通过AWS Lambda认证到K8s集群



我们使用以下内容进行身份验证:

import base64
import boto3
import string
import random
from botocore.signers import RequestSigner

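class EKSAuth(object):
    """Mint an EKS bearer token from the caller's AWS credentials.

    This is the aws-iam-authenticator token scheme: a presigned STS
    ``GetCallerIdentity`` URL that carries the cluster name in the
    ``x-k8s-aws-id`` header, URL-safe base64 encoded (unpadded) and prefixed
    with ``k8s-aws-v1.``.  The cluster-side authenticator replays that URL
    against STS to learn which IAM principal signed it.
    """

    METHOD = 'GET'
    # Lifetime, in seconds, of the presigned URL and therefore of the token.
    EXPIRES = 60
    EKS_HEADER = 'x-k8s-aws-id'
    EKS_PREFIX = 'k8s-aws-v1.'
    STS_URL = 'sts.amazonaws.com'
    STS_ACTION = 'Action=GetCallerIdentity&Version=2011-06-15'

    def __init__(self, cluster_id, region='us-east-1'):
        """
        Args:
            cluster_id: EKS cluster name.  It is bound into the signature via
                the ``x-k8s-aws-id`` header, so a token minted for one cluster
                is not valid for another.
            region: AWS region used both for the STS client and for signing.
        """
        self.cluster_id = cluster_id
        self.region = region

    @classmethod
    def _encode_token(cls, signed_url):
        """Return *signed_url* in the token wire format.

        Base64 padding is stripped: the authenticator decodes the payload as
        unpadded URL-safe base64, so a padded value is rejected whenever the
        URL length is not a multiple of three.
        """
        encoded = base64.urlsafe_b64encode(signed_url.encode('utf-8'))
        return cls.EKS_PREFIX + encoded.decode('utf-8').rstrip('=')

    def get_token(self):
        """
        Return bearer token

        Credentials come from the default boto3 credential chain (inside
        Lambda, the function's execution role).  The result is a bearer
        credential valid for ``EXPIRES`` seconds: do not log it.
        """
        session = boto3.session.Session()
        # Get ServiceID required by class RequestSigner
        client = session.client("sts", region_name=self.region)
        service_id = client.meta.service_model.service_id
        # Sign with self.region rather than session.region_name so the region
        # given to the constructor is honoured and the signer never receives
        # None when no default region is configured.
        signer = RequestSigner(
            service_id,
            self.region,
            'sts',
            'v4',
            session.get_credentials(),
            session.events
        )
        params = {
            'method': self.METHOD,
            'url': 'https://' + self.STS_URL + '/?' + self.STS_ACTION,
            'body': {},
            'headers': {
                self.EKS_HEADER: self.cluster_id
            },
            'context': {}
        }
        signed_url = signer.generate_presigned_url(
            params,
            region_name=self.region,
            expires_in=self.EXPIRES,
            operation_name=''
        )
        return self._encode_token(signed_url)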

然后用以下代码使用它:
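KUBE_FILEPATH = '/tmp/kubeconfig'
CLUSTER_NAME = 'cluster'
REGION = 'us-east-2'

# /tmp survives across warm invocations of the same Lambda container, so the
# kubeconfig (endpoint + CA data only, no secrets) is built once and reused.
if not os.path.exists(KUBE_FILEPATH):
    # Get data from EKS API
    eks_api = boto3.client('eks', region_name=REGION)
    cluster_info = eks_api.describe_cluster(name=CLUSTER_NAME)['cluster']
    certificate = cluster_info['certificateAuthority']['data']
    endpoint = cluster_info['endpoint']
    # Minimal kubeconfig: one cluster, one context, one user.  The top-level
    # key is ``kind: Config`` and ``users[].user`` must be a mapping; it is
    # left empty because the bearer token is injected into the client below.
    kube_content = {
        'apiVersion': 'v1',
        'kind': 'Config',
        'clusters': [{
            'name': 'kubernetes',
            'cluster': {
                'server': endpoint,
                'certificate-authority-data': certificate,
            },
        }],
        'contexts': [{
            'name': 'aws',
            'context': {'cluster': 'kubernetes', 'user': 'aws'},
        }],
        'current-context': 'aws',
        'users': [{'name': 'aws', 'user': {}}],
    }
    # Write kubeconfig
    with open(KUBE_FILEPATH, 'w') as outfile:
        yaml.dump(kube_content, outfile, default_flow_style=False)

# Get Token -- a short-lived bearer credential; never print or log it.
# Pass the cluster's region so the STS call is made in the same region.
eks = auth.EKSAuth(CLUSTER_NAME, region=REGION)
token = eks.get_token()

# Configure: load endpoint and CA from the kubeconfig INTO this Configuration
# instance.  Whether a bare client.Configuration() inherits the defaults set by
# load_kube_config() depends on the client version; client_configuration=
# populates it explicitly in either case, so the request has host and CA.
configuration = client.Configuration()
config.load_kube_config(KUBE_FILEPATH, client_configuration=configuration)
configuration.api_key['authorization'] = token
configuration.api_key_prefix['authorization'] = 'Bearer'

# API
api = client.ApiClient(configuration)
v1 = client.CoreV1Api(api)
ret = v1.list_namespaced_pod(namespace='default')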

但是,这在 Lambda 中会得到如下错误:

[ERROR] ApiException: (401) Reason: Unauthorized

是否有某种方式可以生成 ~/.aws/credentials 或 ~/.aws/config 文件?我相信这可能就是它无法认证的原因吧?

您的 EKSAuth 类可以正常工作。我刚在自己的集群上验证过了。

下面是一个可以替代第二段代码的可用(而且更简单的)代码片段。

import base64
import tempfile
import kubernetes
import boto3
from auth import EKSAuth

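cluster_name = "my-cluster"

# Details from EKS (the region comes from the default boto3 chain, e.g. the
# AWS_REGION variable inside Lambda)
eks_client = boto3.client('eks')
eks_details = eks_client.describe_cluster(name=cluster_name)['cluster']

# Saving the CA cert to a temp file (working around the Kubernetes client
# limitations).  The CA data is standard base64, so decode it as such --
# urlsafe_b64decode only happened to accept it because '+' and '/' pass
# through untouched.  NamedTemporaryFile creates the file readable only by
# the current user; delete=False keeps it on disk for the client to read.
with tempfile.NamedTemporaryFile(delete=False) as fp:
    ca_filename = fp.name
    fp.write(base64.b64decode(eks_details['certificateAuthority']['data']))

# Token for the EKS cluster -- a short-lived bearer credential; do not log it.
# Sign in the region the EKS client resolved so both calls agree.
eks_auth = EKSAuth(cluster_name, region=eks_client.meta.region_name)
token = eks_auth.get_token()

# Kubernetes client config
conf = kubernetes.client.Configuration()
conf.host = eks_details['endpoint']
conf.api_key['authorization'] = token
conf.api_key_prefix['authorization'] = 'Bearer'
conf.ssl_ca_cert = ca_filename
k8s_client = kubernetes.client.ApiClient(conf)

# Doing something with the client
v1 = kubernetes.client.CoreV1Api(k8s_client)
print(v1.list_pod_for_all_namespaces())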

*大部分代码取自此处

并且您还必须确保已经在 EKS 集群中授予了您的 Lambda 所使用的 IAM 角色相应的权限。

kubectl edit -n kube-system configmap/aws-auth

在 mapRoles 下添加这些行。rolearn 是您角色的 ARN。username 是您希望在 k8s 集群中为该角色指定的名称。

# aws-auth maps IAM principals to Kubernetes identities; the username chosen
# here is the identity that RBAC bindings refer to.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  # mapRoles is a YAML block scalar: the '#' lines inside it are part of the
  # stored string and are only dropped when that string is itself parsed as
  # YAML by the cluster's authenticator.
  mapRoles: |
    # Add this #######################################
    - rolearn: arn:aws:iam::111122223333:role/myLambda-role-z71amo5y
      username: my-lambda-mapped-user
    ####################################################

并创建 ClusterRoleBinding(或 RoleBinding)来授予该用户在集群内的权限。

kubectl create clusterrolebinding --clusterrole cluster-admin --user my-lambda-mapped-user  my-clusterrolebinding
