Unable to connect GKE autopilot cluster from kubernetes python client


I have created an Autopilot cluster on GKE.

I want to connect to it and manage it with the Python Kubernetes client.

I am able to get the kubeconfig of the cluster.

I am able to access the cluster using kubectl on my local system using the command

gcloud container clusters get-credentials

When I try to connect with the Python client library of Kubernetes, I get the following error:

  File "lib/python3.7/site-packages/urllib3/util/retry.py", line 399, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='xxx.xx.xxx.xxx', port=443): Max retries exceeded with url: /apis/extensions/v1beta1/namespaces/default/ingresses (Caused by SSLError(SSLError(136, '[X509] no certificate or crl found (_ssl.c:4140)')))

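Here is the code I am using:

import os

import google.auth
import google.auth.transport.requests
from google.cloud.container_v1 import ClusterManagerClient
from kubernetes import config

# Service account key file used by google.auth.default()
os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = "863924b908c7.json"

credentials, project = google.auth.default(
    scopes=['https://www.googleapis.com/auth/cloud-platform', ])

# Fetch an access token for the service account
credentials.refresh(google.auth.transport.requests.Request())

cluster_manager = ClusterManagerClient(credentials=credentials)
# cluster = cluster_manager.get_cluster(project)
# Load the kubeconfig written by gcloud
config.load_kube_config('config.yaml')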

There is 1 answer

E Brake On

Here's what I figured out. I think it's a good solution because it prevents man-in-the-middle attacks (uses SSL), unlike other Python snippets in the wild.

from google.cloud.container_v1 import ClusterManagerClient
from kubernetes import client
from tempfile import NamedTemporaryFile
import base64
import google.auth
import google.auth.transport.requests

# gcp_project_id, cluster_zone_or_region and cluster_id must be set by the caller.
credentials, project = google.auth.default(scopes=['https://www.googleapis.com/auth/cloud-platform',])
credentials.refresh(google.auth.transport.requests.Request())
cluster_manager = ClusterManagerClient(credentials=credentials)
cluster = cluster_manager.get_cluster(name=f"projects/{gcp_project_id}/locations/{cluster_zone_or_region}/clusters/{cluster_id}")

# The API returns the cluster CA as base64-encoded PEM; write it to a file
# that stays on disk (delete=False) so the client can read it later.
with NamedTemporaryFile(delete=False) as ca_cert:
    ca_cert.write(base64.b64decode(cluster.master_auth.cluster_ca_certificate))

config = client.Configuration()
config.host = f'https://{cluster.endpoint}:443'
config.verify_ssl = True  # keep certificate verification on
config.api_key = {"authorization": "Bearer " + credentials.token}
config.username = credentials.service_account_email
config.ssl_ca_cert = ca_cert.name  # verify the API server against the cluster CA
client.Configuration.set_default(config)

# make calls with client

On GKE, SSL validation works on the IP automatically. If you are in an environment where it doesn't work for some reason, you can bind the IP to a hostname like this:

from python_hosts.hosts import (Hosts, HostsEntry)
hosts = Hosts()
hosts.add([HostsEntry(entry_type='ipv4', address=cluster.endpoint, names=['kubernetes'])])
hosts.write()
config.host = "https://kubernetes"
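
Added example, not part of the original answer: OpenSSL reports "no certificate or crl found", the error in the question, when the file used as the CA bundle contains no PEM certificate. This pre-flight check decodes the base64 CA value, refuses to continue if it holds no certificate, and writes it to an owner-only temp file. The names `count_pem_certs` and `write_cluster_ca` are hypothetical, and the sample input is constructed.

```python
import base64
import binascii
import os
import re
import tempfile

# One PEM certificate block; the captured body is base64 text.
_PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----"
)


def count_pem_certs(pem_bytes):
    """Return how many structurally plausible certificates the PEM data holds."""
    count = 0
    for match in _PEM_CERT.finditer(pem_bytes):
        try:
            der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
        except binascii.Error:
            continue
        # A DER-encoded certificate is an ASN.1 SEQUENCE, tag byte 0x30.
        if der[:1] == b"\x30":
            count += 1
    return count


def write_cluster_ca(b64_ca):
    """Decode the base64 CA bundle and write it to a temp file, or raise
    ValueError so the caller never ends up with an empty ssl_ca_cert file."""
    try:
        pem = base64.b64decode(b64_ca or "", validate=True)
    except binascii.Error as exc:
        raise ValueError("cluster CA is not valid base64") from exc
    if count_pem_certs(pem) == 0:
        raise ValueError("cluster CA contains no PEM certificate")
    fd, path = tempfile.mkstemp(suffix=".pem")  # readable by the owner only
    with os.fdopen(fd, "wb") as handle:
        handle.write(pem)
    return path


# Constructed sample: PEM framing around placeholder DER bytes, not a real CA.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(b"\x30\x82\x01\x0a" + bytes(40))
              + b"-----END CERTIFICATE-----\n")
SAMPLE_B64_CA = base64.b64encode(SAMPLE_PEM).decode()
```

The returned path is what would be assigned to `config.ssl_ca_cert`; remove the file once the client is no longer needed. A `ValueError` here should stop the program rather than lead to `verify_ssl = False`.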