Kubernetes之python client连接k8s API cluster
大家在平时使用k8s可以说用到的最多的命令应该就是kubectl, 这个命令默认会在master上安装并与本地的k8s API cluster绑定token认证, 实现日常k8s的数据交互. 不过问题在于, 如果我们需要远程调用k8s API或者需要实现k8s自动化集成, 仅靠每次远程ssh集成使用kubectl命令这种偷懒的办法是远远不够的.
这里k8s官方给我们提供了两种比较主流的连接k8s API cluster的语言, 一种是GO, 另外一种就是我们DevOps比较主流的Python.
今天这里我将给大家介绍如何使用python client扩展包去编写脚本并远程连接k8s API cluster.
这样我们平时除了可以远程使用ssh+kubectl去与kubernetes进行命令行数据交互外, 同样可以在远程不依赖命令行直接连接k8s cluster API cluster, 与k8s进行python API交互, 方便我们后期利用python去对k8s进行自动化集成与二次开发.
这里我们不多说, 直接进入我们的runbook配置环节:
一.部署python client环境连接我们的k8s API cluster.
1.安装python3.6.5源及依赖包
# yum install epel-release -y
# yum groupinstall "Development tools" -y
# yum install zlib-devel bzip2-devel openssl-devel ncurses-devel zx-devel sqlite-devel readline-devel tk-devel gdbm-devel db4-devel libpcap-devel -y
2.编译安装python3.6.5以及pip package manager
# wget https://www.python.org/ftp/python/3.6.5/Python-3.6.5.tar.xz --no-check-certificate
# tar xf Python-3.6.5.tar.xz
# cd Python-3.6.5
# ./configure --prefix=/usr/local --with-ensurepip=install --enable-shared LDFLAGS="-Wl,-rpath /usr/local/lib"
# make && make altinstall
3.安装virtualenv
# pip3.6 install --upgrade pip
# pip3.6 install virtualenv
4.配置加载virtualenv环境
# virtualenv -p /usr/local/bin/python3 .py3env
# source .py3env/bin/activate
5.安装kubernetes python client扩展包
# pip install kubernetes
二.在k8s master获取API cluster URL与token
我们需要在创建python脚本前, 在k8s主机上创建一个admin权限的service account, 并获取其token 用来作为我们的脚本凭证.
1.抓取Cluster URL地址
# APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
# echo $APISERVER
2.创建k8s admin-user
# mkdir -p /kube/role
# cd /kube/role
在kube-system下创建admin-user
# vi CreateServiceAccount.yaml
apiVersion: v1 kind: ServiceAccount metadata: name: admin-user namespace: kube-system
给admin-user赋予admin权限
# vi CreateServiceAccount.yaml
apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: admin-user roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: admin-user namespace: kube-system
# kubectl create -f CreateServiceAccount.yaml
# kubectl create -f RoleBinding.yaml
3.获取admin-user token
# Token=$(kubectl describe secret $(kubectl get secret -n kube-system | grep ^admin-user | awk '{print $1}') -n kube-system | grep -E '^token'| awk '{print $2}')
# echo $Token
最后将token与APISERVER地址返回内容复制到python client主机上, 供脚本使用.
三. 在python client主机上编写脚本
1. 创建目录结构
# mkdir -p /kube/auth
# cd /kube/auth
# touch token.txt
2. 创建token.txt文件并将k8s主机上获取的Token字符串复制到该文件
这里我们获取的token会引入到我们的脚本下, 作为bearer authorization的api key与远程k8s API建立认证连接.
3. 编写python client脚本
# vi k8s_auth.py
#!/usr/bin/env python
from kubernetes import client, config
def main():
# Define the barer token we are going to use to authenticate.
# See here to create the token:
# https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/
with open('token.txt', 'r') as file:
Token = file.read().strip('\n')
APISERVER = 'https://10.110.16.14:6443'
# Create a configuration object
configuration = client.Configuration()
# Specify the endpoint of your Kube cluster
configuration.host = APISERVER
# Security part.
# In this simple example we are not going to verify the SSL certificate of
# the remote cluster (for simplicity reason)
configuration.verify_ssl = False
# Nevertheless if you want to do it you can with these 2 parameters
# configuration.verify_ssl=True
# ssl_ca_cert is the filepath to the file that contains the certificate.
# configuration.ssl_ca_cert="certificate"
configuration.api_key = {"authorization": "Bearer " + Token}
# configuration.api_key["authorization"] = "bearer " + Token
# configuration.api_key_prefix['authorization'] = 'Bearer'
# configuration.ssl_ca_cert = 'ca.crt'
# Create a ApiClient with our config
client.Configuration.set_default(configuration)
# Do calls
v1 = client.CoreV1Api()
print("Listing pods with their IPs:")
ret = v1.list_pod_for_all_namespaces(watch=False)
for i in ret.items:
print("%s\t%s\t%s" %
(i.status.pod_ip, i.metadata.namespace, i.metadata.name))
if __name__ == '__main__':
main()
这个脚本通过抓取同目录的k8s token字符串, 以及我们之前获取到的api server地址,利用python kubernetes扩展模块连接我们的远程API, 最终实现打印我们k8s所有namespace下的所有pods.
实际效果与kubectl get pods --all-namespaces类似.
4. 修改权限并执行
# chmod 755 k8s_auth.py
# ./k8s_auth.py
Listing pods with their IPs: ... 10.244.1.3 default db 10.244.1.2 default kubernetes-downwardapi-volume-example 10.244.1.245 default nginx1-7-deployment-667547b6d8-c5nsr 10.244.1.239 default nginx1-7-deployment-667547b6d8-mjxq4 10.244.1.247 default nginx1-8-deployment-d46768cf9-888v8 10.244.1.242 default nginx1-8-deployment-d46768cf9-fglq2 10.110.16.14 kube-system etcd-kube-master 10.110.16.14 kube-system kube-apiserver-kube-master 10.110.16.14 kube-system kube-controller-manager-kube-master 10.244.1.241 kube-system kube-dns-6f4fd4bdf-qsxrj 10.110.16.14 kube-system kube-flannel-ds-5sdlg 10.110.16.15 kube-system kube-flannel-ds-qctv4 10.110.16.14 kube-system kube-proxy-5nscq 10.110.16.15 kube-system kube-proxy-6g7jc 10.110.16.14 kube-system kube-scheduler-kube-master 10.244.1.246 kube-system kubernetes-dashboard-58f5cb49c-6dxgn 10.244.1.240 kube-system tiller-deploy-cbb85d8dc-f6rsv 10.110.16.15 kube-system traefik-ingress-lb-765c44656f-fkzxb 10.244.1.243 spinnaker kubelive-create-bucket-wxlv4 10.244.1.244 spinnaker kubelive-delete-jobs-zhn75
这样我们就成功的编写完成python client脚本连接k8s API cluster, 将所有namespace下的pod的基本信息打印出来.
Finished...
本文链接:http://www.showerlee.com/archives/2804
5条大神的评论
不错! 亲测好用
怎么执行yaml来创建pod呢?
详见python kubernetes 模块的配置文档
如果要启用SSL的话,怎样从数据库中实现读取CA而不是从文件读取?
不启用SSL验证的话,总感觉不安全。而且urllib3会告警,又必须要关闭这个警告。urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
我想从数据库中读取对应K8S集群的TOKEN。官方默认是指定ca.crt的路径,而我也想从数据库中读取它。
这个要看你怎么设计数据库了