Kubernetes

在Google計算引擎上執行的 kubernetes pod 無法訪問元數據服務

  • September 22, 2021

我正在嘗試從在Google計算引擎上執行的 k8 pod 內部執行Google云 python sdk。有一個附加到 VM 的服務帳戶,它允許它訪問密鑰管理器。我可以從主機訪問秘密管理器,但是從 k8 pod 執行 python sdk 抱怨無法訪問元數據服務

>>> secret_id = 'unskript_test'
>>> name = client.secret_path(project_id, secret_id)
>>> response = client.get_secret(request={"name": name})
Traceback (most recent call last):
 File "/opt/conda/lib/python3.7/site-packages/google/api_core/grpc_helpers.py", line 67, in error_remapped_callable
   return callable_(*args, **kwargs)
 File "/opt/conda/lib/python3.7/site-packages/grpc/_channel.py", line 946, in __call__
   return _end_unary_response_blocking(state, call, False, None)
 File "/opt/conda/lib/python3.7/site-packages/grpc/_channel.py", line 849, in _end_unary_response_blocking
   raise _InactiveRpcError(state)
grpc._channel._InactiveRpcError: <_InactiveRpcError of RPC that terminated with:
   status = StatusCode.UNAVAILABLE
   details = "Getting metadata from plugin failed with error: Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true from the Google Compute Enginemetadata service. Compute Engine Metadata server unavailable"
   debug_error_string = "{"created":"@1630634901.103779641","description":"Getting metadata from plugin failed with error: Failed to retrieve http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true from the Google Compute Enginemetadata service. Compute Engine Metadata server unavailable","file":"src/core/lib/security/credentials/plugin/plugin_credentials.cc","file_line":90,"grpc_status":14}"
>

metadata.google.internal 無法從 k8 pod 解析

jovyan@jovyan-25ca6c8c-157d-49e5-9366-f9d57fcb7a9f:~$ wget http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true
--2021-09-03 02:11:19--  http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true
Resolving metadata.google.internal (metadata.google.internal)... failed: Name or service not known.
wget: unable to resolve host address ‘metadata.google.internal’

但是,主機能夠解決它

ubuntu@gcp-test-proxy:~$ wget http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true
--2021-09-03 02:11:27--  http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/?recursive=true
Resolving metadata.google.internal (metadata.google.internal)... 169.254.169.254
Connecting to metadata.google.internal (metadata.google.internal)|169.254.169.254|:80... connected.
HTTP request sent, awaiting response... 403 Forbidden
2021-09-03 02:11:27 ERROR 403: Forbidden.

如何讓 pod 解析 metadata.google.internal?

這是由於 Kubernetes pod 無法將metadata.google.internalDNS 名稱解析為正確的 IP。您的主機可能有一個條目/etc/hosts將該域硬編碼為 IP:169.254.169.254。

您應該能夠通過修改其/etc/hosts文件在您的 Pod 中複製它。

請記住,這僅適用於在 GCP 上執行的虛擬機。在外面,IP地址169.254.169.254只是另一個沒有特殊含義的IP地址。

編輯:剛剛檢查了我的一個 GCP 虛擬機上的 /etc/hosts,這就是我發現的:

$ cat /etc/hosts
127.0.0.1 localhost

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
169.254.169.254 metadata.google.internal metadata

因此,只需嘗試將最後一行複製到您的 pods/etc/hosts中。

引用自:https://serverfault.com/questions/1076492