k8s-pod: operating on k8s resources from a program inside a pod (InClusterConfig)

Posted DevOperaterVita


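When we develop a program that needs to access resources such as pods and deployments in a k8s cluster, we use the k8s.io/client-go module. Using this module involves the following steps:

1. Obtain a config object

clientcmd.BuildConfigFromFlags builds the config from the path of a kubeconfig file

rest.InClusterConfig directly uses the token and other content that come with the pod

2. Obtain a k8s client

3. Use the k8s client to fetch k8s resources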

package main

import (
	"context"
	"fmt"
	"os"
	"path/filepath"

	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/rest"
	"k8s.io/client-go/tools/clientcmd"
	"k8s.io/client-go/util/homedir"
)

func main() {
	kubeConfig, err := CreateKubeConfig()
	if err != nil {
		panic(err)
	}

	kubeClient, err := kubernetes.NewForConfig(kubeConfig)
	if err != nil {
		panic(err)
	}

	// Fetch pod resources; the empty namespace "" lists pods in all namespaces
	pods, err := kubeClient.CoreV1().Pods("").List(context.Background(), v1.ListOptions{})
	if err != nil {
		panic(err)
	}
	fmt.Printf("found %d pods\n", len(pods.Items))
}

// PathExists reports whether path exists; any error other than
// "does not exist" is returned to the caller.
func PathExists(path string) (bool, error) {
	_, err := os.Stat(path)
	if err == nil {
		return true, nil
	}
	if os.IsNotExist(err) {
		return false, nil
	}
	return false, err
}

// CreateKubeConfig returns a config built from ~/.kube/config when that file
// exists, and falls back to the in-cluster config otherwise.
func CreateKubeConfig() (*rest.Config, error) {
	kubeConfigPath := ""
	if home := homedir.HomeDir(); home != "" {
		kubeConfigPath = filepath.Join(home, ".kube", "config")
	}
	fileExist, err := PathExists(kubeConfigPath)
	if err != nil {
		return nil, fmt.Errorf("justify kubeConfigPath exist err,err:%v", err)
	}
	// If the .kube/config file exists, use it.
	// This is mainly for local testing.
	if fileExist {
		config, err := clientcmd.BuildConfigFromFlags("", kubeConfigPath)
		if err != nil {
			return nil, err
		}
		return config, nil
	} else {
		// When the program runs as a pod, it takes this branch.
		config, err := rest.InClusterConfig()
		if err != nil {
			return nil, err
		}
		return config, nil
	}
}
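
The inputs that rest.InClusterConfig relies on inside a pod, shown as an added standard-library example (not the original post's code and not client-go's implementation): the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT environment variables and the token mounted under /var/run/secrets/kubernetes.io/serviceaccount. It also decodes the token's sub claim to show which ServiceAccount the pod acts as; the helper name InClusterIdentity and its parameters are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"os"
	"path/filepath"
	"strings"
)

// Default mount point of the ServiceAccount credentials inside a pod.
const saDir = "/var/run/secrets/kubernetes.io/serviceaccount"

// InClusterIdentity (hypothetical helper) gathers the same inputs that
// rest.InClusterConfig uses and returns the API server URL plus the "sub"
// claim of the mounted token, i.e. the identity that RBAC evaluates.
func InClusterIdentity(dir string, getenv func(string) string) (string, string, error) {
	host, port := getenv("KUBERNETES_SERVICE_HOST"), getenv("KUBERNETES_SERVICE_PORT")
	if host == "" || port == "" {
		return "", "", errors.New("not running in a pod: KUBERNETES_SERVICE_* unset")
	}
	raw, err := os.ReadFile(filepath.Join(dir, "token"))
	if err != nil {
		return "", "", fmt.Errorf("read token: %w", err)
	}
	parts := strings.Split(strings.TrimSpace(string(raw)), ".")
	if len(parts) != 3 {
		return "", "", errors.New("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", "", fmt.Errorf("decode claims: %w", err)
	}
	var claims struct{ Sub string `json:"sub"` }
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", "", fmt.Errorf("parse claims: %w", err)
	}
	// Decoding only: the signature is verified by the API server, not here.
	return "https://" + net.JoinHostPort(host, port), claims.Sub, nil
}

func main() {
	fmt.Println(InClusterIdentity(saDir, os.Getenv))
}
```

Any process that can read this token file can call the API server with the ServiceAccount's permissions, so the role bound to that ServiceAccount should grant only what the program needs.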

Next we look mainly at InClusterConfig.

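1. Create the serviceAccount

To operate on k8s resources, a serviceAccount has to be granted permissions.

As above: we want to operate on pod resources, so we create the following resources.

Once the resources below are created, the op-pod-service-account ServiceAccount has permission to list and watch pods, in every namespace because the role is bound with a ClusterRoleBinding.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: opPodClusterRole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
  - watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: opPodClusterRoleBinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: opPodClusterRole
subjects:
- kind: ServiceAccount
  # ServiceAccount names must be lowercase DNS subdomain names, so the name
  # is written in lowercase with hyphens (the API server rejects opPodServiceAccount)
  name: op-pod-service-account
  namespace: default
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: op-pod-service-account
  namespace: default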

2. Make the pod that runs the program use the ServiceAccount above

serviceAccount: live-media-watch-pod

The ServiceAccount named here, in the Deployment's namespace, must be the one listed under subjects in the ClusterRoleBinding; this Deployment uses live-media-watch-pod in bixin-system.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    operator: live-media-watch-pod
  name: live-media-watch-pod
  namespace: bixin-system
spec:
  replicas: 1
  selector:
    matchLabels:
      operator: live-media-watch-pod
  strategy:
    rollingUpdate:
      maxSurge: 100%
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        operator: live-media-watch-pod
    spec:
      containers:
      - image: ******.**.com/k8s/live-media-watch-pod:202201211654
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 10
          httpGet:
            path: healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          periodSeconds: 5
          successThreshold: 1
          timeoutSeconds: 3
        name: live-media-watch-pod
        readinessProbe:
          failureThreshold: 10
          httpGet:
            path: healthz
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 30
          periodSeconds: 5
          successThreshold: 1
          timeoutSeconds: 3
      # serviceAccount is the deprecated alias of serviceAccountName
      serviceAccount: live-media-watch-pod

After this, if we look at the pod's YAML, we will see that the pod has automatically gained a
