创建maven工程,pom.xml中引入连接k8s的客户端jar包:
<properties>
<maven.compiler.source>
8
</maven.compiler.source>
<maven.compiler.target>
8
</maven.compiler.target>
<fabric.io.version>
6.10.0
</fabric.io.version>
</properties>

<dependencies>
<dependency>
<groupId>
io.fabric8
</groupId>
<artifactId>
kubernetes-client
</artifactId>
<version>
${fabric.io.version}
</version>
</dependency>
</dependencies>
目标:使用尽可能少的配置项来完成初始化工作,保证后续部署工作量最小

使用kubeconfig文件连接集群

使用场景

可以获取集群的kubeconfig文件

环境变量配置

默认配置项:
KUBECONFIG=~/.kube/config

自定义配置:
KUBECONFIG=/opt/file/kubeconfig

示例代码

import
io.fabric8.kubernetes.api.model.Namespace;

import
io.fabric8.kubernetes.api.model.NamespaceList;

import
io.fabric8.kubernetes.client.KubernetesClient;

import
io.fabric8.kubernetes.client.KubernetesClientBuilder;


publicclassK8sClientWithKubeConfig
{

publicstaticvoidmain
(String[] args) {

KubernetesClientclient=newKubernetesClientBuilder
().build();

System.out.println(client.getMasterUrl());

NamespaceListmyNs=
client.namespaces().list();


for
(Namespace ns : myNs.getItems()) {

System.out.println(ns.getMetadata().getName());

}

client.close();

}

}

其中master url为kubeconfig文件中的server字段;

使用ServiceAccount连接集群

使用场景

应用部署在k8s集群内,且可以创建Service Account和进行授权等操作(RBAC)

创建SA

apiVersion:v1
kind:ServiceAccount
metadata:
name:fmuser

---
apiVersion:rbac.authorization.k8s.io/v1
kind:ClusterRole
metadata:
name:fmuser-role
rules:
-apiGroups:
[
""
]

resources:
[
"pods"
,
"namespaces"
]

verbs:
[
"get"
,
"list"
,
"watch"
]

-apiGroups:
[
""
]

resources:
[
"pods/log"
]

verbs:
[
"get"
,
"list"
,
"watch"
]

-apiGroups:
[
""
]

resources:
[
"pods"
]

verbs:
[
"delete"
]

-apiGroups:
[
""
]

resources:
[
"namespaces"
]

verbs:
[
"get"
,
"list"
,
"watch"
]


---
apiVersion:rbac.authorization.k8s.io/v1
kind:ClusterRoleBinding
metadata:
name:fmuser-rolebinding
subjects:
-kind:ServiceAccount
name:fmuser
namespace:default
roleRef:
kind:ClusterRole
name:fmuser-role
apiGroup:rbac.authorization.k8s.io
资源授权根据实际使用情况设置即可,Role(当前空间,权限较小)和ClusterRole(整个集群,权限较大)根据需要创建;在代码中使用时,不需要额外配置,客户端会从以下路径自动读取:
/home/app
# ls -l /var/run/secrets/kubernetes.io/serviceaccount/
total 0

lrwxrwxrwx 1 root root 13 Jan 22 02:55 ca.crt -> ..data/ca.crt

lrwxrwxrwx 1 root root 16 Jan 22 02:55 namespace -> ..data/namespace

lrwxrwxrwx 1 root root 12 Jan 22 02:55 token -> ..data/token

/home/app
#

所需的文件就是ca.crt和token;

如果需要在集群外验证这种认证方式,需要设置如下环境变量:
KUBERNETES_MASTER=https://191.168.7.132:6443;

KUBERNETES_AUTH_SERVICEACCOUNT_TOKEN=/opt/file/serviceaccount-token;

KUBERNETES_CERTS_CA_FILE=/opt/file/serviceaccount-ca.key;

KUBERNETES_AUTH_TRYKUBECONFIG=
false
其中serviceaccount-ca.key和serviceaccount-token对应的是上面的ca.crt和token,需要注意的是,使用这种方式,master的url中的端口是6443,而不是默认的443,需要注意;

示例代码

import
io.fabric8.kubernetes.api.model.Namespace;

import
io.fabric8.kubernetes.api.model.NamespaceList;

import
io.fabric8.kubernetes.client.KubernetesClient;

import
io.fabric8.kubernetes.client.KubernetesClientBuilder;


publicclassK8sClientWithServiceAccount
{

publicstaticvoidmain
(String[] args) {

KubernetesClientclient=newKubernetesClientBuilder
().build();

System.out.println(client.getConfiguration().getCaCertFile());

System.out.println(client.getConfiguration().getMasterUrl());

System.out.println(client.getConfiguration().getAutoOAuthToken());

NamespaceListmyNs=
client.namespaces().list();


for
(Namespace ns : myNs.getItems()) {

System.out.println(ns.getMetadata().getName());

}

client.close();

}

}

打印的值就是环境变量中设置的;

获取sa的ca.crt和token

root@tianshu-ai-platform:~
# kubectl get sa
NAME SECRETS AGE

default 1 13d

fmuser 1 7d

test
1 7d

root@tianshu-ai-platform:~
# kubectl describe sa fmuser
Name: fmuser

Namespace: default

Labels: <none>

Annotations: <none>

Image pull secrets: <none>

Mountable secrets: fmuser-token-9qb8n

Tokens: fmuser-token-9qb8n

Events: <none>

root@tianshu-ai-platform:~
# kubectl describe secret fmuser-token-9qb8n
Name: fmuser-token-9qb8n

Namespace: default

Labels: <none>

Annotations: kubernetes.io/service-account.name: fmuser

kubernetes.io/service-account.uid: 012db65a-e482-4626-ba01-fc136786c5b1


Type: kubernetes.io/service-account-token


Data

====

ca.crt: 1066 bytes

namespace: 7 bytes

token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjJ5SVZq......


root@tianshu-ai-platform:~
# kubectl get secret fmuser-token-9qb8n -o jsonpath='{.data.ca\.crt}'
LS0tLS1CRUdJTiBDRVJ....

root@tianshu-ai-platform:~
# kubectl get secret fmuser-token-9qb8n -o jsonpath='{.data.token}'
ZXlKaGJHY2lPaUpTVXpJ.....


root@tianshu-ai-platform:~
# kubectl get secret fmuser-token-9qb8n -o jsonpath='{.data.ca\.crt}' | base64 --decode
-----BEGIN CERTIFICATE-----

MIIC5zCCAc+gAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl

cm5ldGVzMB4XDTI0MDExNjA1NDUwMloXDTM0MDExMzA1NDUwMlowFTETMBEGA1UE

AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGw

FLPnomd41JAIw7jOVrz4Wm+7RwAZanQpOzvmR+SOZTjq5F2Lu/OXa9JhNNisJ2f1

R/MYNRDxCgeTid7iiG9s5OIS+4TFj5S36kXTYmZ51mQXohqjcZeVPgL+Vb8Jz2lS

uXPBGWwjj8ROfjWQcVE49V0DmybdPpZgjEUIxFVFcp3O7jtfl+oecRz55p4bYUrM

KsTXimmKEOcr4t1J6/DlvaXbZVCpJ28iIaDP2Z8qJT6/fg+jnevXr8QiedEsbx1i

D/FmIdBS2O+UsG9Gs+gUr2SA37UmRxelFiQQlgs/yC0/UEh8mrSkslN+Y5qlHEmI

/ntY6ZySzQhatcNEKMkCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB

/wQFMAMBAf8wHQYDVR0OBBYEFEChpxTbnR+JgB0qm/iHrmTjb+//MA0GCSqGSIb3

DQEBCwUAA4IBAQBcY+JrXiT+OHRhpFV4wdoxh4YKBGbzHNAC+d1mSoJE9K4lbK/n

7SWscW2SdIiCVwmH8VQyH1LKLGQZePuQ64yKetakCD6KCJ40IRY3MQR1lTM5K8pO

KRduy2dLxyfvMFNjjSBiDZnhd9XA1UcqTlwe6o9KAYOvBTePsalS6v7U7tzp1fBI

vtwicakxThcs5jAwb5HA/CHS3VFlAU7g3UZlFgIBvOuLAoUuxxkNIfMoYP/gPNKR

IB1wJBaCHIKcpUtzNH6ejhWIy8cGUeXAYXiL10gQdg20Nnmr3kdnXDzAipvOPspb

kGM9g4KWiXlUqwlq36btT9HHBC5shC4IzYL/

-----END CERTIFICATE-----


root@tianshu-ai-platform:~
# kubectl get secret fmuser-token-9qb8n -o jsonpath='{.data.token}' | base64 --decode
eyJhbGciOiJSUzI1NiIsImtpZCI6IjJ5SVZqUjBOLVdwbUluU2F5M....

在使用中的ca.crt和token都是base64解码过的,存储在secret中的都是经过编码的;
好了,今天的小知识你学会了吗?
链接:https://www.cnblogs.com/flowerbirds/p/17997009
(版权归原作者所有,侵删)
继续阅读
阅读原文