Accessing the k8s API via Python inside a pod

Tags: python, kubernetes, microservices

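I need to get resource details from inside the pod and perform some operations depending on the result. I am using the k8s Python client inside the pod. After setting up the role, I am getting Forbidden.

I created the ServiceAccount/Role/RoleBinding as shown below.

Can anyone help me with this issue?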

apiVersion: v1
kind: ServiceAccount
metadata:
name: myaccount
namespace: dev
          
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: dev
name: pods-reader-role
rules:
-apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: pod-controller
namespace: dev
subjects:
- kind: ServiceAccount
name: myaccount
apiGroup: ""
roleRef:
kind: Role
name: pods-reader-role
apiGroup: ""


Listing pods with their IPs:
Traceback (most recent call last):
  File "/opt/scripts/bin/PodCont.py", line 792, in <module>
    main()
  File "/opt/scripts/bin/PodCont.py", line 596, in main
    ret = v1.list_pod_for_all_namespaces(watch=False)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api/core_v1_api.py", line 16864, in list_pod_for_all_namespaces
    return self.list_pod_for_all_namespaces_with_http_info(**kwargs)  # noqa: E501
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api/core_v1_api.py", line 16981, in list_pod_for_all_namespaces_with_http_info
    collection_formats=collection_formats)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 353, in call_api
    _preload_content, _request_timeout, _host)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 184, in __call_api
    _request_timeout=_request_timeout)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 377, in request
    headers=headers)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 243, in GET
    query_params=query_params)
  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 233, in request
    raise ApiException(http_resp=r)
kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Mon, 05 Apr 2021 09:47:13 GMT', 'Content-Length': '285'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:dev:deploy-svc-account\" cannot list resource \"pods\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}
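Answering the question, I think there are a few things to consider:

  • Indentation
  • The Service Account running the Pod
  • Python code and access scope

As nothing more is given in the question, we can at most assume how exactly you have configured your setup.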


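Indentation

The YAML manifest you included is not indented correctly. The correct manifest should look like this:

  • full.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: myaccount
  namespace: dev
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: dev
  name: pods-reader-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-controller
  namespace: dev
subjects:
- kind: ServiceAccount
  name: myaccount
  apiGroup: ""
roleRef:
  kind: Role
  name: pods-reader-role
  apiGroup: ""

Side note

Consider creating a more restrictive Role for your use case, as this one allows everything in the dev namespace.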


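The Service Account running the Pod

The potential issue here is that you created a ServiceAccount named myaccount, while the Pod is trying to authenticate with deploy-svc-account. (User \"system:serviceaccount:dev:deploy-svc-account\" cannot list resource)

Please make sure you run the Pod with the correct serviceAccount.

For example:

apiVersion: v1
kind: Pod
metadata:
  name: sdk
  namespace: dev
spec:
  serviceAccountName: myaccount #

Comments:

Can you check the indentation in the listing? It looks wrong. Maybe that is the problem.

Hi @SanthooKumar, any progress?

Thanks Dawid Kruk, I missed the servicename in deployment.yaml, and that solved my problem.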
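
A diagnostic sketch for the 403 in this thread, added here as an example and not part of the original question or answer: it parses the Status body from the traceback and flags the two mismatches visible in it, the identity that made the request and the cluster scope of the request. The function name `diagnose_forbidden` and the report layout are assumptions of this example.

```python
import json
import re

# Response body copied verbatim from the 403 in the question's traceback.
FORBIDDEN_BODY = r'''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:dev:deploy-svc-account\" cannot list resource \"pods\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}'''

# Shape of an RBAC denial message for a service account; the tail names either
# a target namespace or the cluster scope.
DENIAL = re.compile(
    r'User "system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)" cannot '
    r'(?P<verb>\S+) resource "(?P<resource>[^"]+)" in API group "[^"]*"'
    r'(?: in the namespace "(?P<target_ns>[^"]+)"| at the cluster scope)'
)


def diagnose_forbidden(body, expected_ns, expected_sa):
    """Compare a 403 Status body with the identity the RoleBinding was written for."""
    status = json.loads(body)
    match = DENIAL.search(status.get("message", ""))
    if status.get("code") != 403 or match is None:
        raise ValueError("not an RBAC denial for a service account")
    findings = []
    if (match["ns"], match["sa"]) != (expected_ns, expected_sa):
        findings.append(
            "identity: request came from %s/%s, RoleBinding subject is %s/%s; "
            "set spec.serviceAccountName on the Pod"
            % (match["ns"], match["sa"], expected_ns, expected_sa))
    if match["target_ns"] is None:
        findings.append(
            "scope: %s %s was requested at cluster scope; a Role and RoleBinding "
            "only grant access inside their own namespace"
            % (match["verb"], match["resource"]))
    return {
        "namespace": match["ns"],
        "service_account": match["sa"],
        "verb": match["verb"],
        "resource": match["resource"],
        "cluster_scope": match["target_ns"] is None,
        "findings": findings,
    }


if __name__ == "__main__":
    report = diagnose_forbidden(FORBIDDEN_BODY, "dev", "myaccount")
    print("\n".join(report["findings"]))
```

With the Role and RoleBinding from this page, a namespaced call such as `list_namespaced_pod("dev")` stays inside what the binding can grant, whereas `list_pod_for_all_namespaces` needs a ClusterRole and ClusterRoleBinding.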