12

Have been trying to get the Python client for Kubernetes to work as expected. Had good luck with config.load_kube_config(). Now I'd like to use the Python client from a remote machine which has neither kubectl nor ~/.kube/config on it. Tried the Python client API reference such as this

Snippet:

from __future__ import print_function
import time
import kubernetes.client
from kubernetes.client.rest import ApiException
from pprint import pprint

# Configure API key authorization: BearerToken
configuration = kubernetes.client.Configuration()
configuration.api_key['authorization'] = 'YOUR_API_KEY'
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['authorization'] = 'Bearer'

At first it seemed I needed to use the default service-account-token where it says:

configuration.api_key['authorization'] = 'YOUR_API_KEY'

Soon realized that is not the case after seeing a lot of [SSL: CERTIFICATE_VERIFY_FAILED].

Can someone please give a hint as to where I can obtain this from my new install? Used kubeadm to bring up this cluster.

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.2", GitCommit:"5fa2db2bd46ac79e5e00a4e6ed24191080aa463b", GitTreeState:"clean", BuildDate:"2018-01-18T21:10:44Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.2", GitCommit:"5fa2db2bd46ac79e5e00a4e6ed24191080aa463b", GitTreeState:"clean", BuildDate:"2018-01-18T09:42:01Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}

<--------- Edit below ---------->

Managed to get token from master using:

$ kubectl describe secret $(kubectl get secrets | grep default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d '\t'

The above result is named ApiToken in the Python snippet below.

from kubernetes import client, config
from kubernetes.client.rest import ApiException
ApiToken = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tbXF0eG4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjA5NWQ3ZGVhLTA5MDgtMTFlOC04NTFiLTA4MDAyNzk0OGE2OSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.DBk6gyh4BFy-Gc94dihasYXLbspMvMEjuzFS-AEyNUwk6pR1zsdYOqxo5J-0t6qHN09JyyNK5Oz75cR6bYOGxir1a7SveQpXly4S2Iu3K3o6n8ys_kdP4lNMgBZy--rE0h4neG9s91ven36XP4nYZMwvWal56w39nCUmkomR2-DfhaD4-_Mqq2bd7lmETNinD2hpzTa9cf46VTTY0kcIwhk8FzxEtPA3kxoZul0AfpZT2QlyzLk9fTBRPjd57XbktBgQmiO2wppa_A1KN1Kg83fk1p40hSfY4Vf7Dr76rmKgAUVae-qkN725FWj-4NqzktjyAqalli5jcHo2leJv0A'
configuration = client.Configuration()
configuration.host = 'https://192.168.0.110:6443'
configuration.verify_ssl=False
configuration.debug = True
configuration.api_key={"authorization":"Bearer "+ ApiToken}
client.Configuration.set_default(configuration)
kubeApi = client.CoreV1Api()
try:
    allPods = kubeApi.list_pod_for_all_namespaces(watch=False)
except ApiException as e:
    print("Exception when calling CoreV1Api->list_pod_for_all_namespaces: %s\n" % e)

Response is an HTTP/1.1 403 Forbidden message.

reply: 'HTTP/1.1 403 Forbidden\r\n'
2018-02-10 09:37:49,801 DEBUG https://192.168.0.110:6443 "GET /api/v1/pods?watch=False HTTP/1.1" 403 243
header: Content-Type header: X-Content-Type-Options header: Date header: Content-Length Exception when calling CoreV1Api->list_pod_for_all_namespaces: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Sat, 10 Feb 2018 04:07:46 GMT', 'Content-Length': '243'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:default:default\" cannot list pods at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}

Troubleshooting this stage now.

papu
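
The question's second snippet gets past CERTIFICATE_VERIFY_FAILED by setting verify_ssl=False. The following is an added example, not code from the original post or from the kubernetes client project: it reads the token and the cluster CA from the same service-account secret and keeps verification on. It assumes the `kubernetes` package is installed and that the secret was exported with `kubectl get secret <name> -o json`; the helper names and the sample secret are constructed for illustration.

```python
import base64
import json
import tempfile

def extract_sa_credentials(secret_json):
    """Return (token, ca_pem) from `kubectl get secret <name> -o json` output."""
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account token secret")
    data = secret["data"]  # unlike `kubectl describe`, -o json keeps base64
    return (base64.b64decode(data["token"]).decode(),
            base64.b64decode(data["ca.crt"]).decode())

def build_configuration(host, token, ca_pem):
    """Bearer-token configuration with certificate verification left on."""
    # Imported here so extract_sa_credentials() works without the client installed.
    from kubernetes import client
    with tempfile.NamedTemporaryFile("w", suffix=".crt", delete=False) as ca_file:
        ca_file.write(ca_pem)
    cfg = client.Configuration()
    cfg.host = host                   # must match a SAN in the API server cert
    cfg.verify_ssl = True
    cfg.ssl_ca_cert = ca_file.name    # verify against the cluster's own CA
    cfg.api_key["authorization"] = token
    cfg.api_key_prefix["authorization"] = "Bearer"
    return cfg

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample secret; token and certificate are placeholders, not real.
SAMPLE_SECRET = json.dumps({
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "data": {
        "namespace": _b64("default"),
        "token": _b64("constructed.token.value"),
        "ca.crt": _b64("-----BEGIN CERTIFICATE-----\n(constructed)\n"
                       "-----END CERTIFICATE-----\n"),
    },
})

if __name__ == "__main__":
    token, ca_pem = extract_sa_credentials(SAMPLE_SECRET)
    cfg = build_configuration("https://192.168.0.110:6443", token, ca_pem)
    print(cfg.host, cfg.verify_ssl, cfg.ssl_ca_cert)
    # With real values: client.CoreV1Api(client.ApiClient(cfg)).list_namespaced_pod("default")
```
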

3 Answers

10

Maybe you need a token.

You can use any secret in the kube-system namespace:

$ kubectl get secrets -n kube-system 
$ kubectl describe secret/{secret_name} -n kube-system
Arslanbekov Denis
  • Thanks much. Managed to proceed a bit. Now stuck with a http 403 response. Edited above to reflect current status. – papu Feb 10 '18 at 04:23
  • Finally managed to persuade python client to work by a quick n dirty rbac binding. Details in [this github](https://github.com/papudatta/kubernetes_kubeadm) – papu Feb 10 '18 at 05:41
  • above link is unavailable. – Mithun Jul 06 '21 at 18:38
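
The 403 in the question names the identity that RBAC evaluated, and that identity comes from the claims inside the bearer token. The following is an added example, not code from the original posts or from the linked repository: it decodes a service-account token, checks it against the 403 body, and builds a ClusterRole and ClusterRoleBinding that allow only the denied request. It assumes the message format of the v1.9 output shown in the question; the object name `pod-lister-example` and the sample token are constructed.

```python
import base64
import json
import re

def jwt_claims(token):
    """Decode (without verifying) the payload segment of a service-account JWT."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def least_privilege_rbac(token, status_body, name="pod-lister-example"):
    """Build RBAC objects that allow only the request the 403 body describes."""
    claims, status = jwt_claims(token), json.loads(status_body)
    match = re.search(r'User "([^"]+)" cannot (\w+) .* at the cluster scope',
                      status.get("message", ""))
    if status.get("code") != 403 or not match:
        raise ValueError("not a cluster-scope RBAC denial in the v1.9 format")
    user, verb = match.groups()
    if user != claims["sub"]:  # RBAC evaluates the identity inside the token
        raise ValueError("denial is for a different identity than the token")
    details = status["details"]
    rbac = "rbac.authorization.k8s.io"
    role = {"apiVersion": rbac + "/v1", "kind": "ClusterRole",
            "metadata": {"name": name},
            "rules": [{"apiGroups": [details.get("group", "")],
                       "resources": [details["kind"]], "verbs": [verb]}]}
    binding = {"apiVersion": rbac + "/v1", "kind": "ClusterRoleBinding",
               "metadata": {"name": name},
               "roleRef": {"apiGroup": rbac, "kind": "ClusterRole", "name": name},
               "subjects": [{"kind": "ServiceAccount",
                   "name": claims["kubernetes.io/serviceaccount/service-account.name"],
                   "namespace": claims["kubernetes.io/serviceaccount/namespace"]}]}
    return {"apiVersion": "v1", "kind": "List", "items": [role, binding]}

def _seg(obj):  # helper used only to build the constructed token below
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
# Constructed, unsigned token carrying legacy service-account claim names.
SAMPLE_TOKEN = ".".join([_seg({"alg": "RS256", "typ": "JWT"}), _seg({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "sub": "system:serviceaccount:default:default"}), "constructed-signature"])
SAMPLE_403 = json.dumps({"kind": "Status", "status": "Failure", "code": 403,
    "message": 'pods is forbidden: User "system:serviceaccount:default:default" '
               "cannot list pods at the cluster scope",  # text from the question
    "reason": "Forbidden", "details": {"kind": "pods"}})

if __name__ == "__main__":
    print(json.dumps(least_privilege_rbac(SAMPLE_TOKEN, SAMPLE_403), indent=2))
```

The printed List object can be reviewed and then applied with `kubectl apply -f -`.
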
6
[root@master1 ~]# APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
[root@master1 ~]# SECRET_NAME=$(kubectl get secrets | grep ^default | cut -f1 -d ' ')
[root@master1 ~]# TOKEN=$(kubectl describe secret $SECRET_NAME | grep -E '^token' | cut -f2 -d':' | tr -d " ")
[root@master1 ~]# curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "11.127.4.111:6443"
    }
  ]
}[root@master1 ~]# 

  • 5
    While this may answer the question, you should [edit] your answer to include some explanation of how these commands answer the question, to provide context to future readers. A terminal screen block by itself is not immediately useful to those who might come across the same issue later on. – Hoppeduppeanut May 23 '19 at 22:19
0

If you have a running kubectl version and just want to reuse those credentials, then this is the code that you need:

from kubernetes import config
config.load_kube_config()

If you want to get some more examples to see this used in the context of proper code have a look here: https://github.com/kubernetes-client/python/tree/master/examples

Nils Ziehn