Managing a Kubernetes cluster on GCP with the Python API

You can use a bearer token rather than using basic authentication:

import base64
import tempfile

import google.auth.transport.requests
from google.auth import compute_engine
from google.cloud.container_v1 import ClusterManagerClient
from kubernetes import client


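def test_gke(request):
    """List every pod in a GKE cluster using the VM's Compute Engine identity.

    ``request`` is accepted for the pytest-fixture calling convention and is
    not used. The project/zone/cluster values are placeholders to replace.

    Raises:
        Whatever the google-auth / container / kubernetes clients raise on a
        failed token refresh, cluster lookup or API call.
    """
    project_id = "my-gcp-project"
    zone = "my-zone"
    cluster_id = "my-existing-cluster"

    credentials = compute_engine.Credentials()
    # Compute Engine credentials are lazy: ``credentials.token`` is None until
    # the first refresh, so without this the header would read "Bearer None".
    credentials.refresh(google.auth.transport.requests.Request())

    cluster_manager_client = ClusterManagerClient(credentials=credentials)
    cluster = cluster_manager_client.get_cluster(
        name=f"projects/{project_id}/locations/{zone}/clusters/{cluster_id}"
    )

    # Verify the API server against the cluster's own CA rather than disabling
    # TLS verification, which would hand the bearer token to any interposed host.
    ca_pem = base64.b64decode(cluster.master_auth.cluster_ca_certificate)
    with tempfile.NamedTemporaryFile("wb", suffix=".crt", delete=False) as ca_file:
        ca_file.write(ca_pem)
    # The CA file is deliberately left on disk: the kubernetes client takes a
    # path, not bytes. Remove it once the client is no longer needed.

    configuration = client.Configuration()
    configuration.host = f"https://{cluster.endpoint}:443"
    configuration.ssl_ca_cert = ca_file.name
    configuration.api_key = {"authorization": "Bearer " + credentials.token}
    client.Configuration.set_default(configuration)

    v1 = client.CoreV1Api()
    print("Listing pods with their IPs:")
    pods = v1.list_pod_for_all_namespaces(watch=False)
    for pod in pods.items:
        print(f"{pod.status.pod_ip}\t{pod.metadata.namespace}\t{pod.metadata.name}")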

Here's an example using a GCP service account to generate a bearer token.

Note that you should make sure SSL verification is enabled when you connect to your cluster; otherwise you are vulnerable to man-in-the-middle attacks. GKE relies on its own per-cluster certificate for this, which you need to configure manually.

import base64
import google.auth.transport.requests
from google.oauth2 import service_account
from google.cloud.container_v1 import ClusterManagerClient
from kubernetes import client
from python_hosts.hosts import Hosts, HostsEntry


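def test_gke(request):
    """List every pod in a GKE cluster, authenticating with a service-account key.

    ``request`` is accepted for the pytest-fixture calling convention and is
    not used. The project/zone/cluster values are placeholders to replace.

    Side effects: writes the cluster CA to ``cluster_ca_cert`` in the current
    directory and appends a ``kubernetes`` entry to the system hosts file
    (``hosts.write()`` needs permission to edit that file).

    Raises:
        Whatever the google-auth / container / kubernetes / python-hosts
        libraries raise on failure.
    """
    project_id = "my-gcp-project"
    zone = "my-zone"
    cluster_id = "my-existing-cluster"

    # Use a service account configured in GCP console,
    # authenticating with a JSON key
    credentials = service_account.Credentials \
        .from_service_account_file('gcloud_key.json')

    # Get cluster details
    cluster_manager_client = ClusterManagerClient(credentials=credentials)
    cluster = cluster_manager_client.get_cluster(
            project_id=project_id, zone=zone,
            cluster_id=cluster_id)

    # Save cluster certificate for SSL verification; ``with`` guarantees the
    # handle is closed (and the bytes flushed) before the client reads the path.
    cert = base64.b64decode(cluster.master_auth.cluster_ca_certificate)
    cert_filename = 'cluster_ca_cert'
    with open(cert_filename, 'wb') as cert_file:
        cert_file.write(cert)

    # Configure hostname for SSL verification: the client connects to the
    # name "kubernetes", which is mapped here to the cluster endpoint IP.
    hosts = Hosts()
    hosts.add([HostsEntry(
            entry_type='ipv4',
            address=cluster.endpoint, names=['kubernetes'])])
    hosts.write()

    # Get a token with the scopes required by GKE. ``refresh`` is what actually
    # obtains the access token; the credentials object starts out without one.
    kubeconfig_creds = credentials.with_scopes(
            ['https://www.googleapis.com/auth/cloud-platform',
             'https://www.googleapis.com/auth/userinfo.email'])
    auth_req = google.auth.transport.requests.Request()
    kubeconfig_creds.refresh(auth_req)

    configuration = client.Configuration()
    configuration.host = "https://kubernetes"
    configuration.ssl_ca_cert = cert_filename
    # ``apply`` writes the "authorization: Bearer ..." header into the dict
    # the kubernetes client uses for API keys.
    kubeconfig_creds.apply(configuration.api_key)
    client.Configuration.set_default(configuration)

    v1 = client.CoreV1Api()
    print("Listing pods with their IPs:")
    pods = v1.list_pod_for_all_namespaces(watch=False)
    for pod in pods.items:
        print(f"{pod.status.pod_ip}\t{pod.metadata.namespace}\t{pod.metadata.name}")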

Here is also the list of the Python libraries used (by their pip project names):

  • kubernetes
  • google-api-python-client
  • google-cloud-container
  • python-hosts

You can use the google.oauth2 package to authenticate with a GCP service account.

from google.oauth2 import service_account
from google.cloud.container_v1 import ClusterManagerClient
from kubernetes import client, config
import os

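def test_gke(project_id, zone, cluster_id):
    """List every pod in the GKE cluster ``cluster_id`` in ``zone`` of ``project_id``.

    The service-account JSON key is read from the path in the
    GOOGLE_APPLICATION_CREDENTIALS environment variable.

    Raises:
        RuntimeError: if GOOGLE_APPLICATION_CREDENTIALS is unset or empty.
        Whatever the google-auth / container / kubernetes clients raise on a
        failed token refresh, cluster lookup or API call.
    """
    # Function-scope imports keep this snippet self-contained.
    import base64
    import tempfile
    import google.auth.transport.requests

    SCOPES = ['https://www.googleapis.com/auth/cloud-platform']
    key_path = os.getenv('GOOGLE_APPLICATION_CREDENTIALS')
    if not key_path:
        # Fail with a clear message instead of an obscure error from open(None).
        raise RuntimeError(
            "GOOGLE_APPLICATION_CREDENTIALS is not set; it must point to the "
            "service-account JSON key file")
    credentials = service_account.Credentials.from_service_account_file(key_path, scopes=SCOPES)
    # Service-account credentials have no token until refreshed; without this
    # the header would read "Bearer None".
    credentials.refresh(google.auth.transport.requests.Request())

    cluster_manager_client = ClusterManagerClient(credentials=credentials)
    cluster = cluster_manager_client.get_cluster(project_id, zone, cluster_id)

    # Verify the API server against the cluster's own CA rather than disabling
    # TLS verification, which would hand the bearer token to any interposed host.
    ca_pem = base64.b64decode(cluster.master_auth.cluster_ca_certificate)
    with tempfile.NamedTemporaryFile("wb", suffix=".crt", delete=False) as ca_file:
        ca_file.write(ca_pem)
    # The CA file is deliberately left on disk: the kubernetes client takes a
    # path, not bytes. Remove it once the client is no longer needed.

    configuration = client.Configuration()
    configuration.host = f"https://{cluster.endpoint}:443"
    configuration.ssl_ca_cert = ca_file.name
    configuration.api_key = {"authorization": "Bearer " + credentials.token}
    client.Configuration.set_default(configuration)

    v1 = client.CoreV1Api()
    print("Listing pods with their IPs:")
    pods = v1.list_pod_for_all_namespaces(watch=False)
    for pod in pods.items:
        print(f"{pod.status.pod_ip}\t{pod.metadata.namespace}\t{pod.metadata.name}")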

Refer to the link below to learn more about GCP authorized API calls: https://developers.google.com/identity/protocols/OAuth2ServiceAccount