k8s pods: operating on k8s resources from a program running inside a pod (InClusterConfig)

Reader submission · 352 · 2022-09-12

When we develop a program that needs to access resources such as pods and deployments in a k8s cluster, we use the k8s.io/client-go module. Using it takes the following steps:

1. Obtain a config object

clientcmd.BuildConfigFromFlags: build the config from the path of a kubeconfig file

rest.InClusterConfig: use the token and other material that the pod already carries

2. Create a k8s client

3. Use the k8s client to fetch k8s resources

package main

import (
	"context"
	"fmt"
	"os"
	"path/filepath"

	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/rest"
	"k8s.io/client-go/tools/clientcmd"
	"k8s.io/client-go/util/homedir"
)

func main() {
	kubeConfig, err := CreateKubeConfig()
	if err != nil {
		panic(err)
	}
	kubeClient, err := kubernetes.NewForConfig(kubeConfig)
	if err != nil {
		panic(err)
	}
	// Fetch pod resources; "" means all namespaces
	pods, err := kubeClient.CoreV1().Pods("").List(context.Background(), v1.ListOptions{})
	if err != nil {
		panic(err)
	}
	fmt.Printf("found %d pods\n", len(pods.Items))
}

// PathExists reports whether a file exists at path.
func PathExists(path string) (bool, error) {
	_, err := os.Stat(path)
	if err == nil {
		return true, nil
	}
	if os.IsNotExist(err) {
		return false, nil
	}
	return false, err
}

// CreateKubeConfig prefers ~/.kube/config (local testing) and falls back to the
// in-cluster config when the program runs inside a pod.
func CreateKubeConfig() (*rest.Config, error) {
	kubeConfigPath := ""
	if home := homedir.HomeDir(); home != "" {
		kubeConfigPath = filepath.Join(home, ".kube", "config")
	}
	fileExist, err := PathExists(kubeConfigPath)
	if err != nil {
		return nil, fmt.Errorf("check whether kubeConfigPath exists: %v", err)
	}
	// If the .kube/config file exists, use it; this is mainly for local testing
	if fileExist {
		config, err := clientcmd.BuildConfigFromFlags("", kubeConfigPath)
		if err != nil {
			return nil, err
		}
		return config, nil
	}
	// When the program runs as a pod, this branch is taken
	config, err := rest.InClusterConfig()
	if err != nil {
		return nil, err
	}
	return config, nil
}

Below we focus on InClusterConfig.

1. Create a ServiceAccount

To operate on k8s resources, some ServiceAccount has to be granted the permissions.

For example, to operate on pod resources we create the following resources.

Once they are created, the ServiceAccount opPodServiceAccount has permission to list and watch pods. Note that the API server requires ServiceAccount names to be lowercase DNS-1123 subdomain names, so a mixed-case name such as opPodServiceAccount is rejected on apply; use a name like op-pod-service-account (the Deployment later in this post uses the all-lowercase live-media-watch-pod).

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: opPodClusterRole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: opPodClusterRoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: opPodClusterRole
subjects:
- kind: ServiceAccount
  name: opPodServiceAccount
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: opPodServiceAccount
  namespace: default

2. Make the pod that runs the program use the ServiceAccount above (the pod spec field serviceAccount is a deprecated alias of serviceAccountName; the API server fills in both, as the pod YAML below shows)

serviceAccount: live-media-watch-pod

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    operator: live-media-watch-pod
  name: live-media-watch-pod
  namespace: bixin-system
spec:
  replicas: 1
  selector:
    matchLabels:
      operator: live-media-watch-pod
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        operator: live-media-watch-pod
    spec:
      containers:
      - image: ******.**.com/k8s/live-media-watch-pod:202201211654
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 10
          httpGet:
            path: healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          periodSeconds: 5
          successThreshold: 1
          timeoutSeconds: 3
        name: live-media-watch-pod
        readinessProbe:
          failureThreshold: 10
          httpGet:
            path: healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          periodSeconds: 5
          successThreshold: 1
          timeoutSeconds: 3
      serviceAccount: live-media-watch-pod

After that, when we look at the pod's YAML we see that the pod automatically gained an extra volume, backed by the secret live-media-watch-pod-token-fhvk2.

That secret is mounted at the path /var/run/secrets/kubernetes.io/serviceaccount.

apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubernetes.io/psp: ack.privileged
  creationTimestamp: "2022-01-21T08:57:44Z"
  generateName: live-media-watch-pod-6f688c8b98-
  labels:
    operator: live-media-watch-pod
    pod-template-hash: 6f688c8b98
  name: live-media-watch-pod-6f688c8b98-w9txp
  namespace: bixin-system
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: live-media-watch-pod-6f688c8b98
    uid: 79843c47-296c-4bbb-8ff3-82d7fe74719b
  resourceVersion: "83659547"
  uid: 23ef3ff1-bef6-4d7d-9e75-faea932f7919
spec:
  containers:
  - image: **.**.com/k8s/live-media-watch-pod:202201211654
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 10
      httpGet:
        path: healthz
        port: 8080
        scheme: HTTP
      initialDelaySeconds: 30
      periodSeconds: 5
      successThreshold: 1
      timeoutSeconds: 3
    name: live-media-watch-pod
    readinessProbe:
      failureThreshold: 10
      httpGet:
        path: healthz
        port: 8080
        scheme: HTTP
      initialDelaySeconds: 30
      periodSeconds: 5
      successThreshold: 1
      timeoutSeconds: 3
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: live-media-watch-pod-token-fhvk2
      readOnly: true
  serviceAccount: live-media-watch-pod
  serviceAccountName: live-media-watch-pod
  volumes:
  - name: live-media-watch-pod-token-fhvk2
    secret:
      defaultMode: 420
      secretName: live-media-watch-pod-token-fhvk2

You can also enter the pod and inspect that directory.

3. Reading the InClusterConfig source

It, too, reads the token from the path /var/run/secrets/kubernetes.io/serviceaccount.

In fact k8s also has a default ServiceAccount, named default, which is mounted at the same path in every pod; its permissions are minimal, which is why a custom ServiceAccount has to be created.

apiVersion: v1
kind: Pod
metadata:
  name: live-media-agent-cpu-6kzfc
  namespace: ops
spec:
  containers:
  - image: **.*.com/ops/live-media-agent:202201221010
    imagePullPolicy: IfNotPresent
    name: live-media-agent-cpu
    volumeMounts:
    - mountPath: /data/config
      name: vol1
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: default-token-5jqzn
      readOnly: true
  serviceAccount: default
  serviceAccountName: default
  volumes:
  - name: default-token-5jqzn
    secret:
      defaultMode: 420
      secretName: default-token-5jqzn
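As an added example (not code from the original post or from client-go), the following standard-library-only Go program re-implements the discovery that section 3 describes rest.InClusterConfig performing: the API server address comes from the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT environment variables, and the bearer token and CA bundle are read from the mounted /var/run/secrets/kubernetes.io/serviceaccount directory. It then decodes the token's claims, without verifying the signature, so the program can check which ServiceAccount identity it is about to use; that catches the situation the previous paragraph warns about, a pod that silently fell back to the low-privilege default ServiceAccount. Everything that differs from client-go is this example's own choice: the loader takes the directory and an environment lookup as parameters so it runs outside a cluster, it fails when ca.crt is missing (client-go only logs a warning), SampleToken builds a constructed, unsigned token purely so the demo has input, and the decoder goes beyond the legacy secret-based tokens shown in the manifests above by falling back to the sub claim for newer bound tokens.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// ErrNotInCluster mirrors the error rest.InClusterConfig returns when the service env vars are unset.
var ErrNotInCluster = errors.New("not in cluster: KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT must be set")

// InClusterConfig holds the parts of a rest.Config that come from the pod environment.
type InClusterConfig struct {
	Host        string // https://<service host>:<port>
	BearerToken string // mounted token file, whitespace trimmed
	CAData      []byte // mounted ca.crt
}

// LoadInClusterConfig re-implements the discovery rest.InClusterConfig performs. dir and getenv are
// this example's parameters (client-go has none) so it runs outside a pod; unlike client-go, a missing ca.crt fails.
func LoadInClusterConfig(dir string, getenv func(string) string) (*InClusterConfig, error) {
	host, port := getenv("KUBERNETES_SERVICE_HOST"), getenv("KUBERNETES_SERVICE_PORT")
	if host == "" || port == "" {
		return nil, ErrNotInCluster
	}
	token, err := os.ReadFile(filepath.Join(dir, "token"))
	if err != nil {
		return nil, fmt.Errorf("read service account token: %w", err)
	}
	ca, err := os.ReadFile(filepath.Join(dir, "ca.crt"))
	if err != nil {
		return nil, fmt.Errorf("read cluster CA bundle: %w", err)
	}
	return &InClusterConfig{Host: "https://" + net.JoinHostPort(host, port),
		BearerToken: strings.TrimSpace(string(token)), CAData: ca}, nil
}

// ServiceAccountClaims: legacy secret-based tokens carry the kubernetes.io/serviceaccount/* keys;
// bound tokens guarantee only sub = system:serviceaccount:<namespace>:<name>.
type ServiceAccountClaims struct {
	Subject   string `json:"sub"`
	Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
	Name      string `json:"kubernetes.io/serviceaccount/service-account.name"`
}

// DecodeTokenClaims parses the JWT payload WITHOUT verifying the signature (only the API server can);
// the result is for checking the pod's configuration, never for an authorization decision.
func DecodeTokenClaims(token string) (*ServiceAccountClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a JWT (expected 3 dot-separated segments)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode JWT payload: %w", err)
	}
	var c ServiceAccountClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("parse JWT claims: %w", err)
	}
	// Bound tokens lack the legacy keys: derive namespace and name from sub instead.
	if p := strings.SplitN(c.Subject, ":", 4); c.Name == "" && len(p) == 4 && p[0] == "system" && p[1] == "serviceaccount" {
		c.Namespace, c.Name = p[2], p[3]
	}
	if c.Name == "" {
		return nil, errors.New("token does not identify a service account")
	}
	return &c, nil
}

// UsesDefaultServiceAccount flags a pod that fell back to the default ServiceAccount.
func UsesDefaultServiceAccount(c *ServiceAccountClaims) bool { return c.Name == "default" }

// SampleToken builds a constructed, UNSIGNED token with the legacy claim layout so the example has
// input outside a cluster; the placeholder signature would be rejected by any API server.
func SampleToken(namespace, name string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(map[string]string{
		"iss": "kubernetes/serviceaccount", "sub": "system:serviceaccount:" + namespace + ":" + name,
		"kubernetes.io/serviceaccount/namespace":            namespace,
		"kubernetes.io/serviceaccount/service-account.name": name,
	})
	b64 := base64.RawURLEncoding.EncodeToString
	return b64(hdr) + "." + b64(body) + ".placeholder-signature"
}

func main() {
	cfg, err := LoadInClusterConfig("/var/run/secrets/kubernetes.io/serviceaccount", os.Getenv)
	token := SampleToken("bixin-system", "live-media-watch-pod") // constructed stand-in when not in a pod
	if err == nil {
		token = cfg.BearerToken
		fmt.Println("API server:", cfg.Host)
	}
	c, err := DecodeTokenClaims(token)
	if err != nil {
		fmt.Println("unreadable token:", err)
		return
	}
	fmt.Printf("identity %s, running as default ServiceAccount: %v\n", c.Subject, UsesDefaultServiceAccount(c))
}
```

Run inside the live-media-watch-pod pod above, this reports the identity system:serviceaccount:bixin-system:live-media-watch-pod; run in the live-media-agent pod it reports the default ServiceAccount, which is exactly the configuration that makes RBAC grants bound to a custom ServiceAccount ineffective. The signature is left unchecked on purpose: only the API server holds the keys to verify a service-account token, so decoded claims are a configuration sanity check, never a trust decision.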
