Java实现连接kubernates集群的两种方式详解
作者:风雨咒之无上密籍
这篇文章主要为大家详细介绍了Java实现连接kubernates集群的两种方式,文中的示例代码讲解详细,感兴趣的小伙伴可以跟随小编一起学习一下
创建maven工程,pom.xml中引入连接k8s的客户端jar包:
<properties>
<maven.compiler.source>8</maven.compiler.source>
<maven.compiler.target>8</maven.compiler.target>
<fabric.io.version>6.10.0</fabric.io.version>
</properties>
<dependencies>
<dependency>
<groupId>io.fabric8</groupId>
<artifactId>kubernetes-client</artifactId>
<version>${fabric.io.version}</version>
</dependency>
</dependencies>
目标:使用尽可能少的配置项来完成初始化工作,保证后续部署工作量最小
使用kubeconfig文件连接集群
使用场景
可以获取集群的kubeconfig文件
环境变量配置
默认配置项:
KUBECONFIG=~/.kube/config
自定义配置:
KUBECONFIG=/opt/file/kubeconfig
示例代码
import io.fabric8.kubernetes.api.model.Namespace;
import io.fabric8.kubernetes.api.model.NamespaceList;
import io.fabric8.kubernetes.client.KubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClientBuilder;
public class K8sClientWithKubeConfig {
public static void main(String[] args) {
KubernetesClient client = new KubernetesClientBuilder().build();
System.out.println(client.getMasterUrl());
NamespaceList myNs = client.namespaces().list();
for (Namespace ns : myNs.getItems()) {
System.out.println(ns.getMetadata().getName());
}
client.close();
}
}
其中master url为kubeconfig文件中的server字段;
使用ServiceAccount连接集群
使用场景
应用部署在k8s集群内,且可以创建Service Account和进行授权等操作(RBAC)
创建SA
apiVersion: v1 kind: ServiceAccount metadata: name: fmuser --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: fmuser-role rules: - apiGroups: [""] resources: ["pods", "namespaces"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["pods/log"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["pods"] verbs: ["delete"] - apiGroups: [""] resources: ["namespaces"] verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: fmuser-rolebinding subjects: - kind: ServiceAccount name: fmuser namespace: default roleRef: kind: ClusterRole name: fmuser-role apiGroup: rbac.authorization.k8s.io
资源授权根据实际使用情况设置即可,Role(当前空间,权限较小)和ClusterRole(整个集群,权限较大)根据需要创建;在代码中使用时,不需要额外配置,客户端会从以下路径自动读取:
/home/app # ls -l /var/run/secrets/kubernetes.io/serviceaccount/ total 0 lrwxrwxrwx 1 root root 13 Jan 22 02:55 ca.crt -> ..data/ca.crt lrwxrwxrwx 1 root root 16 Jan 22 02:55 namespace -> ..data/namespace lrwxrwxrwx 1 root root 12 Jan 22 02:55 token -> ..data/token /home/app #
所需的文件就是ca.crt和token;
如果需要在集群外验证这种认证方式,需要设置如下环境变量:
KUBERNETES_MASTER=https://191.168.7.132:6443; KUBERNETES_AUTH_SERVICEACCOUNT_TOKEN=/opt/file/serviceaccount-token; KUBERNETES_CERTS_CA_FILE=/opt/file/serviceaccount-ca.key; KUBERNETES_AUTH_TRYKUBECONFIG=false
其中serviceaccount-ca.key和serviceaccount-token对应的是上面的ca.crt和token,需要注意的是,使用这种方式,master的url中的端口是6443,而不是默认的443,需要注意;
示例代码
import io.fabric8.kubernetes.api.model.Namespace;
import io.fabric8.kubernetes.api.model.NamespaceList;
import io.fabric8.kubernetes.client.KubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClientBuilder;
public class K8sClientWithServiceAccount {
public static void main(String[] args) {
KubernetesClient client = new KubernetesClientBuilder().build();
System.out.println(client.getConfiguration().getCaCertFile());
System.out.println(client.getConfiguration().getMasterUrl());
System.out.println(client.getConfiguration().getAutoOAuthToken());
NamespaceList myNs = client.namespaces().list();
for (Namespace ns : myNs.getItems()) {
System.out.println(ns.getMetadata().getName());
}
client.close();
}
}
打印的值就是环境变量中设置的;
获取sa的ca.crt和token
root@tianshu-ai-platform:~# kubectl get sa
NAME SECRETS AGE
default 1 13d
fmuser 1 7d
test 1 7d
root@tianshu-ai-platform:~# kubectl describe sa fmuser
Name: fmuser
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: fmuser-token-9qb8n
Tokens: fmuser-token-9qb8n
Events: <none>
root@tianshu-ai-platform:~# kubectl describe secret fmuser-token-9qb8n
Name: fmuser-token-9qb8n
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: fmuser
kubernetes.io/service-account.uid: 012db65a-e482-4626-ba01-fc136786c5b1
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1066 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6IjJ5SVZq......
root@tianshu-ai-platform:~# kubectl get secret fmuser-token-9qb8n -o jsonpath='{.data.ca\.crt}'
LS0tLS1CRUdJTiBDRVJ....
root@tianshu-ai-platform:~# kubectl get secret fmuser-token-9qb8n -o jsonpath='{.data.token}'
ZXlKaGJHY2lPaUpTVXpJ.....
root@tianshu-ai-platform:~# kubectl get secret fmuser-token-9qb8n -o jsonpath='{.data.ca\.crt}' | base64 --decode
-----BEGIN CERTIFICATE-----
MIIC5zCCAc+gAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
cm5ldGVzMB4XDTI0MDExNjA1NDUwMloXDTM0MDExMzA1NDUwMlowFTETMBEGA1UE
AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGw
FLPnomd41JAIw7jOVrz4Wm+7RwAZanQpOzvmR+SOZTjq5F2Lu/OXa9JhNNisJ2f1
R/MYNRDxCgeTid7iiG9s5OIS+4TFj5S36kXTYmZ51mQXohqjcZeVPgL+Vb8Jz2lS
uXPBGWwjj8ROfjWQcVE49V0DmybdPpZgjEUIxFVFcp3O7jtfl+oecRz55p4bYUrM
KsTXimmKEOcr4t1J6/DlvaXbZVCpJ28iIaDP2Z8qJT6/fg+jnevXr8QiedEsbx1i
D/FmIdBS2O+UsG9Gs+gUr2SA37UmRxelFiQQlgs/yC0/UEh8mrSkslN+Y5qlHEmI
/ntY6ZySzQhatcNEKMkCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
/wQFMAMBAf8wHQYDVR0OBBYEFEChpxTbnR+JgB0qm/iHrmTjb+//MA0GCSqGSIb3
DQEBCwUAA4IBAQBcY+JrXiT+OHRhpFV4wdoxh4YKBGbzHNAC+d1mSoJE9K4lbK/n
7SWscW2SdIiCVwmH8VQyH1LKLGQZePuQ64yKetakCD6KCJ40IRY3MQR1lTM5K8pO
KRduy2dLxyfvMFNjjSBiDZnhd9XA1UcqTlwe6o9KAYOvBTePsalS6v7U7tzp1fBI
vtwicakxThcs5jAwb5HA/CHS3VFlAU7g3UZlFgIBvOuLAoUuxxkNIfMoYP/gPNKR
IB1wJBaCHIKcpUtzNH6ejhWIy8cGUeXAYXiL10gQdg20Nnmr3kdnXDzAipvOPspb
kGM9g4KWiXlUqwlq36btT9HHBC5shC4IzYL/
-----END CERTIFICATE-----
root@tianshu-ai-platform:~# kubectl get secret fmuser-token-9qb8n -o jsonpath='{.data.token}' | base64 --decode
eyJhbGciOiJSUzI1NiIsImtpZCI6IjJ5SVZqUjBOLVdwbUluU2F5M....
在使用中的ca.crt和token都是base64解码过的,存储在secret中的都是经过编码的;
到此这篇关于Java实现连接kubernates集群的两种方式详解的文章就介绍到这了,更多相关Java连接kubernates集群内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家!