Using the Kubernetes Java Client

Reference, GitHub: https://github.com/kubernetes-client/java/

First use: testing the connection

Add the kubernetes-client Maven dependency:

<dependency>
    <groupId>io.kubernetes</groupId>
    <artifactId>client-java</artifactId>
    <version>17.0.0</version>
</dependency>

Getting a kubeconfig out of GKE (Google Kubernetes Engine) is awkward, and the program has to run inside the cluster anyway, so the InClusterClientExample from the client's examples is used as-is to test connectivity. An in-cluster client authenticates with the service-account token mounted into the pod under /var/run/secrets/kubernetes.io/serviceaccount/, so it acts as whatever service account the pod runs as: the namespace's default service account unless the pod spec sets serviceAccountName.

import io.kubernetes.client.openapi.ApiClient;
import io.kubernetes.client.openapi.ApiException;
import io.kubernetes.client.openapi.Configuration;
import io.kubernetes.client.openapi.apis.CoreV1Api;
import io.kubernetes.client.openapi.models.V1Pod;
import io.kubernetes.client.openapi.models.V1PodList;
import io.kubernetes.client.util.ClientBuilder;
import java.io.IOException;

public class InClusterClientExample {
    public static void main(String[] args) throws IOException, ApiException {
        // Builds a client from the mounted service-account token; by default this is the
        // "default" service account of the namespace the pod runs in.
        ApiClient client = ClientBuilder.cluster().build();

        Configuration.setDefaultApiClient(client);

        // the CoreV1Api loads the default api-client from the global configuration.
        CoreV1Api api = new CoreV1Api();

        // invokes the CoreV1Api client

        // The official example calls listPodForAllNamespaces (all pods, every namespace),
        // but the default service account has no cluster-wide permission.
        // Replace it with api.listNamespacedPod(...) and pass "default" as the namespace.
        V1PodList list =
            api.listPodForAllNamespaces(null, null, null, null, null, null, null, null, null, null);
        for (V1Pod item : list.getItems()) {
            System.out.println(item.getMetadata().getName());
        }
    }
}

Code source: https://github.com/kubernetes-client/java/blob/master/examples/examples-release-15/src/main/java/io/kubernetes/client/examples/InClusterClientExample.java

As noted above, the default service account has almost no permissions: even after replacing listPodForAllNamespaces() with listNamespacedPod(), the call throws an ApiException because the account may not read pods.

The error looks like this (the message below is from the all-namespaces call; the namespaced call returns the same 403 with "in the namespace \"default\"" in place of "at the cluster scope"):

Response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:default:default\" cannot list resource \"pods\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}

So the default service account needs permission to read Pod resources. A Role and a RoleBinding grant exactly that and, because both are namespaced, nothing in any other namespace.

Write rbac.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- kind: ServiceAccount
  name: default
  namespace: default

This creates a Role that allows get, list and watch on pods, and a RoleBinding that binds it to the default service account, which is enough for listNamespacedPod() in that namespace. Two things to keep in mind: neither object declares metadata.namespace, so kubectl creates them in the namespace of the current context, which must be default to match the subject; and binding rights to the default service account hands them to every pod in the namespace that does not set its own serviceAccountName. For anything beyond a connectivity test, create a dedicated ServiceAccount, bind the Role to it, and set serviceAccountName in the application's pod spec.

Apply it with kubectl:

kubectl apply -f rbac.yaml

After that the code can read the pods in the default namespace.
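The listing above hard-codes the namespace and only surfaces the raw 403. As an added example (my code, not part of the original post or of the kubernetes-client project), the following class reads its own namespace from the service-account mount, asks the API server through a SelfSubjectAccessReview whether the token may list pods there (the programmatic equivalent of kubectl auth can-i), and only then lists the pods. Positional signatures are those of client-java 17.0.0; the 30-second read timeout is an assumed value.

```java
import io.kubernetes.client.openapi.ApiClient;
import io.kubernetes.client.openapi.ApiException;
import io.kubernetes.client.openapi.Configuration;
import io.kubernetes.client.openapi.apis.AuthorizationV1Api;
import io.kubernetes.client.openapi.apis.CoreV1Api;
import io.kubernetes.client.openapi.models.V1Pod;
import io.kubernetes.client.openapi.models.V1PodList;
import io.kubernetes.client.openapi.models.V1ResourceAttributes;
import io.kubernetes.client.openapi.models.V1SelfSubjectAccessReview;
import io.kubernetes.client.openapi.models.V1SelfSubjectAccessReviewSpec;
import io.kubernetes.client.util.ClientBuilder;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;

public class NamespacedPodLister {

    // Standard in-cluster mount written by the kubelet; the path is the default one.
    private static final String SA_NAMESPACE_FILE =
        "/var/run/secrets/kubernetes.io/serviceaccount/namespace";

    /** Namespace this pod runs in, so "default" is never hard-coded. */
    static String ownNamespace() throws IOException {
        return new String(Files.readAllBytes(Paths.get(SA_NAMESPACE_FILE)), StandardCharsets.UTF_8).trim();
    }

    /**
     * Asks the API server whether the caller (the mounted token) may perform verb on
     * resource in namespace. This is what `kubectl auth can-i` does; SelfSubjectAccessReview
     * needs no RBAC grant of its own, so it works before any Role is bound.
     */
    static boolean canI(AuthorizationV1Api authz, String namespace, String verb, String resource)
            throws ApiException {
        V1SelfSubjectAccessReview review = new V1SelfSubjectAccessReview()
            .spec(new V1SelfSubjectAccessReviewSpec()
                .resourceAttributes(new V1ResourceAttributes()
                    .namespace(namespace)
                    .verb(verb)
                    .group("")          // core API group
                    .resource(resource)));
        // client-java 17.x: body followed by four optional query params (all left null here)
        V1SelfSubjectAccessReview result = authz.createSelfSubjectAccessReview(review, null, null, null, null);
        return result.getStatus() != null && Boolean.TRUE.equals(result.getStatus().getAllowed());
    }

    /** Lists pod names in one namespace; a server-side timeout keeps the call bounded. */
    static List<String> listPodNames(CoreV1Api api, String namespace) throws ApiException {
        // client-java 17.x: namespace, pretty, allowWatchBookmarks, _continue, fieldSelector,
        // labelSelector, limit, resourceVersion, resourceVersionMatch, timeoutSeconds, watch
        V1PodList list = api.listNamespacedPod(namespace, null, null, null, null, null, null, null, null, 10, null);
        List<String> names = new ArrayList<>();
        for (V1Pod p : list.getItems()) {
            names.add(p.getMetadata().getName());
        }
        return names;
    }

    public static void main(String[] args) throws IOException {
        ApiClient client = ClientBuilder.cluster().build();
        client.setReadTimeout(30_000);      // assumed value: never hang forever on a dead connection
        Configuration.setDefaultApiClient(client);

        String ns = ownNamespace();
        try {
            if (!canI(new AuthorizationV1Api(), ns, "list", "pods")) {
                System.err.println("service account may not list pods in " + ns
                    + "; apply the Role/RoleBinding first");
                System.exit(2);
            }
            for (String name : listPodNames(new CoreV1Api(), ns)) {
                System.out.println(name);
            }
        } catch (ApiException e) {
            // 403: the token was accepted but RBAC denies the verb, so fix the binding, not the client.
            // 401: the token itself was rejected (rotated projected token, wrong mount, wrong cluster).
            System.err.println("HTTP " + e.getCode() + ": " + e.getResponseBody());
            System.exit(1);
        }
    }
}
```

The same check from a workstation is kubectl auth can-i list pods --as=system:serviceaccount:default:default, which is the quickest way to confirm that rbac.yaml landed in the right namespace before redeploying the application.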

Implementing the feature: creating a Job from code

import io.kubernetes.client.custom.Quantity;
import io.kubernetes.client.openapi.ApiClient;
import io.kubernetes.client.openapi.ApiException;
import io.kubernetes.client.openapi.Configuration;
import io.kubernetes.client.openapi.apis.BatchV1Api;
import io.kubernetes.client.openapi.models.*;
import io.kubernetes.client.util.ClientBuilder;
import java.io.IOException;
import java.util.List;
import java.util.Map;

// `config` (volume name and mount path) and `log` (an slf4j Logger) are fields of the
// enclosing class and are not shown here.
public void createJob(String jobName,
                      String image,
                      List<String> command,
                      String containerName,
                      Map<String, String> nodeSelector,
                      Map<String, Quantity> resourceLimits,
                      Map<String, Quantity> resourceRequests) {

    ApiClient client;
    try {
        // in-cluster client: authenticates with the service-account token mounted into this pod
        client = ClientBuilder.cluster().build();
    } catch (IOException e) {
        throw new RuntimeException("cannot build in-cluster client", e);
    }
    Configuration.setDefaultApiClient(client);

    // mount an existing PersistentVolumeClaim into the job container
    V1Volume v1Volume = new V1Volume()
        .name(config.getVolumeName())
        .persistentVolumeClaim(new V1PersistentVolumeClaimVolumeSource()
            .claimName(config.getVolumeName()));

    V1VolumeMount v1VolumeMount = new V1VolumeMount()
        .name(config.getVolumeName())
        .mountPath(config.getVolumeMountPath());

    V1ResourceRequirements resources = new V1ResourceRequirements()
        .limits(resourceLimits)
        .requests(resourceRequests);

    V1Job job = new V1Job()
        .metadata(new V1ObjectMeta().name(jobName))
        .spec(new V1JobSpec()
            .backoffLimit(1)                    // retry a failed pod at most once
            .template(new V1PodTemplateSpec()
                .spec(new V1PodSpec()
                    .addVolumesItem(v1Volume)
                    .addContainersItem(new V1Container()
                        .name(containerName)
                        .image(image)
                        .command(command)
                        .resources(resources)
                        .addVolumeMountsItem(v1VolumeMount))
                    .nodeSelector(nodeSelector)
                    .restartPolicy("Never"))));  // Jobs require Never or OnFailure

    try {
        BatchV1Api batchApi = new BatchV1Api();
        // client-java 17.x: namespace, body, pretty, dryRun, fieldManager, fieldValidation
        V1Job createdJob = batchApi.createNamespacedJob("default", job, null, null, null, null);
        log.info("Created Job: {}", createdJob.getMetadata().getName());
    } catch (ApiException e) {
        // 403 here means the service account lacks "create" on jobs in the batch group
        log.error("Kubernetes API returned an error: code={} body={}",
            e.getCode(), e.getResponseBody(), e);
    }
}

Write an rbac.yaml that grants the default service account permission to create Jobs:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: job-creator
rules:
- apiGroups: ["batch"]
  resources: ["jobs"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: create-jobs
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: job-creator
subjects:
- kind: ServiceAccount
  name: default
  namespace: default

Run: kubectl apply -f rbac.yaml

The createJob() method only ever calls create, so create (plus get if the code later polls the Job's status) is all this Role needs; the delete, patch, update and watch verbs are broader than the code uses and should be dropped until something needs them. The Job's pods are created by the Job controller, not by this service account, so no permission on pods is needed for the Job to run.
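The createJob() method and the job-creator Role leave two things implicit: the namespace is hard-coded, and the Job's pods run as the namespace's default service account, so they inherit whatever the pod-reader and job-creator bindings grant. As an added example (my code, not the original post's), the following class reads the namespace from the service-account mount, runs the worker under a separate service account named job-runner that has no RoleBindings (an assumed name; it must already exist in the namespace, e.g. kubectl create sa job-runner), disables token automount for the worker, applies a restrictive securityContext, bounds the Job's lifetime, and validates the object with a server-side dry run before creating it. The image, command, resource values, labels and uid are placeholders; signatures are those of client-java 17.0.0.

```java
import io.kubernetes.client.custom.Quantity;
import io.kubernetes.client.openapi.ApiClient;
import io.kubernetes.client.openapi.ApiException;
import io.kubernetes.client.openapi.Configuration;
import io.kubernetes.client.openapi.apis.BatchV1Api;
import io.kubernetes.client.openapi.models.*;
import io.kubernetes.client.util.ClientBuilder;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class HardenedJobCreator {

    private static final String SA_NAMESPACE_FILE =
        "/var/run/secrets/kubernetes.io/serviceaccount/namespace";

    /** Builds the Job object; kept apart from the API call so it can be inspected or dry-run. */
    static V1Job buildJob(String jobName, String image, List<String> command) {
        Map<String, Quantity> requests = new HashMap<>();   // placeholder sizes
        requests.put("cpu", Quantity.fromString("250m"));
        requests.put("memory", Quantity.fromString("256Mi"));
        Map<String, Quantity> limits = new HashMap<>();
        limits.put("cpu", Quantity.fromString("1"));
        limits.put("memory", Quantity.fromString("512Mi"));

        V1Container container = new V1Container()
            .name("worker")
            .image(image)
            .command(command)
            .resources(new V1ResourceRequirements().requests(requests).limits(limits))
            .securityContext(new V1SecurityContext()
                .runAsNonRoot(true)
                .runAsUser(65534L)                       // "nobody"; images that run as root need an explicit uid
                .allowPrivilegeEscalation(false)
                .readOnlyRootFilesystem(true)            // relax only for images that must write to /
                .capabilities(new V1Capabilities().drop(Arrays.asList("ALL"))));

        V1PodSpec podSpec = new V1PodSpec()
            // Job pods must not run as the creator's service account, or they inherit
            // job-creator/pod-reader. "job-runner" is an assumed SA with no RoleBindings.
            .serviceAccountName("job-runner")
            .automountServiceAccountToken(false)         // the worker never talks to the API server
            .restartPolicy("Never")
            .addContainersItem(container);

        return new V1Job()
            .metadata(new V1ObjectMeta()
                .name(jobName)
                .putLabelsItem("app.kubernetes.io/managed-by", "job-creator"))
            .spec(new V1JobSpec()
                .backoffLimit(1)
                .activeDeadlineSeconds(600L)             // kill a runaway job after 10 minutes
                .ttlSecondsAfterFinished(3600)           // garbage-collect finished Jobs and their pods
                .template(new V1PodTemplateSpec().spec(podSpec)));
    }

    /** Creates the Job; dryRun="All" runs validation and admission (including RBAC) without persisting. */
    static V1Job createJob(BatchV1Api batch, String namespace, V1Job job, boolean dryRun) throws ApiException {
        // client-java 17.x: namespace, body, pretty, dryRun, fieldManager, fieldValidation.
        // fieldValidation=Strict makes the server reject unknown or duplicate fields.
        return batch.createNamespacedJob(namespace, job, null, dryRun ? "All" : null, "job-creator", "Strict");
    }

    public static void main(String[] args) throws IOException {
        ApiClient client = ClientBuilder.cluster().build();
        Configuration.setDefaultApiClient(client);
        String ns = new String(Files.readAllBytes(Paths.get(SA_NAMESPACE_FILE)), StandardCharsets.UTF_8).trim();

        V1Job job = buildJob("example-job", "busybox:1.36", Arrays.asList("sh", "-c", "echo hello; sleep 5"));
        BatchV1Api batch = new BatchV1Api();
        try {
            createJob(batch, ns, job, true);              // server-side validation first
            V1Job created = createJob(batch, ns, job, false);
            System.out.println("created " + created.getMetadata().getNamespace()
                + "/" + created.getMetadata().getName());
        } catch (ApiException e) {
            if (e.getCode() == 403) {
                System.err.println("RBAC denies create on jobs.batch in " + ns + ": " + e.getResponseBody());
            } else if (e.getCode() == 409) {
                System.err.println("a Job named " + job.getMetadata().getName() + " already exists");
            } else {
                System.err.println("HTTP " + e.getCode() + ": " + e.getResponseBody());
            }
            throw new RuntimeException("job creation failed", e);   // surface the failure instead of swallowing it
        }
    }
}
```

With the worker pinned to job-runner, the only identity that can create Jobs is the application's own service account, and a compromised worker container holds no usable token at all. If the worker does need API access, give job-runner its own minimal Role rather than reusing the creator's binding.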
