client-go InClusterConfig 实现Pod内与K8S API Server交互

7-15 DEVOPS,Golang Eric Winn 1 views

client-go InClusterConfig 实现Pod内与K8S API Server交互

7-15 1 views

参考：https://kubernetes.io/zh/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod
参考：https://github.com/kubernetes/client-go/blob/master/examples/in-cluster-client-configuration/main.go
参考：https://www.itnotebooks.com/?p=1580
参考：https://www.itnotebooks.com/?p=1583

InClusterConfig

默认pod内会挂载所在namespace的默认服务账户default的token和认证密钥在运行时目录下

我们先来看一段源码

> k8s.io/client-go/rest/config.go

// InClusterConfig returns a config object which uses the service account
// kubernetes gives to pods. It's intended for clients that expect to be
// running inside a pod running on kubernetes. It will return ErrNotInCluster
// if called from a process not running in a kubernetes environment.
func InClusterConfig() (*Config, error) {
	const (
		tokenFile  = "/var/run/secrets/kubernetes.io/serviceaccount/token"
		rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
	)
	host, port := os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT")
	if len(host) == 0 || len(port) == 0 {
		return nil, ErrNotInCluster
	}

	token, err := ioutil.ReadFile(tokenFile)
	if err != nil {
		return nil, err
	}

	tlsClientConfig := TLSClientConfig{}

	if _, err := certutil.NewPool(rootCAFile); err != nil {
		klog.Errorf("Expected to load root CA config from %s, but got err: %v", rootCAFile, err)
	} else {
		tlsClientConfig.CAFile = rootCAFile
	}

	return &Config{
		// TODO: switch to using cluster DNS.
		Host:            "https://" + net.JoinHostPort(host, port),
		TLSClientConfig: tlsClientConfig,
		BearerToken:     string(token),
		BearerTokenFile: tokenFile,
	}, nil
}

// InClusterConfig returns a config object which uses the service account

// kubernetes gives to pods. It's intended for clients that expect to be

// running inside a pod running on kubernetes. It will return ErrNotInCluster

// if called from a process not running in a kubernetes environment.

func InClusterConfig() (*Config, error) {

const (

tokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token"

rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"

)

host, port := os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT")

if len(host) == 0 || len(port) == 0 {

return nil, ErrNotInCluster

}

token, err := ioutil.ReadFile(tokenFile)

if err != nil {

return nil, err

}

tlsClientConfig := TLSClientConfig{}

if _, err := certutil.NewPool(rootCAFile); err != nil {

klog.Errorf("Expected to load root CA config from %s, but got err: %v", rootCAFile, err)

} else {

tlsClientConfig.CAFile = rootCAFile

}

return &Config{

// TODO: switch to using cluster DNS.

Host: "https://" + net.JoinHostPort(host, port),

TLSClientConfig: tlsClientConfig,

BearerToken: string(token),

BearerTokenFile: tokenFile,

}, nil

}

基于以上信息说明，如果我们是在K8S的集群内运行我们的代码，则不需要考虑认证方式的问题
注：默认namespace下的default用户权限比较小，能查看pod

创建一个K8S客户端

func NewK8SClient() *Client {

	// creates the in-cluster config
	config, err := rest.InClusterConfig()
	if err != nil {
		panic(err.Error())
	}

	// creates the clientset
	client, err := kubernetes.NewForConfig(config)
	if err != nil {
		panic(err.Error())
	}
	return &Client{
		Client: client,
	}
}

func NewK8SClient() *Client {

// creates the in-cluster config

config, err := rest.InClusterConfig()

if err != nil {

panic(err.Error())

}

// creates the clientset

client, err := kubernetes.NewForConfig(config)

if err != nil {

panic(err.Error())

}

return &Client{

Client: client,

}

解决default用户权限的问题

一般情况下还是新创建一个用户来解决

K8S RBAC授权

在部署文档中指定以何用户的身份与API Server进行交互

使用spec下的serviceAccountName指定刚创建的用户

kind: CronJob
metadata:
  name: fireye
  namespace: itnotebooks
spec:
  schedule: "*/5 * * * *"
  jobTemplate:
    spec:
      template:
        spec:
          serviceAccountName: fireye
          volumes:
            - name: pv-nas-itnotebooks-logs
              persistentVolumeClaim:
                claimName: pv-nas-itnotebooks-logs

          containers:
          - name: fireye
            image: registry-vpc.cn-hangzhou.aliyuncs.com/itnotebooks/fireye:af834e1-1626259813
            imagePullPolicy: Always
            volumeMounts:
              - name: pv-nas-itnotebooks-logs
                mountPath: /var/apps/logs
            command:
            - /bin/sh
            - /var/apps/bin/startup.sh

          restartPolicy: OnFailure

kind: CronJob

metadata:

name: fireye

namespace: itnotebooks

spec:

schedule: "*/5 * * * *"

jobTemplate:

spec:

template:

spec:

serviceAccountName: fireye

volumes:

- name: pv-nas-itnotebooks-logs

persistentVolumeClaim:

claimName: pv-nas-itnotebooks-logs

containers:

- name: fireye

image: registry-vpc.cn-hangzhou.aliyuncs.com/itnotebooks/fireye:af834e1-1626259813

imagePullPolicy: Always

volumeMounts:

- name: pv-nas-itnotebooks-logs

mountPath: /var/apps/logs

command:

- /bin/sh

- /var/apps/bin/startup.sh

restartPolicy: OnFailure

如果想赏钱，可以用微信扫描下面的二维码，一来能刺激我写博客的欲望，二来好维护云主机的费用；另外再次标注博客原地址 itnotebooks.com 感谢！

版权属于: Eric

原文地址: https://www.itnotebooks.com/?p=1588

转载时必须以链接形式注明原始出处及本声明。

client-go InClusterConfig 实现Pod内与K8S API Server交互

client-go InClusterConfig 实现Pod内与K8S API Server交互

欢迎留言 取消回复

欢迎留言取消回复