7-15 1 views
参考:https://kubernetes.io/zh/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod
参考:https://github.com/kubernetes/client-go/blob/master/examples/in-cluster-client-configuration/main.go
参考:https://www.itnotebooks.com/?p=1580
参考:https://www.itnotebooks.com/?p=1583
InClusterConfig
默认pod内会挂载所在namespace的默认服务账户default的token和认证密钥在运行时目录下
我们先来看一段源码
> k8s.io/client-go/rest/config.go
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
// InClusterConfig returns a config object which uses the service account // kubernetes gives to pods. It's intended for clients that expect to be // running inside a pod running on kubernetes. It will return ErrNotInCluster // if called from a process not running in a kubernetes environment. func InClusterConfig() (*Config, error) { const ( tokenFile = "/var/run/secrets/kubernetes.io/serviceaccount/token" rootCAFile = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt" ) host, port := os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT") if len(host) == 0 || len(port) == 0 { return nil, ErrNotInCluster } token, err := ioutil.ReadFile(tokenFile) if err != nil { return nil, err } tlsClientConfig := TLSClientConfig{} if _, err := certutil.NewPool(rootCAFile); err != nil { klog.Errorf("Expected to load root CA config from %s, but got err: %v", rootCAFile, err) } else { tlsClientConfig.CAFile = rootCAFile } return &Config{ // TODO: switch to using cluster DNS. Host: "https://" + net.JoinHostPort(host, port), TLSClientConfig: tlsClientConfig, BearerToken: string(token), BearerTokenFile: tokenFile, }, nil } |
基于以上信息说明,如果我们是在K8S的集群内运行我们的代码,则不需要考虑认证方式的问题
注:默认namespace下的default用户权限比较小,能查看pod
创建一个K8S客户端
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
func NewK8SClient() *Client { // creates the in-cluster config config, err := rest.InClusterConfig() if err != nil { panic(err.Error()) } // creates the clientset client, err := kubernetes.NewForConfig(config) if err != nil { panic(err.Error()) } return &Client{ Client: client, } } |
解决default用户权限的问题
一般情况下还是新创建一个用户来解决
在部署文档中指定以何用户的身份与API Server进行交互
使用spec下的serviceAccountName指定刚创建的用户
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 |
kind: CronJob metadata: name: fireye namespace: itnotebooks spec: schedule: "*/5 * * * *" jobTemplate: spec: template: spec: serviceAccountName: fireye volumes: - name: pv-nas-itnotebooks-logs persistentVolumeClaim: claimName: pv-nas-itnotebooks-logs containers: - name: fireye image: registry-vpc.cn-hangzhou.aliyuncs.com/itnotebooks/fireye:af834e1-1626259813 imagePullPolicy: Always volumeMounts: - name: pv-nas-itnotebooks-logs mountPath: /var/apps/logs command: - /bin/sh - /var/apps/bin/startup.sh restartPolicy: OnFailure |
如果想赏钱,可以用微信扫描下面的二维码,一来能刺激我写博客的欲望,二来好维护云主机的费用; 另外再次标注博客原地址 itnotebooks.com 感谢!
