Java實(shí)現(xiàn)連接kubernates集群的兩種方式詳解

更新時(shí)間：2024年01月31日 08:08:53 作者：風(fēng)雨咒之無(wú)上密籍

這篇文章主要為大家詳細(xì)介紹了Java實(shí)現(xiàn)連接kubernates集群的兩種方式,文中的示例代碼講解詳細(xì),感興趣的小伙伴可以跟隨小編一起學(xué)習(xí)一下

<properties>
  <maven.compiler.source>8</maven.compiler.source>
  <maven.compiler.target>8</maven.compiler.target>
  <fabric.io.version>6.10.0</fabric.io.version>
</properties>

<dependencies>
  <dependency>
    <groupId>io.fabric8</groupId>
    <artifactId>kubernetes-client</artifactId>
    <version>${fabric.io.version}</version>
  </dependency>
</dependencies>

目標(biāo)：使用盡可能少的配置項(xiàng)來(lái)完成初始化工作，保證后續(xù)部署工作量最小

使用kubeconfig文件連接集群

使用場(chǎng)景

可以獲取集群的kubeconfig文件

環(huán)境變量配置

默認(rèn)配置項(xiàng)：

KUBECONFIG=~/.kube/config

自定義配置：

KUBECONFIG=/opt/file/kubeconfig

示例代碼

import io.fabric8.kubernetes.api.model.Namespace;
import io.fabric8.kubernetes.api.model.NamespaceList;
import io.fabric8.kubernetes.client.KubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClientBuilder;

public class K8sClientWithKubeConfig {
    public static void main(String[] args) {
        KubernetesClient client = new KubernetesClientBuilder().build();
        System.out.println(client.getMasterUrl());
        NamespaceList myNs = client.namespaces().list();

        for (Namespace ns : myNs.getItems()) {
            System.out.println(ns.getMetadata().getName());
        }
        client.close();
    }
}

其中master url為kubeconfig文件中的server字段；

使用ServiceAccount連接集群

使用場(chǎng)景

應(yīng)用部署在k8s集群內(nèi)，且可以創(chuàng)建Service Account和進(jìn)行授權(quán)等操作（RBAC）

創(chuàng)建SA

apiVersion: v1
kind: ServiceAccount
metadata:
 name: fmuser

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
 name: fmuser-role
rules:
 - apiGroups: [""]
   resources: ["pods", "namespaces"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources: ["pods/log"]
   verbs: ["get", "list", "watch"]
 - apiGroups: [""]
   resources: ["pods"]
   verbs: ["delete"]
 - apiGroups: [""]
   resources: ["namespaces"]
   verbs: ["get", "list", "watch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
 name: fmuser-rolebinding
subjects:
 - kind: ServiceAccount
   name: fmuser
   namespace: default
roleRef:
 kind: ClusterRole
 name: fmuser-role
 apiGroup: rbac.authorization.k8s.io

資源授權(quán)根據(jù)實(shí)際使用情況設(shè)置即可，Role（當(dāng)前空間，權(quán)限較小）和ClusterRole（整個(gè)集群，權(quán)限較大）根據(jù)需要?jiǎng)?chuàng)建；在代碼中使用時(shí)，不需要額外配置，客戶(hù)端會(huì)從以下路徑自動(dòng)讀?。?/p>

/home/app # ls -l /var/run/secrets/kubernetes.io/serviceaccount/
total 0
lrwxrwxrwx    1 root     root            13 Jan 22 02:55 ca.crt -> ..data/ca.crt
lrwxrwxrwx    1 root     root            16 Jan 22 02:55 namespace -> ..data/namespace
lrwxrwxrwx    1 root     root            12 Jan 22 02:55 token -> ..data/token
/home/app #

所需的文件就是ca.crt和token；

如果需要在集群外驗(yàn)證這種認(rèn)證方式，需要設(shè)置如下環(huán)境變量：

KUBERNETES_MASTER=https://191.168.7.132:6443;
KUBERNETES_AUTH_SERVICEACCOUNT_TOKEN=/opt/file/serviceaccount-token;
KUBERNETES_CERTS_CA_FILE=/opt/file/serviceaccount-ca.key;
KUBERNETES_AUTH_TRYKUBECONFIG=false

其中serviceaccount-ca.key和serviceaccount-token對(duì)應(yīng)的是上面的ca.crt和token，需要注意的是，使用這種方式，master的url中的端口是6443，而不是默認(rèn)的443，需要注意；

示例代碼

import io.fabric8.kubernetes.api.model.Namespace;
import io.fabric8.kubernetes.api.model.NamespaceList;
import io.fabric8.kubernetes.client.KubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClientBuilder;

public class K8sClientWithServiceAccount {
    public static void main(String[] args) {
        KubernetesClient client = new KubernetesClientBuilder().build();
        System.out.println(client.getConfiguration().getCaCertFile());
        System.out.println(client.getConfiguration().getMasterUrl());
        System.out.println(client.getConfiguration().getAutoOAuthToken());
        NamespaceList myNs = client.namespaces().list();

        for (Namespace ns : myNs.getItems()) {
            System.out.println(ns.getMetadata().getName());
        }
        client.close();
    }
}

打印的值就是環(huán)境變量中設(shè)置的；

獲取sa的ca.crt和token

root@tianshu-ai-platform:~# kubectl get sa
NAME      SECRETS   AGE
default   1         13d
fmuser    1         7d
test      1         7d
root@tianshu-ai-platform:~# kubectl describe sa fmuser
Name:                fmuser
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   fmuser-token-9qb8n
Tokens:              fmuser-token-9qb8n
Events:              <none>
root@tianshu-ai-platform:~# kubectl describe secret fmuser-token-9qb8n
Name:         fmuser-token-9qb8n
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: fmuser
              kubernetes.io/service-account.uid: 012db65a-e482-4626-ba01-fc136786c5b1

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1066 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IjJ5SVZq......

root@tianshu-ai-platform:~# kubectl get secret fmuser-token-9qb8n -o jsonpath='{.data.ca\.crt}'
LS0tLS1CRUdJTiBDRVJ....
root@tianshu-ai-platform:~# kubectl get secret fmuser-token-9qb8n -o jsonpath='{.data.token}'
ZXlKaGJHY2lPaUpTVXpJ.....

root@tianshu-ai-platform:~# kubectl get secret fmuser-token-9qb8n -o jsonpath='{.data.ca\.crt}' | base64 --decode
-----BEGIN CERTIFICATE-----
MIIC5zCCAc+gAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
cm5ldGVzMB4XDTI0MDExNjA1NDUwMloXDTM0MDExMzA1NDUwMlowFTETMBEGA1UE
AxMKa3ViZXJuZXRlczCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMGw
FLPnomd41JAIw7jOVrz4Wm+7RwAZanQpOzvmR+SOZTjq5F2Lu/OXa9JhNNisJ2f1
R/MYNRDxCgeTid7iiG9s5OIS+4TFj5S36kXTYmZ51mQXohqjcZeVPgL+Vb8Jz2lS
uXPBGWwjj8ROfjWQcVE49V0DmybdPpZgjEUIxFVFcp3O7jtfl+oecRz55p4bYUrM
KsTXimmKEOcr4t1J6/DlvaXbZVCpJ28iIaDP2Z8qJT6/fg+jnevXr8QiedEsbx1i
D/FmIdBS2O+UsG9Gs+gUr2SA37UmRxelFiQQlgs/yC0/UEh8mrSkslN+Y5qlHEmI
/ntY6ZySzQhatcNEKMkCAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgKkMA8GA1UdEwEB
/wQFMAMBAf8wHQYDVR0OBBYEFEChpxTbnR+JgB0qm/iHrmTjb+//MA0GCSqGSIb3
DQEBCwUAA4IBAQBcY+JrXiT+OHRhpFV4wdoxh4YKBGbzHNAC+d1mSoJE9K4lbK/n
7SWscW2SdIiCVwmH8VQyH1LKLGQZePuQ64yKetakCD6KCJ40IRY3MQR1lTM5K8pO
KRduy2dLxyfvMFNjjSBiDZnhd9XA1UcqTlwe6o9KAYOvBTePsalS6v7U7tzp1fBI
vtwicakxThcs5jAwb5HA/CHS3VFlAU7g3UZlFgIBvOuLAoUuxxkNIfMoYP/gPNKR
IB1wJBaCHIKcpUtzNH6ejhWIy8cGUeXAYXiL10gQdg20Nnmr3kdnXDzAipvOPspb
kGM9g4KWiXlUqwlq36btT9HHBC5shC4IzYL/
-----END CERTIFICATE-----

root@tianshu-ai-platform:~# kubectl get secret fmuser-token-9qb8n -o jsonpath='{.data.token}' | base64 --decode
eyJhbGciOiJSUzI1NiIsImtpZCI6IjJ5SVZqUjBOLVdwbUluU2F5M....

在使用中的ca.crt和token都是base64解碼過(guò)的，存儲(chǔ)在secret中的都是經(jīng)過(guò)編碼的；

到此這篇關(guān)于Java實(shí)現(xiàn)連接kubernates集群的兩種方式詳解的文章就介紹到這了,更多相關(guān)Java連接kubernates集群內(nèi)容請(qǐng)搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家！

您可能感興趣的文章: