Kubernetes
Kubernetes pod running on Google Compute Engine cannot access the metadata service
I am trying to run the Google Cloud Python SDK from inside a k8 pod running on Google Compute Engine. There is a service account attached to the VM which allows it to access Secret Manager. I can access Secret Manager from the host, but running the Python SDK from the k8 pod complains that it cannot access the metadata service
>>> secret_id = 'unskript_test'
>>> name = client.secret_path(project_id, secret_id)
>>> response = client.get_secret(request={"name": name})
Traceback (most recent call last):
  File "/opt/conda/lib/python3.7/site-packages/google/api_core/grpc_helpers.py", line 67, in error_remapped_callable
    return callable_(*args, **kwargs)
  File "/opt/conda/lib/python3.7/site-packages/grpc/_channel.py", line 946, in __call__
    return _end_unary_response_blocking(state, call, False, None)
  File "/opt/conda/lib/python3.7/site-packages/grpc/_channel.py", line 849, in _end_unary_response_blocking
    raise _InactiveRpcError(state)
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
    status = StatusCode.UNAVAILABLE
    details = "Getting metadata from plugin failed with error: Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true from the Google Compute Enginemetadata service. Compute Engine Metadata server unavailable"
    debug_error_string = "{"created":"@1630634901.103779641","description":"Getting metadata from plugin failed with error: Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true from the Google Compute Enginemetadata service. Compute Engine Metadata server unavailable","file":"src/core/lib/security/credentials/plugin/plugin_credentials.cc","file_line":90,"grpc_status":14}"
>
metadata.google.internal cannot be resolved from the k8 pod
jovyan@jovyan-25ca6c8c-157d-49e5-9366-f9d57fcb7a9f:~$ wget http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true
--2021-09-03 02:11:19--  http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true
Resolving metadata.google.internal (metadata.google.internal)... failed: Name or service not known.
wget: unable to resolve host address ‘metadata.google.internal’
However, the host is able to resolve it
ubuntu@gcp-test-proxy:~$ wget http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true
--2021-09-03 02:11:27--  http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true
Resolving metadata.google.internal (metadata.google.internal)... 169.254.169.254
Connecting to metadata.google.internal (metadata.google.internal)|169.254.169.254|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2021-09-03 02:11:27 ERROR 403: Forbidden.
How do I get the pod to resolve metadata.google.internal?
This is because the Kubernetes pod cannot resolve the metadata.google.internal DNS name to the correct IP. Your host probably has an entry in /etc/hosts that hardcodes that domain to the IP 169.254.169.254. You should be able to replicate that in your Pod by modifying its /etc/hosts file. Keep in mind that this only works for VMs running on GCP. Outside of it, the IP address 169.254.169.254 is just another IP address with no special meaning.
Edit: I just checked /etc/hosts on one of my GCP VMs, and this is what I found:
$ cat /etc/hosts
127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
169.254.169.254 metadata.google.internal metadata
So, just try copying that last line into your pod's /etc/hosts.
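The /etc/hosts entry above can be given to the pod declaratively, as an added example that is not part of the original question or answer: kubelet generates the pod's /etc/hosts from spec.hostAliases, so an entry there survives container restarts, whereas a manual edit inside the container is overwritten. The pod name and busybox image are placeholders.

```yaml
# Added example (not from the original post): reproduce the host's
# "169.254.169.254 metadata.google.internal metadata" entry via hostAliases.
apiVersion: v1
kind: Pod
metadata:
  name: metadata-hosts-check   # placeholder name
spec:
  restartPolicy: Never
  hostAliases:
    - ip: "169.254.169.254"
      hostnames:
        - "metadata.google.internal"
        - "metadata"
  containers:
    - name: check
      image: busybox:1.36      # placeholder image; its wget supports --header
      command: ["/bin/sh", "-c"]
      args:
        - |
          # The metadata server answers 403 to requests without the
          # Metadata-Flavor header (the host's plain wget above hit exactly that),
          # so the check sends it. Success here means the pod now resolves the
          # name and reaches the server; it does not mean the pod has permission
          # to read a particular secret.
          wget -qO- --header 'Metadata-Flavor: Google' \
            'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true' \
            && echo "metadata server reachable from pod"
```

This only works on a GCP VM, as the answer notes; on any other host 169.254.169.254 is not a metadata server, and the pod then inherits whatever the VM's attached service account is allowed to do.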