代码之家  ›  专栏  ›  技术社区  ›  licorna

使用python客户机在kuberentes中批准csr

kubernetes-python-client kubernetes python
  •  0
  • licorna  · 技术社区  · 5 年前

    我在kubernetes中有以下csr对象: 

    $ kubectl get csr
NAME                                     AGE       REQUESTOR                                      CONDITION
test-certificate-0.my-namespace          53m       system:serviceaccount:my-namespace:some-user   Pending

    我想使用python api客户端批准它: 

    from kuberentes import config, client
# configure session
config.load_kube_config()
# get a hold of the certs API
certs_api = client.CertificatesV1beta1Api()

# read my CSR
csr = certs_api.read_certificate_signing_request("test-certificate-0.my-namespace")

    现在, csr 对象是: 

    {'api_version': 'certificates.k8s.io/v1beta1',
 'kind': 'CertificateSigningRequest',
 'metadata': {'annotations': None,
              'cluster_name': None,
              'creation_timestamp': datetime.datetime(2019, 3, 15, 14, 36, 28, tzinfo=tzutc()),
              'deletion_grace_period_seconds': None,
              'name': 'test-certificate-0.my-namespace',
              'namespace': None,
              'owner_references': None,
              'resource_version': '4269575',
              'self_link': '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/test-certificate-0.my-namespace',
              'uid': 'b818fa4e-472f-11e9-a394-124b379b4e12'},
 'spec': {'extra': None,
          'groups': ['system:serviceaccounts',
                     'system:serviceaccounts:cloudp-38483-test01',
                     'system:authenticated'],
          'request': 'redacted',
          'uid': 'd5bfde1b-4036-11e9-a394-124b379b4e12',
          'usages': ['digital signature', 'key encipherment', 'server auth'],
          'username': 'system:serviceaccount:test-certificate-0.my-namespace'},
 'status': {'certificate': 'redacted',
            'conditions': [{'last_update_time': datetime.datetime(2019, 3, 15, 15, 13, 32, tzinfo=tzutc()),
                            'message': 'This CSR was approved by kubectl certificate approve.',
                            'reason': 'KubectlApprove',
                            'type': 'Approved'}]}}

    我想 批准 如果我用kubectl做这个证书( -v=10 将使 kubectl 输出http流量): 

    kubectl certificate approve test-certificate-0.my-namespace -v=10

    我可以看到 PUT 以前的操作 批准 我的证书: 

    PUT https://my-kubernetes-cluster.com:8443/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/test-certificate-0.my-namespace/approval

    所以我需要 /approval 证书对象的资源。现在,如何使用python kubernetes客户机呢?

    0 回复  |  直到 5 年前
        1
  •  3
  •   jaxxstorm    5 年前

    有个奇怪的名字,但是在 docs 对于python客户机-您需要 replace_certificate_signing_request_approval 

    # create an instance of the API class
api_instance = kubernetes.client.CertificatesV1beta1Api(kubernetes.client.ApiClient(configuration))
name = 'name_example' # str | name of the CertificateSigningRequest
body = kubernetes.client.V1beta1CertificateSigningRequest() # V1beta1CertificateSigningRequest | 
dry_run = 'dry_run_example' # str | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed (optional)
pretty = 'pretty_example' # str | If 'true', then the output is pretty printed. (optional)

try: 
    api_response = api_instance.replace_certificate_signing_request_approval(name, body, dry_run=dry_run, pretty=pretty)
    pprint(api_response)
except ApiException as e:
    print("Exception when calling CertificatesV1beta1Api->replace_certificate_signing_request_approval: %s\n" % e)
        2
  •  1
  •   licorna    5 年前

    下面根据@jaxxstorm answer和我自己的调查来回答我的问题: 

    # Import required libs and configure your client
from datetime import datetime, timezone
from kubernetes import config, client
config.load_kube_config()

# this is the name of the CSR we want to Approve
name = 'my-csr'

# a reference to the API we'll use 
certs_api = client.CertificatesV1beta1Api()

# obtain the body of the CSR we want to sign
body = certs_api.read_certificate_signing_request_status(name)

# create an approval condition
approval_condition = client.V1beta1CertificateSigningRequestCondition(
    last_update_time=datetime.now(timezone.utc).astimezone(),
    message='This certificate was approved by Python Client API',
    reason='MyOwnReason',
    type='Approved')

# patch the existing `body` with the new conditions
# you might want to append the new conditions to the existing ones
body.status.conditions = [approval_condition]

# patch the Kubernetes object
response = certs_api.replace_certificate_signing_request_approval(name, body)

    之后,库贝卡将批准并颁发新证书。颁发的证书文件可以从 response 我们刚得到的目标是: 

    import base64
base64.b64decode(response.status.certificate) # this will return the decoded cert
    推荐文章
    ralonr  ·  当上下文已经设置好时,如何在K9中的上下文之间切换?
    2 年前
    Dr. Andrew  ·  kubectl运行时未创建部署
    2 年前
    Meghana B Srinath  ·  ServiceNow作为基于容器的应用程序
    2 年前
    CodeMonkey  ·  键“meta.helm.sh/release name”必须等于“x”:当前值为“y”
    2 年前
    user17377017  ·  Kubernetes nginx控制器错误日志:连接到上游时connect()失败(111:连接被拒绝),客户端:X.X.X.X,服务器:X.X.X.X
    2 年前
    Suhasini Subramaniam  ·  如何列出库伯内特斯吊舱中有CharDevice?
    2 年前
    briadeus  ·  Kubernetes活性/就绪性探测在同一集群上的不同命名空间中失败(权限被拒绝)
    2 年前
    Abhishek Rai  ·  库伯内特斯吊舱卡在集装箱内
    2 年前
    Rajan Subramanian  ·  无法让kubectl在minikube中运行flask应用程序
    2 年前
    TiDu  ·  使用EKS设置出口网关的最简单方法,无需Istio
    2 年前
    关于   移动版
    代码之家 - 一站式码农服务社区
    沪ICP备11025650号