL01kUW5wTWM3em1YQVhhem5BVkRFZEg4WGdpeFlGZ0JDQUw3UTFrT25QMkxtR1RjRwpJMUhqRTFrZFMwQ0ZrMjFrTXYyN0JBVzV1ai9pMzA1eFMrQVRITWtoSUw1MjZFYVFmb3FiV3lnVDBjRS92UUxVCitMMG54R3MxWktIMlFRN3JyMTEwYkNZcnYyaW13UDljdTJWY2ZEcXlzQnZrZEpHd25idHFydjArT21aQzV3emcKOTFyMGpaQXBNck9ZUnZUMVNkYmJPeFhIK0E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb2dJQkFBS0NBUUVBd2l3TGdadEVJSWhybjkwclBOZXk2WkM2cVQrT3RWRE51Y21OdFVYMTVUT1l3MGJDClEzOW1PMlJRMWd3SkRZT0p4RWNRR3d0UXN6WWRkSzhXWlpoTTl6UHdGWHpIOGFiRnJKV3BKOERueUhlYS9ZTVgKeGkwKytGaFN6RjlCV0pBc1FOcWtUT0ZhaEtsVHVta1hiRnE5ekdnV1h2RE4wOWM1ZmJFSUN4RUxNZnJUT21pdwpjRnZpbGtkdHh2ZXNKZHkybUJWQUxNaWVaMFhXVGl1Q25IMGVUN00zN3Zqa1kzOHBZdldBcWxKcnQvWE9BYTY1Cms1cVIwY21OWVczNVZ6Y1FlaTBkUHRiSGxUV1RuRi9PZDhqcFZqL3NKS2ppNzZGb2p6b09sQ0s5Kzh3M2U4WEkKT24xTzlCNlh4R0o5QnZZdG5iSk56c1AvRVlBRmdWb0tjMUgzQ1FJREFRQUJBb0lCQUd6cU9kWU1XczJJMkIzRworSTdiU3Y4YWNLbW8vZ3FVZGFGRi9sZjFFelhxbUVESSt3VFRmR3ZLSEZIRVZIdWhFZkRvRDQrcjdDdHFLbUdlCktJajZRZ25UdDFMR09IMURGOVJ6Nm50akNHQjVQcFgvSjZIQkZYWkdUTU5ZbHhYdllQTkw4U2N5clF5RzBuRlkKcTR2YTVtVzI2UDErUTJZVmJxa2pXU2lqK2N5aE10MDNYTk00S3RnTEZ6QklHaXEvTy9XSzQvaTkxL0x0dFJMdgpXTExyZVd0TENGSnJvOXpwblRkVnMyQU5vQ1FTVUlZNktMcXRCTE1ZNTVVcjI0bDhkSjQwMm1sMFhxYVgrdTlJCjZxWVBjYkhqeTd1K0pNVFovazJ5a2VEcGN3OXJwOEVxQmhoY1U5U2VWYnZCTk45d3FOTk1mSWl1SE91eng1N2QKaEFvc2pJRUNnWUVBOXJTci8zR3FPK3diVGE0aElpVTJwSXk5ZXpnNEpFeWkrbytvNHpYOGc0dGsrNGZxM2NDQgo2ZmhEWXI5UUQ3Sm1ZaEhDbDRsWGI4d1VxcTI3OHlybVhmK3hnZVk3aTl5NlJOaU1MMXZTYTlON1FScGJXelZlCkgvU2VEQ0ZJeXVoTEJaT2ZXUW5nSG1xdU9vODR0N0R4N2hPbDBWSDRuS2tUVEFIeEhJN1JMRmtDZ1lFQXlYeTMKblVvN1FCWENGWjBmVHdpRDMzQnVrTXFTeFM3M1dDdXppRjV4cE12a28xVTA0ZTBVODdMWmJodnFySU02UnQxVQp1eWdUa3VSMDZ0bGpVQ3RNYlhZcGROSFY0N1lLTjVubDVTL29KWGJBaU1EU0U5a3B6djdYZS9jaXB5RDN4bW5PClBCWUxOZ0VBUWJvOG5pVkhqVzVJRWhJb29IcDc4OURkbmZoVkNqRUNnWUFXRWcyOUdZY1lPMFFxQytUczhCVlcKWFR6cVZCbzVyUjE3ZXZTcDl2OXpLVHBNZ2xsUm8xSThBempNRWI5dzJBM3V3aFg5aG96cTlILzQwUGdhaGdENwo4YzhJaHZkV3lOVmxLVlpKT2xhMXpNS2ZEV09VNGs1Y1gzN3dLTjRoUU96TlArcW1oWXFtVGZidVNEZlR2eUcxCm9jNVl6cE9HT0Y0QWs3L2xSU1dUYVFLQmdBaFU1ZXJWSlBvVGJFRWtqQ1RpZjBHQURySmlEZ3VsVTRrTDFaS3cKQlJjQmIyVHBveFFzajQ4OE9BMTdqZ3F3S25xL3NEOUUrdm82QkRPcDVaZHRFdTM3MHQ4SHhrWnlRcDNsK1VHdQo1M1NWSW9VRkpDcTU4aWFqRnhvRE1DV2xFVm5kQ2pBbDRUVE1lY3c5L1QrMDN1NlVQdHF3Y1ltaFJ2cmdDaW44CkdOZ2hBb0dBVzNub3NmOENPWUJFM0x0WXkwa0t0OTkyWmdIY2lPMWEvZzNMZkN4VnovenByWHdVVkJpRFRzZFkKK3BXZVV0aTJEb3d0cnZpVENpSHFCdE5DcDVpK3krYTM1ODR5c0xJYm9vKzh5eWFJenVVaERiNE4zaVpUU3J1SQpib0h3LzhtWTlCZmFzT0hLVnhlSnl5RzQzV3NoN2NUK2VFcGRBbkxsSndQSnhCTmdvYmc9Ci0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==
- scp 到我的开发机
scp kubeconfig-tantianran 192.168.11.254:~/.kube/config
❝
留神:如果想在开发机操作 k8s 集群,能够去官网或者在 master 节点上把 kubectl 二进制工具也 scp 到开发机器上即可,如果只是通过客户端库来操作 k8s,kubectl 能够不必。还有,记得在家目录创立.kube 目录,文件名改为 config,这样 kubectl 才会主动读取到。
❞
如果把 config 名字改为别的,比方改为 aaa,看看成果:
[root@workhost .kube]# mv config aaa
[root@workhost .kube]# kubectl get pod # 读取不到 config,因为 kubectl 默认就是读取 config
The connection to the server localhost:8080 was refused - did you specify the right host or port?
# 当然能够应用 --kubeconfig 选项指定 kubeconfig
[root@workhost .kube]# kubectl --kubeconfig=./aaa get pod
NAME READY STATUS RESTARTS AGE
csi-cephfsplugin-2pv6l 2/2 Running 30 (7h51m ago) 17d
csi-cephfsplugin-7c9rp 2/2 Running 31 (7h51m ago) 17d
csi-cephfsplugin-7rvl4 2/2 Running 31 (7h51m ago) 17d
csi-cephfsplugin-8slqr 2/2 Running 30 (7h51m ago) 17d
- 来验证一下普通用户的权限
[root@workhost .kube]# kubectl get pod
NAME READY STATUS RESTARTS AGE
csi-cephfsplugin-2pv6l 2/2 Running 30 (7h52m ago) 17d
csi-cephfsplugin-7c9rp 2/2 Running 31 (7h52m ago) 17d
...
[root@workhost .kube]# kubectl get ns
Error from server (Forbidden): namespaces is forbidden: User "tantianran" cannot list resource "namespaces" in API group "" at the cluster scope
[root@workhost .kube]# kubectl get pod -n default
Error from server (Forbidden): pods is forbidden: User "tantianran" cannot list resource "pods" in API group ""in the namespace"default"
[root@workhost .kube]# kubectl get pod -n rook-ceph
NAME READY STATUS RESTARTS AGE
csi-cephfsplugin-2pv6l 2/2 Running 30 (7h53m ago) 17d
csi-cephfsplugin-7c9rp 2/2 Running 31 (7h53m ago) 17d
...
[root@workhost .kube]# kubectl get deployment
Error from server (Forbidden): deployments.apps is forbidden: User "tantianran" cannot list resource "deployments" in API group "apps" in the namespace "rook-ceph"
[root@workhost .kube]# kubectl get svc
Error from server (Forbidden): services is forbidden: User "tantianran" cannot list resource "services" in API group ""in the namespace"rook-ceph"
❝
通过验证,tantianran 这个一般账户的权限的确很低,具体我也不再解释了,置信大家都懂的。
❞
并且,我要问大家几个简略的问题:
- 为啥没有指定命名空间也能查看到 pod?
- 为啥指定 default 命名空间提醒 error?
- 为啥查看 deployment 和 svc 提醒 error?
请把您的答案在评论区通知我,谢谢大家。
开始写代码
golang
更多示例请参考:https://github.com/kubernetes/client-go/tree/master/examples
- 装置客户端库
# 首次先装这个
go get k8s.io/client-go@latest
# 前面装这几个
go get k8s.io/apimachinery/pkg/apis/meta/v1
go get k8s.io/client-go/kubernetes
go get k8s.io/client-go/tools/clientcmd
- 写代码
package main
import (
"context"
"fmt"
v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/tools/clientcmd"
)
func main() {
// 在 kubeconfig 中应用以后上下文
// path-to-kubeconfig -- 例如 /root/.kube/config
config, _ := clientcmd.BuildConfigFromFlags("","/root/.kube/config")
// 创立 clientset
clientset, _ := kubernetes.NewForConfig(config)
// 拜访 API 以列出 Pod
pods, _ := clientset.CoreV1().Pods("rook-ceph").List(context.TODO(), v1.ListOptions{})
for _, pod := range pods.Items {fmt.Printf("命名空间名称:%s POD 名称:%s\n", pod.Namespace, pod.Name)
}
fmt.Printf("这个命名空间下有 %d 个 POD\n", len(pods.Items))
}
输入:
[root@workhost k8s]# go run main.go
命名空间名称:rook-ceph POD 名称:csi-cephfsplugin-2pv6l
命名空间名称:rook-ceph POD 名称:csi-cephfsplugin-7c9rp
命名空间名称:rook-ceph POD 名称:csi-cephfsplugin-7rvl4
命名空间名称:rook-ceph POD 名称:csi-cephfsplugin-8slqr
命名空间名称:rook-ceph POD 名称:csi-cephfsplugin-9mkkx
...
这个命名空间下有 61 个 POD
❝
这个例子是 k8s 官网文档里的一个例子,链接:https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/acc…。更多例子可参考:https://github.com/kubernetes/client-go/tree/master/examples。
❞
❝
当然,在我看来,例子它只是例子,最重要的是要把握它的套路。那么前提是你得有肯定开发能力,懂 golang 或者 python 或 java 等等。当然了,运维工程师我倡议是要懂 golang 或者 python。
❞
Python
请参考:https://github.com/kubernetes-client/python/tree/master/examples
- 装置相干库
pip install pick
pip install kubernetes
- 写代码
from pick import pick
from kubernetes import client, config
from kubernetes.client import configuration
def main():
config.load_kube_config(config_file="/root/.kube/config", context="tantianran")
v1 = client.CoreV1Api()
ret = v1.list_namespaced_pod(namespace="rook-ceph")
for item in ret.items:
print(
"%s\t%s\t%s" %
(item.status.pod_ip,
item.metadata.namespace,
item.metadata.name))
if __name__ == '__main__':
main()
输入:
[root@workhost k8s]# python main.py
192.168.11.17 rook-ceph csi-cephfsplugin-2pv6l
192.168.11.18 rook-ceph csi-cephfsplugin-7c9rp
192.168.11.11 rook-ceph csi-cephfsplugin-7rvl4
192.168.11.19 rook-ceph csi-cephfsplugin-8slqr
192.168.11.15 rook-ceph csi-cephfsplugin-9mkkx
192.168.11.20 rook-ceph csi-cephfsplugin-css2r
192.168.11.12 rook-ceph csi-cephfsplugin-dblnm
192.168.11.16 rook-ceph csi-cephfsplugin-nsbsp
192.168.11.14 rook-ceph csi-cephfsplugin-p79zj
192.168.11.13 rook-ceph csi-cephfsplugin-phw2t