My lisNamespaces.py file:

from __future__ import print_function
import time
import kubernetes.client
from kubernetes.client.rest import ApiException

configuration = kubernetes.client.Configuration()
configuration.ssl_ca_cert = 'LS0XXXXXXXXXS0tLQo='
configuration.api_key['authorization'] = 'ZXXXXXXXXXXdw=='
configuration.api_key_prefix['authorization'] = 'Bearer'
configuration.host = 'https://aaaaaaaaaaaaaaa.gr7.us-east-1.eks.amazonaws.com'
#configuration.verify_ssl = False


api_instance = kubernetes.client.CoreV1Api(kubernetes.client.ApiClient(configuration))
api_response = api_instance.list_namespace()
for i in api_response.items:
    print(i.metadata.name)

For the ssl_ca_cert value I ran kubectl edit secret nameofsa-token-xyze -n default and used the ca.crt value. The user has cluster-level admin permissions.

For the bearer token I have used the same user TOKEN.

If I disable SSL verification by setting configuration.verify_ssl = False my code works fine, but with a warning.

I want to know what mistake I am making here in passing ssl_ca_cert. Please help me with this.

2 Answers

4

The mistake I made was to pass the ca.crt data, which I got from kubectl edit secret nameofsa-token-xyze -n default, directly to configuration.ssl_ca_cert in the code.

Instead, the data I got from the above command (kubectl edit secret nameofsa-token-xyze -n default) should be decoded using base64 --decode. This is how I did it:

kubectl get secrets default-token-nqkdv -n default -o jsonpath='{.data.ca\.crt}' | base64 --decode > ca.crt

Then I need to pass the path of the ca.crt file in the code, so the final code looks like below:

from __future__ import print_function
import time
import kubernetes.client
from kubernetes.client.rest import ApiException

configuration = kubernetes.client.Configuration()
configuration.ssl_ca_cert = 'ca.crt'
configuration.api_key['authorization'] = 'ZXXXXXXXXXXdw=='
configuration.api_key_prefix['authorization'] = 'Bearer'
configuration.host = 'https://aaaaaaaaaaaaaaa.gr7.us-east-1.eks.amazonaws.com'

api_instance = kubernetes.client.CoreV1Api(kubernetes.client.ApiClient(configuration))
api_response = api_instance.list_namespace()
for i in api_response.items:
    print(i.metadata.name)
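
The decode-then-pass-a-path fix from this answer, as an added Python example that is not part of the original post. `classify_ca_value` and `write_ca_file` are hypothetical helper names, and the sample secret is constructed (PEM framing around placeholder bytes, not a real certificate).

```python
import base64
import binascii
import os
import ssl
import tempfile

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
# A still-encoded .data["ca.crt"] value starts with base64("-----BEGI").
B64_PEM_PREFIX = base64.b64encode(b"-----BEGI").decode()

# Constructed sample: PEM framing around placeholder bytes, not a real certificate.
SAMPLE_PEM = (PEM_BEGIN + "\n"
              + base64.b64encode(b"constructed placeholder").decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_SECRET = base64.b64encode(SAMPLE_PEM.encode()).decode()


def classify_ca_value(value):
    """Report what kind of value is about to be assigned to ssl_ca_cert."""
    if os.path.isfile(value):
        return "file"          # what ssl_ca_cert expects: a path to a PEM file
    if value.lstrip().startswith(PEM_BEGIN):
        return "inline-pem"    # decoded certificate text, still not a path
    if value.startswith(B64_PEM_PREFIX):
        return "base64-pem"    # copied straight from the secret (the question's mistake)
    return "unknown"


def write_ca_file(secret_value, directory):
    """Decode a secret's base64 ca.crt and save it as a PEM file; return its path."""
    try:
        pem = base64.b64decode(secret_value.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("ca.crt value is not base64-encoded PEM") from exc
    # Raises ValueError unless the text has BEGIN/END CERTIFICATE framing.
    ssl.PEM_cert_to_DER_cert(pem.strip())
    fd, path = tempfile.mkstemp(suffix=".crt", dir=directory)  # created with mode 0600
    with os.fdopen(fd, "w") as handle:
        handle.write(pem)
    return path


if __name__ == "__main__":
    print(classify_ca_value(SAMPLE_SECRET))
    ca_path = write_ca_file(SAMPLE_SECRET, tempfile.gettempdir())
    print(classify_ca_value(ca_path), ca_path)
    # configuration.ssl_ca_cert = ca_path   # then build the ApiClient as above
```
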

0

You can test the token with a basic request:

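import requests

# Read the token; strip the trailing newline so the header value stays valid
with open('/path/to/token', 'r') as token_file:
    token = token_file.read().strip()

url = 'https://my-kubernetes-cluster'

headers = {"Authorization": "Bearer " + token}

# verify= points at the PEM CA file, so the server certificate is still checked
r = requests.get(url, verify='/path/to/ca_chain.crt', headers=headers)

for line in r.iter_lines():
    print(line)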

If the request goes through you can test this code:

from kubernetes import client
from kubernetes.client import Configuration, ApiClient
config = Configuration()
config.api_key = {'authorization': 'Bearer <api_key>'}
config.host = 'https://my-kubernetes-cluster'
config.ssl_ca_cert = "/path/to/ca_chain.crt"

api_client = ApiClient(configuration=config)
v1 = client.CoreV1Api(api_client)

v1.list_pod_for_all_namespaces(watch=False)

Try and let me know if it works for you.

2 Comments

Problem got solved. I need to decode that ca.crt data with base64 --decode and save it to a ca.crt file, then I need to use that path at configuration.ssl_ca_cert = /path/to/the/ca.crt.
Please check my answer for a detailed description. Thanks for your effort.
