Checking kubernetes pod CPU and memory - mem checking - 《IT_programmer》

问题
solution
end

import json
from kubernetes import client, config
config.kube_config.load_kube_config(config_file="./kubeconfig.yaml")
api_client = client.ApiClient()
namesapce = '???'
url = '/apis/metrics.k8s.io/v1beta1/namespaces/' + namesapce + '/pods'
ret_metrics = api_client.call_api(url, 'GET', auth_settings=['BearerToken'], response_type='json', _preload_content=False)
response = ret_metrics[0].data.decode('utf-8')
res = json.loads(response)
for i in res['items']:
    for j in i['containers']:
        ## j['name']   ## 'le-15ccaef4-b63d-4e23-ae0c-418ab706d23b'
        ## j['usage']['cpu']   ## '1434540n'
        print('## memory: ',j['usage']['memory'])   ## 'memory': '52308Ki'
## memory:  628128Ki
## memory:  6844156Ki
## memory:  52352Ki
## memory:  6208008Ki
podname = '?????'
url_pod = '/apis/metrics.k8s.io/v1beta1/namespaces/' + namesapce + '/pods/' + podname
ret_metric = api_client.call_api(url_pod, 'GET', auth_settings=['BearerToken'], response_type='json', _preload_content=False)
response = ret_metric[0].data.decode('utf-8')
res = json.loads(response)
for j in res['containers']:
    print('## memory: ',j['usage']['memory'])


_token="XXXX"
"""
## /etc/lico/kube_server.csv
##
#name,display_name,kube_cluster_addr,ingress_ctrl_addr,gpu_resource_name,prometheus_server
mykube,My k8s,https://10.240.208.162:6443,http://10.240.208.94:31484,nvidia.com/gpu,http://10.240.208.94:31893
"""
_pvc="zhouyj-pvc"
_namespace="zhouyj"
_job_name = "-e37d851f9b86"
_stateful_name = "e37d851f9b86"
_service_url="https://10.240.208.162:6443"
gpu_resource_name="nvidia.com/gpu"
from scheduler.adapter.kube.kuberesource.kube_client import KubeClient
from scheduler.adapter.scheduler_factory import create_kubernetes_scheduler
from client.auth.dataclass import RequireUserContext
from scheduler.adapter.kube.kube_config import SchedulerConfig as KubeConfig
_scheduler = create_kubernetes_scheduler(service_url=_service_url, namespace=_namespace, token=_token, pvc=_pvc, config=KubeConfig(gres_resource_dict={gpu_resource_name: "gpu"}))
_scheduler._kube_client.list_job_pods(_namespace, _job_name)
_scheduler._kube_client.list_stateful_pods(_namespace, _stateful_name)
_get_mem(_scheduler._kube_client.api_client, _namespace, )
# _kube_client = KubeClient(_token, _service_url)
# _kube_client.list_job_pods(_namespace, _job_name)
# _kube_client.list_stateful_pods(_namespace, _stateful_name)
def _get_mem(api_client, namesapce, podname):
    import json
    url_pod = '/apis/metrics.k8s.io/v1beta1/namespaces/' + namesapce + '/pods/' + podname
    ret_metric = api_client.call_api(url_pod, 'GET', auth_settings=['BearerToken'], response_type='json', _preload_content=False)
    response = ret_metric[0].data.decode('utf-8')
    res = json.loads(response)
    for j in res['containers']:
        # print('## memory: ',j['usage']['memory'])
        return j['usage']['memory']
_get_mem(_kube_client.api_client, _namespace, )
_service_url="https://10.240.208.162:6443"
_kube_client = KubeClient(_token, _service_url);_kube_client.list_job_pods(_namespace, _job_name)


_get_mem(_scheduler._kube_client.api_client, _namespace, 'e37d851f9b86-gfk2b')
/usr/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  InsecureRequestWarning)
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "<console>", line 4, in _get_mem
  File "/usr/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 353, in call_api
    _preload_content, _request_timeout, _host)
  File "/usr/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 184, in __call_api
    _request_timeout=_request_timeout)
  File "/usr/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 377, in request
    headers=headers)
  File "/usr/lib/python3.6/site-packages/kubernetes/client/rest.py", line 243, in GET
    query_params=query_params)
  File "/usr/lib/python3.6/site-packages/kubernetes/client/rest.py", line 233, in request
    raise ApiException(http_resp=r)
kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Sun, 25 Apr 2021 11:09:46 GMT', 'Content-Length': '438'})
HTTP response body: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods.metrics.k8s.io \\"8d73-e37d851f9b86-gfk2b\\" is forbidden: User \\"system:serviceaccount:zhou:default\\" cannot get resource \\"pods\\" in API group \\"metrics.k8s.io\\" in the namespace \\"zhou\\"","reason":"Forbidden","details":{"name":"e37d851f9b86-gfk2b","group":"metrics.k8s.io","kind":"pods"},"code":403}\n'
>>>

问题

is forbidden

[root@k8s-master k8s_api]# kubectl get apiservices
NAME                                   SERVICE                      AVAILABLE   AGE
v1.                                    Local                        True        75d
v1.admissionregistration.k8s.io        Local                        True        75d
v1.apiextensions.k8s.io                Local                        True        75d
v1.apps                                Local                        True        75d
v1.authentication.k8s.io               Local                        True        75d
v1.authorization.k8s.io                Local                        True        75d
v1.autoscaling                         Local                        True        75d
v1.batch                               Local                        True        75d
v1.certificates.k8s.io                 Local                        True        60d
v1.coordination.k8s.io                 Local                        True        75d
v1.events.k8s.io                       Local                        True        60d
v1.networking.k8s.io                   Local                        True        75d
v1.rbac.authorization.k8s.io           Local                        True        75d
v1.scheduling.k8s.io                   Local                        True        75d
v1.storage.k8s.io                      Local                        True        75d
v1beta1.admissionregistration.k8s.io   Local                        True        75d
v1beta1.apiextensions.k8s.io           Local                        True        75d
v1beta1.authentication.k8s.io          Local                        True        75d
v1beta1.authorization.k8s.io           Local                        True        75d
v1beta1.batch                          Local                        True        75d
v1beta1.certificates.k8s.io            Local                        True        75d
v1beta1.coordination.k8s.io            Local                        True        75d
v1beta1.discovery.k8s.io               Local                        True        75d
v1beta1.events.k8s.io                  Local                        True        75d
v1beta1.extensions                     Local                        True        75d
v1beta1.metrics.k8s.io                 kube-system/metrics-server   True        59d
v1beta1.networking.k8s.io              Local                        True        75d
v1beta1.node.k8s.io                    Local                        True        75d
v1beta1.policy                         Local                        True        75d
v1beta1.rbac.authorization.k8s.io      Local                        True        75d
v1beta1.scheduling.k8s.io              Local                        True        75d
v1beta1.storage.k8s.io                 Local                        True        75d
v2beta1.autoscaling                    Local                        True        75d
v2beta2.autoscaling                    Local                        True        75d
[root@k8s-master k8s_api]# kubectl get svc metrics-server  -n kube-system -o yaml > metrics-server.yaml
[root@k8s-master k8s_api]# cat metrics-server.yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"addonmanager.kubernetes.io/mode":"Reconcile","kubernetes.io/cluster-service":"true","kubernetes.io/name":"Metrics-server"},"name":"metrics-server","namespace":"kube-system"},"spec":{"ports":[{"nodePort":30731,"port":443,"protocol":"TCP","targetPort":"https"}],"selector":{"k8s-app":"metrics-server"},"type":"NodePort"}}
  creationTimestamp: "2021-02-25T03:27:04Z"
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/cluster-service: "true"
    kubernetes.io/name: Metrics-server
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
        f:labels:
          .: {}
          f:addonmanager.kubernetes.io/mode: {}
          f:kubernetes.io/cluster-service: {}
          f:kubernetes.io/name: {}
      f:spec:
        f:externalTrafficPolicy: {}
        f:ports:
          .: {}
          k:{"port":443,"protocol":"TCP"}:
            .: {}
            f:nodePort: {}
            f:port: {}
            f:protocol: {}
            f:targetPort: {}
        f:selector:
          .: {}
          f:k8s-app: {}
        f:sessionAffinity: {}
        f:type: {}
    manager: kubectl-client-side-apply
    operation: Update
    time: "2021-03-12T09:46:17Z"
  name: metrics-server
  namespace: kube-system
  resourceVersion: "6879542"
  selfLink: /api/v1/namespaces/kube-system/services/metrics-server
  uid: 1858e3f9-28fa-4583-be32-7d7948a0042c
spec:
  clusterIP: 10.1.77.113
  externalTrafficPolicy: Cluster
  ports:
  - nodePort: 30731
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    k8s-app: metrics-server
  sessionAffinity: None
  type: NodePort
status:
  loadBalancer: {}
[root@k8s-master k8s_api]# kubectl get  apiservices v1.batch -o yaml >  batch.yaml
[root@k8s-master k8s_api]# cat batch.yaml 
apiVersion: apiregistration.k8s.io/v1
kind: APIService
metadata:
  creationTimestamp: "2021-02-09T06:46:33Z"
  labels:
    kube-aggregator.kubernetes.io/automanaged: onstart
  name: v1.batch
  resourceVersion: "20"
  selfLink: /apis/apiregistration.k8s.io/v1/apiservices/v1.batch
  uid: 8bc5f1de-31b6-4d0e-92e4-cfd929f3827b
spec:
  group: batch
  groupPriorityMinimum: 17400
  version: v1
  versionPriority: 15
status:
  conditions:
  - lastTransitionTime: "2021-02-09T06:46:33Z"
    message: Local APIServices are always available
    reason: Local
    status: "True"
    type: Available
 [root@k8s-master k8s_api]# kubectl describe apiservices  v1beta1.metrics.k8s.io
Name:         v1beta1.metrics.k8s.io
Namespace:    
Labels:       addonmanager.kubernetes.io/mode=Reconcile
              kubernetes.io/cluster-service=true
Annotations:  <none>
API Version:  apiregistration.k8s.io/v1
Kind:         APIService
Metadata:
  Creation Timestamp:  2021-02-25T03:26:44Z
  Resource Version:    3510481
  Self Link:           /apis/apiregistration.k8s.io/v1/apiservices/v1beta1.metrics.k8s.io
  UID:                 e7718cf6-7ef2-41d5-979f-f0a74900f0d9
Spec:
  Group:                     metrics.k8s.io
  Group Priority Minimum:    100
  Insecure Skip TLS Verify:  true
  Service:
    Name:            metrics-server
    Namespace:       kube-system
    Port:            443
  Version:           v1beta1
  Version Priority:  100
Status:
  Conditions:
    Last Transition Time:  2021-02-25T05:58:09Z
    Message:               all checks passed
    Reason:                Passed
    Status:                True
    Type:                  Available
Events:                    <none>
[root@k8s-master k8s_api]# kubectl describe apiservices v1.batch
Name:         v1.batch
Namespace:    
Labels:       kube-aggregator.kubernetes.io/automanaged=onstart
Annotations:  <none>
API Version:  apiregistration.k8s.io/v1
Kind:         APIService
Metadata:
  Creation Timestamp:  2021-02-09T06:46:33Z
  Resource Version:    20
  Self Link:           /apis/apiregistration.k8s.io/v1/apiservices/v1.batch
  UID:                 8bc5f1de-31b6-4d0e-92e4-cfd929f3827b
Spec:
  Group:                   batch
  Group Priority Minimum:  17400
  Version:                 v1
  Version Priority:        15
Status:
  Conditions:
    Last Transition Time:  2021-02-09T06:46:33Z
    Message:               Local APIServices are always available
    Reason:                Local
    Status:                True
    Type:                  Available
Events:

solution

RABC 绑定


kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: metrics-reader
rules:
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["metrics.k8s.io"]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
subjects:
- kind: User
  name: system:serviceaccount:zhouyj:default
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: metrics-reader
  apiGroup: rbac.authorization.k8s.io
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: metrics-reader
rules:
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["metrics.k8s.io"]
  resources: ["nodes"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metrics-reader
subjects:
- kind: User
  name: system:serviceaccount:zhouyj:default
  apiGroup: rbac.authorization.k8s.io

end

参考： https://zhuanlan.zhihu.com/p/138995000