Accessing the Kubernetes API from Python inside a pod

I need to get the details of resources from inside a pod and perform some actions based on the result. I am using the Kubernetes Python client inside the pod. Even with the Role in place I get Forbidden. I created the ServiceAccount/Role/RoleBinding as shown below. Can anyone help me with this issue?
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: myaccount
  namespace: dev
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: pods-reader-role
rules:
-apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-controller
  namespace: dev
subjects:
- kind: ServiceAccount
  name: myaccount
  apiGroup: ""
roleRef:
  kind: Role
  name: pods-reader-role
  apiGroup: ""
```
Output of the script:

```text
Listing pods with their IPs:
Traceback (most recent call last):
  File "/opt/scripts/bin/PodCont.py", line 792, in <module>
    main()
  File "/opt/scripts/bin/PodCont.py", line 596, in main
    ret = v1.list_pod_for_all_namespaces(watch=False)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api/core_v1_api.py", line 16864, in list_pod_for_all_namespaces
    return self.list_pod_for_all_namespaces_with_http_info(**kwargs)  # noqa: E501
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api/core_v1_api.py", line 16981, in list_pod_for_all_namespaces_with_http_info
    collection_formats=collection_formats)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 353, in call_api
    _preload_content, _request_timeout, _host)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 184, in __call_api
    _request_timeout=_request_timeout)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 377, in request
    headers=headers)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 243, in GET
    query_params=query_params)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 233, in request
    raise ApiException(http_resp=r)
kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Mon, 05 Apr 2021 09:47:13 GMT', 'Content-Length': '285'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:dev:deploy-svc-account\" cannot list resource \"pods\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}
```
Answer:

Answering this question, I think there are a few things to consider:

- Indentation
- The ServiceAccount the Pod runs as
- The Python code and the access scope

Indentation

The YAML manifests you included are not indented correctly. The correct manifests should look like this:

full.yaml:

(Note also the Role, as it allows all actions in the dev namespace.)

The ServiceAccount the Pod runs as

The potential issue here is that you created a ServiceAccount named `myaccount`, while the Pod is trying to authenticate as `deploy-svc-account` (User "system:serviceaccount:dev:deploy-svc-account" cannot list resource ...).

Please make sure the Pod runs with the correct serviceAccount, for example:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: sdk
  namespace: dev
spec:
  serviceAccountName: myaccount
```

Comments:

- Could you check the indentation in the list? It looks wrong. Maybe that is the problem.
- Hi @SanthooKumar, any progress? Did it work?
- Thanks Dawid Kruk, I missed the servicename in deployment.yaml and that solved my problem.
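As an added example (not code from the question or the answer), this is the diagnostic a practitioner would run inside the pod before calling the list API: it reads the mounted token to show which ServiceAccount the pod really runs as (the name the 403 message reports), asks the API server through a SelfSubjectAccessReview whether `list pods` is allowed in the pod's namespace versus the cluster scope that `list_pod_for_all_namespaces()` requires, and then lists pods only in its own namespace, which is all a namespaced Role can ever grant. It assumes the `kubernetes` pip package and the default token mount path; `encode_unsigned_token` and the claims it builds are constructed for offline testing only.

```python
import base64
import json
import os

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"  # standard token mount


def decode_sa_token(token):
    """Claims of the mounted service account JWT (no signature check: we only
    want to see the identity the API server will report in a 403)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def identity_from_claims(claims):
    """'sub' is system:serviceaccount:<namespace>:<name>; return (namespace, name)."""
    _, _, namespace, name = claims["sub"].split(":", 3)
    return namespace, name


def access_review_body(namespace, resource="pods", verb="list"):
    """SelfSubjectAccessReview body. namespace=None asks about the cluster scope,
    which a namespaced Role never grants (why list_pod_for_all_namespaces got 403)."""
    attrs = {"verb": verb, "resource": resource, "group": ""}
    if namespace is not None:
        attrs["namespace"] = namespace
    return {"apiVersion": "authorization.k8s.io/v1", "kind": "SelfSubjectAccessReview",
            "spec": {"resourceAttributes": attrs}}


def encode_unsigned_token(claims):
    """Constructed test helper: unsigned JWT-shaped string for offline use only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


def check_access_in_cluster():
    """Run inside the pod: show the real identity, ask the API server what it
    allows at each scope, then list pods only in the pod's own namespace."""
    from kubernetes import client, config  # assumed installed: pip package 'kubernetes'
    config.load_incluster_config()
    with open(os.path.join(SA_DIR, "token")) as f:
        namespace, name = identity_from_claims(decode_sa_token(f.read()))
    print("running as system:serviceaccount:%s:%s" % (namespace, name))
    authz = client.AuthorizationV1Api()
    for scope in (namespace, None):
        review = authz.create_self_subject_access_review(access_review_body(scope))
        print("list pods in %s: allowed=%s" % (scope or "cluster scope", review.status.allowed))
    for pod in client.CoreV1Api().list_namespaced_pod(namespace).items:
        print(pod.metadata.name, pod.status.pod_ip)
```

If the namespace-scoped review reports allowed but the cluster-scoped one does not, the Role is fine and the script just needs `list_namespaced_pod()`; if both are denied, the pod is running as a ServiceAccount the RoleBinding does not name.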