Managing a Kubernetes cluster on GCP with the Python API
You can use a bearer token rather than basic authentication:
from google.auth import compute_engine
from google.cloud.container_v1 import ClusterManagerClient
from kubernetes import client
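def test_gke(request):
    """List every pod in a GKE cluster using the VM's Compute Engine identity.

    The bearer token comes from the Compute Engine metadata server, so this is
    meant to run on a GCE/GKE machine whose service account is allowed to read
    the cluster. The API server's TLS certificate is verified against the
    cluster's own CA instead of disabling verification.

    Args:
        request: unused; kept so the function is still collected by pytest
            (the original signature took a fixture argument).
    """
    import base64
    import tempfile

    import google.auth.transport.requests

    project_id = "my-gcp-project"
    zone = "my-zone"
    cluster_id = "my-existing-cluster"

    credentials = compute_engine.Credentials()
    cluster_manager_client = ClusterManagerClient(credentials=credentials)
    cluster = cluster_manager_client.get_cluster(
        name=f"projects/{project_id}/locations/{zone}/clusters/{cluster_id}"
    )

    # The ClusterManagerClient call may or may not have fetched a token on these
    # credentials; refresh explicitly so `credentials.token` is a string rather
    # than None (which would make the "Bearer " concatenation below raise).
    credentials.refresh(google.auth.transport.requests.Request())

    # The cluster CA comes back base64-encoded; the kubernetes client wants a
    # PEM file path. delete=False because the client reads the file lazily,
    # on each connection, for as long as the configuration is in use.
    ca_pem = base64.b64decode(cluster.master_auth.cluster_ca_certificate)
    with tempfile.NamedTemporaryFile(suffix=".pem", delete=False) as ca_file:
        ca_file.write(ca_pem)

    configuration = client.Configuration()
    configuration.host = f"https://{cluster.endpoint}:443"
    # Keep verify_ssl at its default (True) and pin the cluster CA; the endpoint
    # IP is what a gcloud-generated kubeconfig connects to with this same CA.
    configuration.ssl_ca_cert = ca_file.name
    configuration.api_key = {"authorization": "Bearer " + credentials.token}
    client.Configuration.set_default(configuration)

    v1 = client.CoreV1Api()
    print("Listing pods with their IPs:")
    pods = v1.list_pod_for_all_namespaces(watch=False)
    for pod in pods.items:
        print("%s\t%s\t%s" % (pod.status.pod_ip, pod.metadata.namespace, pod.metadata.name))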
Here's an example using a GCP service account to generate a bearer token.
Note that you should enable SSL verification when connecting to your cluster; otherwise you are vulnerable to man-in-the-middle attacks. GKE uses its own per-cluster certificate authority for this, which you need to configure manually.
import base64
import google.auth.transport.requests
from google.oauth2 import service_account
from google.cloud.container_v1 import ClusterManagerClient
from kubernetes import client
from python_hosts.hosts import Hosts, HostsEntry
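def test_gke(request):
    """List every pod in a GKE cluster, authenticating with a service-account key.

    The cluster CA is fetched from the GKE API and written to disk so the
    kubernetes client can verify the API server's TLS certificate. The client
    connects to the host name ``kubernetes``, mapped to the cluster endpoint in
    the local hosts file, so the name matches the server certificate.

    NOTE(review): the endpoint IP itself is normally among the server
    certificate's subject alternative names (a kubeconfig produced by
    ``gcloud container clusters get-credentials`` connects to ``https://<ip>``
    with this same CA), so the hosts-file edit may be avoidable - confirm for
    your cluster.

    Args:
        request: unused; present so the function is collected by pytest.

    Side effects:
        Writes ``cluster_ca_cert`` in the working directory and appends an
        entry to the system hosts file (which normally requires root).
    """
    project_id = "my-gcp-project"
    zone = "my-zone"
    cluster_id = "my-existing-cluster"

    # Service account created in the GCP console, authenticated with its JSON key.
    credentials = service_account.Credentials.from_service_account_file('gcloud_key.json')

    # Cluster details: endpoint IP and CA certificate.
    cluster_manager_client = ClusterManagerClient(credentials=credentials)
    cluster = cluster_manager_client.get_cluster(
        project_id=project_id, zone=zone, cluster_id=cluster_id)

    # The CA is base64-encoded in the API response; the kubernetes client wants
    # a PEM file path. The context manager closes the handle even if the write
    # fails, where the original open()/close() pair would have leaked it.
    cert_filename = 'cluster_ca_cert'
    with open(cert_filename, 'wb') as cert_file:
        cert_file.write(base64.b64decode(cluster.master_auth.cluster_ca_certificate))

    # Map the name ``kubernetes`` to the endpoint so hostname verification
    # succeeds against the server certificate.
    hosts = Hosts()
    hosts.add([HostsEntry(
        entry_type='ipv4', address=cluster.endpoint, names=['kubernetes'])])
    hosts.write()

    # Token with the scopes GKE expects; refresh() is what actually fetches it.
    kubeconfig_creds = credentials.with_scopes([
        'https://www.googleapis.com/auth/cloud-platform',
        'https://www.googleapis.com/auth/userinfo.email',
    ])
    kubeconfig_creds.refresh(google.auth.transport.requests.Request())

    configuration = client.Configuration()
    configuration.host = "https://kubernetes"
    configuration.ssl_ca_cert = cert_filename
    # apply() populates the "authorization" entry of the api_key dict with the
    # bearer token, so no manual header assembly is needed.
    kubeconfig_creds.apply(configuration.api_key)
    client.Configuration.set_default(configuration)

    v1 = client.CoreV1Api()
    print("Listing pods with their IPs:")
    pods = v1.list_pod_for_all_namespaces(watch=False)
    for pod in pods.items:
        print("%s\t%s\t%s" % (pod.status.pod_ip, pod.metadata.namespace, pod.metadata.name))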
Here is the list of the Python libraries used above (their pip project names):
- kubernetes
- google-api-python-client
- google-cloud-container
- python-hosts
You can use the google.oauth2 package to authenticate with a GCP service account.
from google.oauth2 import service_account
from google.cloud.container_v1 import ClusterManagerClient
from kubernetes import client, config
import os
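def test_gke(project_id, zone, cluster_id):
    """List every pod in a GKE cluster using a service-account JSON key.

    The key path is read from the GOOGLE_APPLICATION_CREDENTIALS environment
    variable. The API server's TLS certificate is verified against the cluster
    CA returned by the GKE API rather than skipping verification.

    Args:
        project_id: GCP project that owns the cluster.
        zone: Zone (or location) of the cluster.
        cluster_id: Name of the cluster.

    Raises:
        RuntimeError: if GOOGLE_APPLICATION_CREDENTIALS is not set, instead of
            the opaque TypeError that passing None to open() would produce.
    """
    import base64
    import tempfile

    import google.auth.transport.requests

    key_path = os.getenv('GOOGLE_APPLICATION_CREDENTIALS')
    if not key_path:
        raise RuntimeError(
            "GOOGLE_APPLICATION_CREDENTIALS must point to the service account key file")

    scopes = ['https://www.googleapis.com/auth/cloud-platform']
    credentials = service_account.Credentials.from_service_account_file(key_path, scopes=scopes)

    cluster_manager_client = ClusterManagerClient(credentials=credentials)
    cluster = cluster_manager_client.get_cluster(project_id, zone, cluster_id)

    # Service-account credentials start with token == None; the cluster manager
    # call may already have refreshed them, but refresh explicitly so the
    # "Bearer " concatenation below never sees None.
    credentials.refresh(google.auth.transport.requests.Request())

    # The cluster CA comes back base64-encoded; the kubernetes client wants a
    # PEM file path. delete=False because the client reads it per connection.
    ca_pem = base64.b64decode(cluster.master_auth.cluster_ca_certificate)
    with tempfile.NamedTemporaryFile(suffix=".pem", delete=False) as ca_file:
        ca_file.write(ca_pem)

    configuration = client.Configuration()
    configuration.host = "https://" + cluster.endpoint + ":443"
    # verify_ssl stays at its default (True); pin the cluster CA instead.
    configuration.ssl_ca_cert = ca_file.name
    configuration.api_key = {"authorization": "Bearer " + credentials.token}
    client.Configuration.set_default(configuration)

    v1 = client.CoreV1Api()
    print("Listing pods with their IPs:")
    pods = v1.list_pod_for_all_namespaces(watch=False)
    for pod in pods.items:
        print("%s\t%s\t%s" % (pod.status.pod_ip, pod.metadata.namespace, pod.metadata.name))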
Refer to the link below to learn more about authorized GCP API calls: https://developers.google.com/identity/protocols/OAuth2ServiceAccount