Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Where can i get the API_KEY in Kubernetes installation

Have been trying to get the python client for kubernetes work as expected. Had good luck with config.load_kube_config() Now i'd like to use the Python client from a remote machine which neither has kubectl nor ~/.kube/config on it. Tried the python client API reference such as this

Snippet:

from __future__ import print_function
import time
import kubernetes.client
from kubernetes.client.rest import ApiException
from pprint import pprint

# Configure API key authorization: BearerToken
configuration = kubernetes.client.Configuration()
configuration.api_key['authorization'] = 'YOUR_API_KEY'
# Uncomment below to setup prefix (e.g. Bearer) for API key, if needed
# configuration.api_key_prefix['authorization'] = 'Bearer'

At first it seemed i need to use the default service-account-token where it says:

configuration.api_key['authorization'] = 'YOUR_API_KEY

Soon realized that is not the case after seeing a lot of [SSL: CERTIFICATE_VERIFY_FAILED]

Can someone please give a hint to where i can obtain this from my new install? Used kubeadm to bring up this cluster.

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.2", GitCommit:"5fa2db2bd46ac79e5e00a4e6ed24191080aa463b", GitTreeState:"clean", BuildDate:"2018-01-18T21:10:44Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.2", GitCommit:"5fa2db2bd46ac79e5e00a4e6ed24191080aa463b", GitTreeState:"clean", BuildDate:"2018-01-18T09:42:01Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}

<--------- Edit below ---------->

Managed to get token from master using:

$ kubectl describe secret $(kubectl get secrets | grep default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d '\t'

The above result is named ApiToken in below Python snippet.

from kubernetes import client, config
from kubernetes.client.rest import ApiException
ApiToken = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImRlZmF1bHQtdG9rZW4tbXF0eG4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiZGVmYXVsdCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6IjA5NWQ3ZGVhLTA5MDgtMTFlOC04NTFiLTA4MDAyNzk0OGE2OSIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmRlZmF1bHQifQ.DBk6gyh4BFy-Gc94dihasYXLbspMvMEjuzFS-AEyNUwk6pR1zsdYOqxo5J-0t6qHN09JyyNK5Oz75cR6bYOGxir1a7SveQpXly4S2Iu3K3o6n8ys_kdP4lNMgBZy--rE0h4neG9s91ven36XP4nYZMwvWal56w39nCUmkomR2-DfhaD4-_Mqq2bd7lmETNinD2hpzTa9cf46VTTY0kcIwhk8FzxEtPA3kxoZul0AfpZT2QlyzLk9fTBRPjd57XbktBgQmiO2wppa_A1KN1Kg83fk1p40hSfY4Vf7Dr76rmKgAUVae-qkN725FWj-4NqzktjyAqalli5jcHo2leJv0A'
configuration = client.Configuration()
configuration.host = 'https://192.168.0.110:6443'
configuration.verify_ssl=False
configuration.debug = True
configuration.api_key={"authorization":"Bearer "+ ApiToken}
client.Configuration.set_default(configuration)
kubeApi = client.CoreV1Api()
try:
    allPods = kubeApi.list_pod_for_all_namespaces(watch=False)
except ApiException as e:
    print("Exception when calling CoreV1Api->list_pod_for_all_namespaces: %s\n" % e)

Response is a HTTP/1.1 403 Forbidden message.

reply: 'HTTP/1.1 403 Forbidden\r\n'
2018-02-10 09:37:49,801 DEBUG https://192.168.0.110:6443 "GET /api/v1/pods?watch=False HTTP/1.1" 403 243
header: Content-Type header: X-Content-Type-Options header: Date header: Content-Length Exception when calling CoreV1Api->list_pod_for_all_namespaces: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Sat, 10 Feb 2018 04:07:46 GMT', 'Content-Length': '243'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:default:default\" cannot list pods at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}

Troubleshooting this stage now.

like image 806
papu Avatar asked Feb 08 '18 13:02

papu


2 Answers

[root@master1 ~]# APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
[root@master1 ~]# SECRET_NAME=$(kubectl get secrets | grep ^default | cut -f1 -d ' ')
[root@master1 ~]# TOKEN=$(kubectl describe secret $SECRET_NAME | grep -E '^token' | cut -f2 -d':' | tr -d " ")
[root@master1 ~]# curl $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "11.127.4.111:6443"
    }
  ]
}[root@master1 ~]# 

like image 84
Dineshkumar Ramasamy Avatar answered Nov 16 '22 11:11

Dineshkumar Ramasamy


Maybe you need token.

Can use anywhere secret in kube-system namespace:

$ kubectl get secrets -n kube-system 
$ kubectl describe secret/{secret_name} -n kube-system
like image 26
Denis Avatar answered Nov 16 '22 11:11

Denis