Run k8s commands within Airflow hosted on an EKS cluster using the python api
I currently have an Airflow deployment hosted on an EKS cluster and would like it to run a report that checks the logs of another deployment and alerts me if any errors occur.
Locally I can run this without issue, as I can point the k8s python api at my kubeconfig, but this doesn't work once deployed, as there is no $Home/.kube directory with a kubeconfig on the pod.
    with client.ApiClient(config.load_kube_config(config_file=k8s_config_file)) as api_client:
        api_instance = client.CoreV1Api(api_client)
I've tried removing the load_kube_config command, however this just throws a connection refused error, presumably because it now doesn't know about any cluster, although it resides in one...
I don't think putting the kubeconfig into the deployment is good practice.
How can I get Airflow to use the kubeconfig of the cluster it's hosted on?
Or is there an alternative I'm missing...
Answering some of the concerns raised in the question:
I've tried removing the load_kube_config command, however this just throws a connection refused error, presumably because it now doesn't know about any cluster, although it resides in one...
To run the code inside the cluster (from a Pod), you need to switch:
- from:
    config.load_kube_config()
- to:
    config.load_incluster_config()
Please read below, as I address the rest of the setup needed to run Kubernetes Python API library code inside the cluster.
How can I get airflow to use the kubeconfig of the cluster it's hosted on? Or is there an alternative I'm missing...
There is actually a solution you are missing:
You need to use a ServiceAccount with the appropriate Roles and RoleBindings.
Let me explain a bit more and add an example:
Explanation:
To run the setup I described above, you will need to refer to the following Kubernetes documentation:
- Kubernetes.io: Docs: Tasks: Configure pod container: Configure service account - for ServiceAccount
- Kubernetes.io: Docs: Reference: Access authn authz: RBAC - for Role and RoleBinding
As the official documentation states:
When you (a human) access the cluster (for example, using kubectl), you are authenticated by the apiserver as a particular User Account. Processes in containers inside pods can also contact the apiserver. When they do, they are authenticated as a particular Service Account (for example, default).
You will need to add permissions to your ServiceAccount using Roles and RoleBindings to allow it to query the Kubernetes API server. For example, you will need to add permissions to list Pods.
Example:
I've already answered a similar case at some length on Serverfault. I encourage you to check it out:
I've allowed myself to copy and modify some parts of that answer:
Create a ServiceAccount
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: python-job-sa
This ServiceAccount will be used with the Deployment/Pod that will host your Python code.
Assign specific permissions to your ServiceAccount
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      namespace: default
      name: python-job-role
    rules:
    # This will give you access to pods
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get", "list", "watch"]
    # This will give you access to pods logs
    - apiGroups: [""]
      resources: ["pods/log"]
      verbs: ["get", "list", "watch"]
This is a Role that allows querying the Kubernetes API for resources like Pods.
Bind your Role to a ServiceAccount
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: python-job-rolebinding
      namespace: default
    subjects:
    - kind: ServiceAccount
      name: python-job-sa
      namespace: default
    roleRef:
      kind: Role
      name: python-job-role
      apiGroup: rbac.authorization.k8s.io
After applying these rules, you can use serviceAccount: python-job-sa in your Deployment manifest (in .spec.template.spec) and query the Kubernetes API as follows:
    from kubernetes import client, config
    config.load_incluster_config() # <-- IMPORTANT
    v1 = client.CoreV1Api()
    print("Listing pods with their IPs:")
    ret = v1.list_namespaced_pod("default")
    for i in ret.items:
        print("%s\t%s\t%s" % (i.status.pod_ip, i.metadata.namespace, i.metadata.name))
Output:
Listing pods with their IPs:
10.88.0.12 default nginx-deployment-d6bcfb88d-q8s8s
10.88.0.13 default nginx-deployment-d6bcfb88d-zbdm6
10.88.0.11 default cloud-sdk
Other resources:
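The following is an added example (not part of the answer above or of the Serverfault post it draws on) that puts the two pieces of the answer together for the task the question describes: selecting in-cluster credentials instead of a kubeconfig, reading the logs of another deployment's pods with only the verbs the Role grants, and turning matching lines into an alertable report. The namespace `default`, the label selector `app=report-worker`, the error patterns and the sample log text are assumptions constructed for the example; the `kubernetes` package is imported lazily so the scanning logic can be run and tested offline.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Token mount and API host that Kubernetes injects into every pod (unless
# automountServiceAccountToken is disabled); load_incluster_config() uses both.
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

# Assumed patterns that mark a failed log line; adapt to the target app's format.
ERROR_PATTERNS = [
    re.compile(r"\b(ERROR|CRITICAL|FATAL)\b"),
    re.compile(r"Traceback \(most recent call last\)"),
]

# Constructed sample logs (not real cluster output) used when no cluster is reachable.
SAMPLE_LOGS: Dict[str, str] = {
    "report-worker-7d9f4-abc12": (
        "2024-01-01T10:00:00Z INFO job started\n"
        "2024-01-01T10:00:05Z ERROR failed to fetch upstream: timeout\n"
        "2024-01-01T10:00:06Z INFO retrying\n"
    ),
    "report-worker-7d9f4-def34": (
        "2024-01-01T10:00:00Z INFO job started\n"
        "2024-01-01T10:00:09Z INFO job finished\n"
    ),
}


@dataclass
class PodReport:
    pod: str
    errors: List[str] = field(default_factory=list)


def scan_log(pod_name: str, log_text: str) -> PodReport:
    """Collect the lines of one pod's log that match ERROR_PATTERNS."""
    report = PodReport(pod=pod_name)
    for line in log_text.splitlines():
        if any(p.search(line) for p in ERROR_PATTERNS):
            report.errors.append(line)
    return report


def summarize(reports: List[PodReport]) -> Dict[str, object]:
    """Reduce per-pod reports to the fields an alert needs."""
    failing = [r for r in reports if r.errors]
    return {
        "pods_checked": len(reports),
        "pods_with_errors": sorted(r.pod for r in failing),
        "error_count": sum(len(r.errors) for r in failing),
        "alert": bool(failing),
    }


def running_in_cluster() -> bool:
    """True when the pod's ServiceAccount token and API host are available."""
    return "KUBERNETES_SERVICE_HOST" in os.environ and os.path.exists(SA_TOKEN_PATH)


def load_config(kubeconfig: Optional[str] = None) -> str:
    """Prefer the pod's ServiceAccount; fall back to a kubeconfig only for local
    development. Returns the name of the loader that was used."""
    from kubernetes import config  # lazy import: scanning works without the package
    if running_in_cluster():
        config.load_incluster_config()
        return "incluster"
    config.load_kube_config(config_file=kubeconfig)
    return "kubeconfig"


def fetch_deployment_logs(namespace: str, label_selector: str,
                          since_seconds: int = 3600, tail_lines: int = 1000) -> Dict[str, str]:
    """Read recent logs of every pod matching label_selector.
    Uses only read verbs: list on pods and get on pods/log, as in the Role above."""
    from kubernetes import client
    from kubernetes.client.rest import ApiException
    v1 = client.CoreV1Api()
    logs: Dict[str, str] = {}
    try:
        pods = v1.list_namespaced_pod(namespace, label_selector=label_selector)
        for pod in pods.items:
            logs[pod.metadata.name] = v1.read_namespaced_pod_log(
                pod.metadata.name, namespace,
                since_seconds=since_seconds, tail_lines=tail_lines)
    except ApiException as exc:
        if exc.status == 403:  # RBAC gap: SA not bound, or Role lacks pods / pods/log
            raise PermissionError(
                "API server denied the request; check the pod's serviceAccount and "
                "that its Role grants list on pods and get on pods/log") from exc
        raise
    return logs


def check_logs(namespace: str = "default", label_selector: str = "app=report-worker",
               logs: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Entry point usable as an Airflow PythonOperator callable. Pass `logs` to
    scan pre-fetched text; otherwise the cluster is queried."""
    if logs is None:
        load_config()
        logs = fetch_deployment_logs(namespace, label_selector)
    return summarize([scan_log(name, text) for name, text in logs.items()])


if __name__ == "__main__":
    print(check_logs(logs=SAMPLE_LOGS))
```

Because the Role and RoleBinding in the answer are namespaced, the binding has to live in the namespace whose pods are being read; if the Airflow pod runs in a different namespace, the subject's `namespace` field in the RoleBinding is what lets that ServiceAccount be granted rights there. A 403 from the API server is the signal that one of those pieces is missing, which is why the example turns it into an explicit error rather than a generic failure.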