lic*_*rna 5 python kubernetes kubernetes-python-client
我在 Kubernetes 中有以下 CSR 对象:
$ kubectl get csr
NAME AGE REQUESTOR CONDITION
test-certificate-0.my-namespace 53m system:serviceaccount:my-namespace:some-user Pending
我想使用 Python API 客户端批准它:
$ kubectl get csr
NAME AGE REQUESTOR CONDITION
test-certificate-0.my-namespace 53m system:serviceaccount:my-namespace:some-user Pending
现在,csr对象的内容是:
{'api_version': 'certificates.k8s.io/v1beta1',
'kind': 'CertificateSigningRequest',
'metadata': {'annotations': None,
'cluster_name': None,
'creation_timestamp': datetime.datetime(2019, 3, 15, 14, 36, 28, tzinfo=tzutc()),
'deletion_grace_period_seconds': None,
'name': 'test-certificate-0.my-namespace',
'namespace': None,
'owner_references': None,
'resource_version': '4269575',
'self_link': '/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/test-certificate-0.my-namespace',
'uid': 'b818fa4e-472f-11e9-a394-124b379b4e12'},
'spec': {'extra': None,
'groups': ['system:serviceaccounts',
'system:serviceaccounts:cloudp-38483-test01',
'system:authenticated'],
'request': 'redacted',
'uid': 'd5bfde1b-4036-11e9-a394-124b379b4e12',
'usages': ['digital signature', 'key encipherment', 'server auth'],
'username': 'system:serviceaccount:test-certificate-0.my-namespace'},
'status': {'certificate': 'redacted',
'conditions': [{'last_update_time': datetime.datetime(2019, 3, 15, 15, 13, 32, tzinfo=tzutc()),
'message': 'This CSR was approved by kubectl certificate approve.',
'reason': 'KubectlApprove',
'type': 'Approved'}]}}
我想以编程方式批准此证书,如果我使用 kubectl 来完成它(-v=10将使kubectl输出 http 流量):
kubectl certificate approve test-certificate-0.my-namespace -v=10
我可以看到PUT用于批准我的证书的操作:
PUT https://my-kubernetes-cluster.com:8443/apis/certificates.k8s.io/v1beta1/certificatesigningrequests/test-certificate-0.my-namespace/approval
所以我需要到证书对象PUT的/approval资源。现在,我该如何使用 Python Kubernetes 客户端呢?
以下是根据 @jaxxstorm 的回答和我自己的调查来回答我的问题:
# Import required libs and configure your client
from datetime import datetime, timezone
from kubernetes import config, client
config.load_kube_config()
# this is the name of the CSR we want to Approve
name = 'my-csr'
# a reference to the API we'll use
certs_api = client.CertificatesV1beta1Api()
# obtain the body of the CSR we want to sign
body = certs_api.read_certificate_signing_request_status(name)
# create an approval condition
approval_condition = client.V1beta1CertificateSigningRequestCondition(
last_update_time=datetime.now(timezone.utc).astimezone(),
message='This certificate was approved by Python Client API',
reason='MyOwnReason',
type='Approved')
# patch the existing `body` with the new conditions
# you might want to append the new conditions to the existing ones
body.status.conditions = [approval_condition]
# patch the Kubernetes object
response = certs_api.replace_certificate_signing_request_approval(name, body)
之后,KubeCA 将批准并颁发新证书。颁发的证书文件可以从我们刚刚得到的对象中获取response:
import base64
base64.b64decode(response.status.certificate) # this will return the decoded cert
| 归档时间: |
|
| 查看次数: |
580 次 |
| 最近记录: |