
python - Running k8s commands in Airflow hosted on an EKS cluster using the python api

Reposted. Author: 行者123. Updated: 2023-12-05 04:53:31

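I currently have an Airflow deployment hosted on an EKS cluster, and want it to run a report that will check the logging of another deployment and alert me if any errors occur.

Locally I'm able to run this without issue, as I can point the k8s python api to my kubeconfig. However, once deployed this doesn't work, as there isn't a $Home/.kube directory with the kubeconfig on the pods.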

    with client.ApiClient(config.load_kube_config(config_file=k8s_config_file)) as api_client:
        api_instance = client.CoreV1Api(api_client)

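I've tried removing the load_kube_config command, however this just throws a connection refused error, presumably because it now doesn't know about any cluster, although it resides in one...

I don't think it's good practice to put the kubeconfig on the deployment.

How can I get airflow to use the kubeconfig of the cluster it's hosted on? Or is there an alternative I'm missing...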

Best answer

Addressing some of the concerns in the question:

I've tried removing the load_kube_config command, however this just throws a connection refused error, presumably because it now doesn't know about any cluster, although it resides in one...

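To run your code from within the cluster (from a Pod), you need to switch:

  • From: config.load_kube_config()
  • To: config.load_incluster_config()

Please read on, as I address the rest of the setup needed to run Kubernetes Python API library code inside the cluster.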


How can I get airflow to use the kubeconfig of the cluster it's hosted on? Or is there an alternative I'm missing...

In fact, there is a solution you are missing:

You need to use a ServiceAccount with proper Roles and RoleBindings.

Let me explain it more and add an example:


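Explanation:

To run the setup I described above, you will need to refer to the following Kubernetes documentation:

As the official documentation states: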

When you (a human) access the cluster (for example, using kubectl), you are authenticated by the apiserver as a particular User Account. Processes in containers inside pods can also contact the apiserver. When they do, they are authenticated as a particular Service Account (for example, default).

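You need to add permissions to your ServiceAccount with Roles and RoleBindings to allow it to query the Kubernetes API server. For example, you need to add permission to list Pods.


Example:

I've already answered a similar case on Serverfault. I encourage you to check it out:

I've allowed myself to copy and alter some parts of this answer: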

Create a ServiceAccount

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: python-job-sa

This ServiceAccount will be used with the Deployment/Pod that will host your Python code.

Assign specific permissions to your ServiceAccount

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: default
      name: python-job-role
    rules:
    # This will give you access to pods
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get", "list", "watch"]
    # This will give you access to pods logs
    - apiGroups: [""]
      resources: ["pods/log"]
      verbs: ["get", "list", "watch"]

This is a Role that allows querying the Kubernetes API for resources like Pods.

Bind your Role to a ServiceAccount

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: python-job-rolebinding
      namespace: default
    subjects:
    - kind: ServiceAccount
      name: python-job-sa
      namespace: default
    roleRef:
      kind: Role
      name: python-job-role
      apiGroup: rbac.authorization.k8s.io

After applying these rules, you can use serviceAccount: python-job-sa in your Deployment manifest (in .spec.template.spec) and query the Kubernetes API as follows:

    from kubernetes import client, config

    config.load_incluster_config()  # <-- IMPORTANT
    v1 = client.CoreV1Api()

    print("Listing pods with their IPs:")

    ret = v1.list_namespaced_pod("default")
    for i in ret.items:
        print("%s\t%s\t%s" % (i.status.pod_ip, i.metadata.namespace, i.metadata.name))

Output:

    Listing pods with their IPs:
    10.88.0.12 default nginx-deployment-d6bcfb88d-q8s8s
    10.88.0.13 default nginx-deployment-d6bcfb88d-zbdm6
    10.88.0.11 default cloud-sdk

Additional resources:

Regarding python - Running k8s commands in Airflow hosted on an EKS cluster using the python api, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/65996416/
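
The report the question describes (read another deployment's logs and flag errors), written against the in-cluster ServiceAccount setup from the answer. This is an added example, not code from the original question or answer; the label selector app=my-app, the error pattern, and single-container pods are assumptions.

```python
import re

# Assumed error markers; adjust to the log format of the deployment you watch.
ERROR_RE = re.compile(r"\b(ERROR|CRITICAL|FATAL|Traceback)\b")


def error_lines(log_text):
    """Return the log lines that match ERROR_RE."""
    return [ln for ln in log_text.splitlines() if ERROR_RE.search(ln)]


def collect_errors(v1, namespace, label_selector, since_seconds=3600):
    """Map pod name -> error lines, using only pods list and pods/log get."""
    report = {}
    try:
        pods = v1.list_namespaced_pod(namespace, label_selector=label_selector)
        for pod in pods.items:
            text = v1.read_namespaced_pod_log(
                pod.metadata.name, namespace, since_seconds=since_seconds)
            hits = error_lines(text or "")
            if hits:
                report[pod.metadata.name] = hits
    except Exception as exc:
        # kubernetes.client.ApiException carries the HTTP status code.
        if getattr(exc, "status", None) == 403:
            raise PermissionError(
                "API server returned 403: check the Role and RoleBinding "
                "for the pod's ServiceAccount") from exc
        raise
    return report


def main():
    # Imported here so the helpers above can be tested without the library.
    from kubernetes import client, config
    # Reads the token and CA certificate mounted for the pod's ServiceAccount.
    config.load_incluster_config()
    # "app=my-app" is a hypothetical label for the watched deployment.
    report = collect_errors(client.CoreV1Api(), "default", "app=my-app")
    for pod, lines in report.items():
        print("%s: %d error line(s)" % (pod, len(lines)))
        for ln in lines:
            print("  " + ln)


if __name__ == "__main__":
    main()
```

The two API calls map directly onto the Role above: list on pods and get on pods/log, both in the default namespace, so no wider grant is needed for this report.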
