Python: Can't list pods with load_incluster_config()

Created on 22 Aug 2018  ·  2 Comments  ·  Source: kubernetes-client/python

I tried the following example inside a running pod to list pods:

from kubernetes import client, config

def main():
    config.load_incluster_config()
    v1 = client.CoreV1Api()
    print("Listing pods with their IPs:")
    ret = v1.list_pod_for_all_namespaces(watch=False)
    for i in ret.items:
        print("%s\t%s\t%s" %
              (i.status.pod_ip, i.metadata.namespace, i.metadata.name))

if __name__ == '__main__':
    main()

It reports the following error:

ret = v1.list_pod_for_all_namespaces(watch=False)
File "/usr/local/lib/python3.6/site-packages/kubernetes/client/apis/core_v1_api.py", line 13589, in list_pod_for_all_namespaces
(data) = self.list_pod_for_all_namespaces_with_http_info(**kwargs)
File "/usr/local/lib/python3.6/site-packages/kubernetes/client/apis/core_v1_api.py", line 13686, in list_pod_for_all_namespaces_with_http_info
collection_formats=collection_formats)
File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 321, in call_api
_return_http_data_only, collection_formats, _preload_content, _request_timeout)
File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 155, in __call_api
_request_timeout=_request_timeout)
File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 342, in request
headers=headers)
File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 231, in GET
query_params=query_params)
File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 222, in request
raise ApiException(http_resp=r)
kubernetes.client.rest.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Wed, 22 Aug 2018 07:56:15 GMT', 'Content-Length': '243'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:default:default\" cannot list pods at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}

I get the configuration settings, which are shown below:
host:https://172.21.0.1:443
api_key:{"authorization": "bearer "}
api_key_prefix:{}
username:
password:
verify_ssl:True
ssl_ca_cert:/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
safe_chars_for_path_param:

All 2 comments

Your cluster likely uses RBAC and your pod doesn't have enough permission to list pods in all namespaces. Try to apply these manifests to your cluster:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pods-list
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pods-list
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: pods-list
  apiGroup: rbac.authorization.k8s.io

More information: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
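
An added example, not part of the original thread or of the kubernetes-client project: it parses the 403 `Status` body shown in the traceback above and derives the smallest Role or ClusterRole, plus its binding, that would allow exactly the denied request. The names `parse_denial` and `minimal_grant`, and the handling of the `resource "..." in API group "..."` wording used by newer API servers, are assumptions of this example.

```python
import json
import re

# 403 response body copied from the traceback above.
FORBIDDEN_BODY = r'''{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:serviceaccount:default:default\" cannot list pods at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}'''

# Matches the wording on this page; the 'resource "..." in API group "..."'
# alternative is newer API server wording (assumption, not shown on the page).
DENIED = re.compile(
    r'User "system:serviceaccount:(?P<sa_ns>[^:"]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
    r'(?:resource "(?P<res_new>[^"]+)" in API group "(?P<group>[^"]*)"|(?P<res_old>\S+))'
    r'(?: at the cluster scope| in the namespace "(?P<ns>[^"]+)")'
)

def parse_denial(body):
    """Return who was denied what, or None if this is not a service-account 403."""
    status = json.loads(body)
    m = DENIED.search(status.get("message", ""))
    if status.get("code") != 403 or m is None:
        return None
    return {
        "service_account": m["sa"],
        "sa_namespace": m["sa_ns"],
        "verb": m["verb"],
        "resource": m["res_new"] or m["res_old"],
        "api_group": m["group"] or "",   # "" is the core API group
        "namespace": m["ns"],            # None means the request was cluster-scoped
    }

def minimal_grant(denial, name="pods-list"):
    """Build the narrowest role and binding that allow the denied request."""
    cluster = denial["namespace"] is None
    role_kind = "ClusterRole" if cluster else "Role"
    meta = {"name": name} if cluster else {"name": name, "namespace": denial["namespace"]}
    role = {"kind": role_kind, "apiVersion": "rbac.authorization.k8s.io/v1", "metadata": meta,
            "rules": [{"apiGroups": [denial["api_group"]],
                       "resources": [denial["resource"]], "verbs": [denial["verb"]]}]}
    binding = {"kind": role_kind + "Binding", "apiVersion": "rbac.authorization.k8s.io/v1",
               "metadata": dict(meta),
               "subjects": [{"kind": "ServiceAccount", "name": denial["service_account"],
                             "namespace": denial["sa_namespace"]}],
               "roleRef": {"kind": role_kind, "name": name,
                           "apiGroup": "rbac.authorization.k8s.io"}}
    return role, binding

if __name__ == "__main__":
    for doc in minimal_grant(parse_denial(FORBIDDEN_BODY)):
        print(json.dumps(doc, indent=2))  # same objects as the YAML manifests above
```

For the error on this page the result matches the manifests above. Because the subject is the `default` service account, the grant applies to every pod in that namespace that does not set its own service account; binding to a dedicated ServiceAccount keeps it narrower.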

@tomplus It works. Thank you very much.
