Create a ServiceAccount dedicated to accessing the API:
kind: ClusterRoleBinding
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the served version
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: api-admin
    namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: api-admin
  namespace: kube-system
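Here I bind this ServiceAccount directly to cluster-admin. In real use, plan the permissions carefully and grant the ServiceAccount only what it needs: for example, if you only need to read Pod information through the API, granting just the get pod permission is enough.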
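A read-only alternative to the cluster-admin binding above, as an added example that is not part of the original post. The names api-reader and api-reader-binding are hypothetical; the namespaces rule is included because the Python test script on this page calls list_namespace().

```yaml
# Added example: read-only replacement for the cluster-admin binding.
# "api-reader" and "api-reader-binding" are hypothetical names.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: api-reader
rules:
  # list_namespace() issues a cluster-scoped "list" on namespaces
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list"]
  # Read Pod objects only: no write verbs, no secrets, no pods/exec
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: api-reader-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: api-reader
subjects:
  # Same ServiceAccount as in the post
  - kind: ServiceAccount
    name: api-admin
    namespace: kube-system
```

With this binding in place of the admin one, `kubectl auth can-i list namespaces --as=system:serviceaccount:kube-system:api-admin` should answer yes, and the same check for `list secrets` should answer no.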
Get the token:
$ kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/api-admin/{print $1}') | grep 'token:' | awk '{print $2}'
eyJhbGciOiJSUzI1NiIsImtpZCI6InRJRDV3TGlWRG5PWVQ0LUFzN3dqSy05bl9DZlFLMEM4aXFidHozMzcwWVkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhcGktYWRtaW4tdG9rZW4tcXJkc3IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiYXBpLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiODhmYmZiN2YtYzhhMC00MjQ1LTlkYWUtMTkzMmRhNGI2NTdjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmFwaS1hZG1pbiJ9.odgAsbq1mDFQuInevlQ_pyb0dadT6EKfXsM-BJAYThp1Yr3mh3xegtXmZqwvBDGWBEkOTLjZYzf25fSARQWPZ4tGRs9qQ22-xnrQcAOf8wGOLuqO8hbcw2-HX6uwRHy39ISvxHZ0nQ260eShAGOnfLGemZoBYFOQcmabKRO2QG1qfxMyYmvkeGEx0giGcScrDvcHC5LzhBgBUgpsQuYz_4l8vX74A9LNf9VOrJWb5vra548Uva_KCtij4XAgMt5BdQuV-av5LCf6MoPbqEj3t9X1mSPhM02OxY_I6EJipJ1UVm-Yb5yb1mXRhFsNZc5QA_F8zm_dHj2TIAbJywfILA
Install the Kubernetes client module with pip:
$ pip install kubernetes
Run a Python script to test fetching cluster resources:
import urllib3
from kubernetes import client
from kubernetes.client.api import core_v1_api
# Suppress the certificate verification warnings
urllib3.disable_warnings()
# Address of the API Server
api_server_url = 'https://10.0.1.110:7443'
# Token of the api-admin ServiceAccount
token = 'eyJhbGciOiJSUzI1NiIsImtpZCI6InRJRDV3TGlWRG5PWVQ0LUFzN3dqSy05bl9DZlFLMEM4aXFidHozMzcwWVkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhcGktYWRtaW4tdG9rZW4tcXJkc3IiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiYXBpLWFkbWluIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiODhmYmZiN2YtYzhhMC00MjQ1LTlkYWUtMTkzMmRhNGI2NTdjIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmFwaS1hZG1pbiJ9.odgAsbq1mDFQuInevlQ_pyb0dadT6EKfXsM-BJAYThp1Yr3mh3xegtXmZqwvBDGWBEkOTLjZYzf25fSARQWPZ4tGRs9qQ22-xnrQcAOf8wGOLuqO8hbcw2-HX6uwRHy39ISvxHZ0nQ260eShAGOnfLGemZoBYFOQcmabKRO2QG1qfxMyYmvkeGEx0giGcScrDvcHC5LzhBgBUgpsQuYz_4l8vX74A9LNf9VOrJWb5vra548Uva_KCtij4XAgMt5BdQuV-av5LCf6MoPbqEj3t9X1mSPhM02OxY_I6EJipJ1UVm-Yb5yb1mXRhFsNZc5QA_F8zm_dHj2TIAbJywfILA'
configuration = client.Configuration()
configuration.host = api_server_url
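# Skip certificate verification (test setup only; to keep verification on,
# point configuration.ssl_ca_cert at the cluster CA file instead)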
configuration.verify_ssl = False
configuration.api_key = {"authorization": "Bearer " + token}
client1 = client.api_client.ApiClient(configuration=configuration)
api = core_v1_api.CoreV1Api(client1)
# Fetch the namespace list object
namespaces = api.list_namespace()
# Iterate over the namespace list and print each namespace's name
for namespace in namespaces.items:
    print(namespace.metadata.name)
'''
default
haproxy-controller
kube-node-lease
kube-public
kube-system
kubernetes-dashboard
'''