python - 使用 python api 在 EKS 集群上托管的 Airflow 中运行 k8s 命令

Question

我目前有一个托管在 EKS 集群上的 Airflow 部署，并希望它运行一个报告来检查另一个部署的日志记录，并在发生任何错误时提醒我。

在本地，我可以毫无问题地运行它，因为我可以将 k8s python api 指向我的 kubeconfig，但是一旦部署就不起作用，因为没有带有 kubeconfig 的 $Home/.kube 目录 pods 。

    with client.ApiClient(config.load_kube_config(config_file=k8s_config_file)) as api_client:
        api_instance = client.CoreV1Api(api_client)

我试过删除 load_kube_config 命令，但这只会引发连接被拒绝的错误，大概是因为它现在不知道任何集群，尽管它驻留在一个...

我认为将 kubeconfig 放在部署中不是一个好的做法。

如何让 Airflow 使用其托管的集群的 kubeconfig？还是我缺少其他选择...

Answer 1

回答问题中的一些疑虑:

I've tried removing the load_kube_config command, however this just throws a connection refused error, presumably because it now doesn't know about any cluster, although it resides in one...

要在集群内运行代码(从 Pod)，您需要切换:

• 来自: config.load_kube_config()
• 到: config.load_incluster_config()

请阅读下文，因为我解决了在集群内运行 Kubernetes Python API 库代码所需的其余设置。

---

How can I get airflow to use the kubeconfig of the cluster it's hosted on? Or is there an alternative I'm missing...

事实上，您缺少一个解决方案:

您需要使用具有适当Roles 和RoleBindings 的ServiceAccount。

让我再解释一下，并添加一个示例:

---

说明:

要运行我上面描述的设置，您需要引用以下 Kubernetes 文档:

• Kubernetes.io: Docs: Tasks: Configure pod container: Configure service account - 对于 ServiceAccount
• Kubernetes.io: Docs: Reference: Access authn authz: RBAC - 用于 Role 和 RoleBinding

如官方文档所述:

When you (a human) access the cluster (for example, using kubectl), you are authenticated by the apiserver as a particular User Account. Processes in containers inside pods can also contact the apiserver. When they do, they are authenticated as a particular Service Account (for example, default).

您需要使用 Roles 和 RoleBidings 向您的 ServiceAccount 添加权限，以允许它查询 Kubernetes API 服务器。例如，您需要添加权限以列出 Pod。

---

示例:

我已经在 Serverfault 上回答了一个类似的案例。我鼓励您检查一下:

• Serverfault.com: Starting a container on a Kubernetes cluster from another container

我允许自己复制和更改此答案的某些部分:

Create a ServiceAccount

apiVersion: v1
kind: ServiceAccount
metadata:
  name: python-job-sa

This ServiceAccount will be used with the Deployment/Pod that will host your Python code.

Assign specific permissions to your ServiceAccount

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: python-job-role
rules:
# This will give you access to pods
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
# This will give you access to pods logs
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch"]

This is a Role that allows to query the Kubernetes API for the resources like > Pods.

Bind your Role to a ServiceAccount

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: python-job-rolebinding
  namespace: default
subjects:
- kind: ServiceAccount
  name: python-job-sa 
  namespace: default
roleRef:
  kind: Role 
  name: python-job-role
  apiGroup: rbac.authorization.k8s.io

应用这些规则后，您可以在部署 list 中使用serviceAccount: python-job-sa(在.spec.template.spec) 并查询 Kubernetes API，如下所示:

from kubernetes import client, config

config.load_incluster_config() # <-- IMPORTANT
v1 = client.CoreV1Api()

print("Listing pods with their IPs:")

ret = v1.list_namespaced_pod("default")
for i in ret.items:
    print("%s\t%s\t%s" % (i.status.pod_ip, i.metadata.namespace, i.metadata.name))

输出:

Listing pods with their IPs:
10.88.0.12  default nginx-deployment-d6bcfb88d-q8s8s
10.88.0.13  default nginx-deployment-d6bcfb88d-zbdm6
10.88.0.11  default cloud-sdk

---

其他资源:

• Blog.meain.io: Accessing Kubernetes API from pod