- What's New
- Function Overview
- Service Overview
- Billing
- Getting Started
- User Guide
- Best Practices
-
Developer Guide
- Overview
- Using Native kubectl (Recommended)
- Namespace and Network
- Pod
- Label
- Deployment
- EIPPool
- EIP
- Pod Resource Monitoring Metric
- Collecting Pod Logs
- Managing Network Access Through Service and Ingress
- Using PersistentVolumeClaim to Apply for Persistent Storage
- ConfigMap and Secret
- Creating a Workload Using Job and Cron Job
- YAML Syntax
-
API Reference
- Before You Start
- Calling APIs
- Getting Started
- Proprietary APIs
-
Kubernetes APIs
- ConfigMap
- Pod
- StorageClass
- Service
-
Deployment
- Querying All Deployments
- Deleting All Deployments in a Namespace
- Querying Deployments in a Namespace
- Creating a Deployment
- Deleting a Deployment
- Querying a Deployment
- Updating a Deployment
- Replacing a Deployment
- Querying the Scaling Operation of a Specified Deployment
- Updating the Scaling Operation of a Specified Deployment
- Replacing the Scaling Operation of a Specified Deployment
- Querying the Status of a Deployment
- Ingress
- OpenAPIv2
- VolcanoJob
- Namespace
- ClusterRole
- Secret
- Endpoint
- ResourceQuota
- CronJob
-
API groups
- Querying API Versions
- Querying All APIs of v1
- Querying an APIGroupList
- Querying APIGroup (/apis/apps)
- Querying APIs of apps/v1
- Querying an APIGroup (/apis/batch)
- Querying an APIGroup (/apis/batch.volcano.sh)
- Querying All APIs of batch.volcano.sh/v1alpha1
- Querying All APIs of batch/v1
- Querying All APIs of batch/v1beta1
- Querying an APIGroup (/apis/crd.yangtse.cni)
- Querying All APIs of crd.yangtse.cni/v1
- Querying an APIGroup (/apis/extensions)
- Querying All APIs of extensions/v1beta1
- Querying an APIGroup (/apis/metrics.k8s.io)
- Querying All APIs of metrics.k8s.io/v1beta1
- Querying an APIGroup (/apis/networking.cci.io)
- Querying All APIs of networking.cci.io/v1beta1
- Querying an APIGroup (/apis/rbac.authorization.k8s.io)
- Querying All APIs of rbac.authorization.k8s.io/v1
- Event
- PersistentVolumeClaim
- RoleBinding
- StatefulSet
- Job
- ReplicaSet
- Data Structure
- Permissions Policies and Supported Actions
- Appendix
- Out-of-Date APIs
- Change History
-
FAQs
- Product Consulting
-
Basic Concept FAQs
- What Is CCI?
- What Are the Differences Between Cloud Container Instance and Cloud Container Engine?
- What Is an Environment Variable?
- What Is a Service?
- What Is Mcore?
- What Are the Relationships Between Images, Containers, and Workloads?
- What Are Kata Containers?
- Can kubectl Be Used to Manage Container Instances?
- What Are Core-Hours in CCI Resource Packages?
- Workload Abnormalities
-
Container Workload FAQs
- Why Service Performance Does Not Meet the Expectation?
- How Do I Set the Quantity of Instances (Pods)?
- How Do I Check My Resource Quotas?
- How Do I Set Probes for a Workload?
- How Do I Configure an Auto Scaling Policy?
- What Do I Do If the Workload Created from the sample Image Fails to Run?
- How Do I View Pods After I Call the API to Delete a Deployment?
- Why an Error Is Reported When a GPU-Related Operation Is Performed on the Container Entered by Using exec?
- Can I Start a Container in Privileged Mode When Running the systemctl Command in a Container in a CCI Cluster?
- Why Does the Intel oneAPI Toolkit Fail to Run VASP Tasks Occasionally?
- Why Are Pods Evicted?
- Why Is the Workload Web-Terminal Not Displayed on the Console?
- Why Are Fees Continuously Deducted After I Delete a Workload?
-
Image Repository FAQs
- Can I Export Public Images?
- How Do I Create a Container Image?
- How Do I Upload Images?
- Does CCI Provide Base Container Images for Download?
- Does CCI Administrator Have the Permission to Upload Image Packages?
- What Permissions Are Required for Uploading Image Packages for CCI?
- What Do I Do If Authentication Is Required During Image Push?
-
Network Management FAQs
- How Do I View the VPC CIDR Block?
- Does CCI Support Load Balancing?
- How Do I Configure the DNS Service on CCI?
- Does CCI Support InfiniBand (IB) Networks?
- How Do I Access a Container from a Public Network?
- How Do I Access a Public Network from a Container?
- What Do I Do If Access to a Workload from a Public Network Fails?
- What Do I Do If Error 504 Is Reported When I Access a Workload?
- What Do I Do If the Connection Timed Out?
- Storage Management FAQs
- Log Collection
- Account
- SDK Reference
- Videos
- General Reference
Copied.
Using client-go to Access CCI
This section describes how to use cci-iam-authenticator (the CCI authentication tool) and Kubernetes client-go to call the APIs.
Installing cci-iam-authenticator
Download, install, and set cci-iam-authenticator by referring to Using Native kubectl (Recommended).
Installing Kubernetes client-go
For details, see Installing client-go.
- The Kubernetes version corresponding to CCI open APIs is 1.19. According to Compatibility: client-go <-> Kubernetes clusters, the recommended SDK version is k8s.io/client-go@kubernetes-1.19.0.
- The clusters used in CCI are shared clusters. All namespaces for the clusters and resources in these namespaces cannot be watched. Only resources in the specified namespace can be watched.
Using the Go SDK
The examples have been tested for the following versions:
- k8s.io/client-go@kubernetes-1.15.0
- k8s.io/client-go@kubernetes-1.16.0
- k8s.io/client-go@kubernetes-1.17.0
- k8s.io/client-go@kubernetes-1.18.0
- k8s.io/client-go@kubernetes-1.19.0
- k8s.io/client-go@kubernetes-1.20.0
import ( "fmt" "k8s.io/client-go/kubernetes" "k8s.io/client-go/tools/clientcmd" "k8s.io/client-go/tools/clientcmd/api" ) const ( apiVersion = "client.authentication.k8s.io/v1beta1" // CCI endpoint: https://developer.huaweicloud.com/intl/en-us/endpoint cciEndpoint = "<For example, https://cci.cn-north-4.myhuaweicloud.com indicates CN North-Beijing4.>" // IAM endpoint: https://developer.huaweicloud.com/intl/en-us/endpoint iamEndpoint = "<For example, https://iam.cn-north-4.myhuaweicloud.com for CN North-Beijing4>" // Regions and endpoint: https://developer.huaweicloud.com/intl/en-us/endpoint projectName = "<Example: cn-north-4 indicates CN North-Beijing4.>" ) // userName, domainName, and password indicate the username, account name, and password used for authentication. Keep the username, account name, and password secure. var userName, domainName, password string // NewClient indicates creating a Clientset using the username/password. func NewClient() (*kubernetes.Clientset, error) { config, err := clientcmd.BuildConfigFromFlags(cciEndpoint, "") if err != nil { return nil, err } var optionArgs []string optionArgs = append(optionArgs, fmt.Sprintf("--iam-endpoint=%s", iamEndpoint)) optionArgs = append(optionArgs, fmt.Sprintf("--project-name=%s", projectName)) optionArgs = append(optionArgs, fmt.Sprintf("--token-only=false")) optionArgs = append(optionArgs, fmt.Sprintf("--domain-name=%s", domainName)) optionArgs = append(optionArgs, fmt.Sprintf("--user-name=%s", userName)) optionArgs = append(optionArgs, fmt.Sprintf("--password=%s", password)) config.ExecProvider = &api.ExecConfig{ Command: "cci-iam-authenticator", APIVersion: apiVersion, Args: append([]string{"token"}, optionArgs...), Env: make([]api.ExecEnvVar, 0), } return kubernetes.NewForConfig(config) }
Using an AK/SK for authentication:
import ( "fmt" "k8s.io/client-go/kubernetes" "k8s.io/client-go/tools/clientcmd" "k8s.io/client-go/tools/clientcmd/api" ) const ( apiVersion = "client.authentication.k8s.io/v1beta1" // CCI endpoint: https://developer.huaweicloud.com/intl/en-us/endpoint cciEndpoint = "<For example, https://cci.cn-north-4.myhuaweicloud.com indicates CN North-Beijing4.>" // IAM endpoint: https://developer.huaweicloud.com/intl/en-us/endpoint iamEndpoint = "<For example, https://iam.cn-north-4.myhuaweicloud.com for CN North-Beijing4>" // Regions and endpoint: https://developer.huaweicloud.com/intl/en-us/endpoint projectName = "<Example: cn-north-4 indicates CN North-Beijing4.>" ) // Obtaining an AK/SK. Refer to https://support.huaweicloud.com/intl/en-us/devg-cci/cci_kubectl_01.html#cci_kubectl_01__section17023744719. // ak and sk indicate the user's AK and SK used for authentication. The AK and SK need to be transferred by the user. Exercise caution when using them. var ak, sk string // NewClient indicates creating a Clientset through AK/SK authentication. func NewClient() (*kubernetes.Clientset, error) { config, err := clientcmd.BuildConfigFromFlags(cciEndpoint, "") if err != nil { return nil, err } var optionArgs []string optionArgs = append(optionArgs, fmt.Sprintf("--iam-endpoint=%s", iamEndpoint)) optionArgs = append(optionArgs, fmt.Sprintf("--project-name=%s", projectName)) optionArgs = append(optionArgs, fmt.Sprintf("--token-only=false")) optionArgs = append(optionArgs, fmt.Sprintf("--ak=%s", ak)) optionArgs = append(optionArgs, fmt.Sprintf("--sk=%s", sk)) config.ExecProvider = &api.ExecConfig{ Command: "cci-iam-authenticator", APIVersion: apiVersion, Args: append([]string{"token"}, optionArgs...), Env: make([]api.ExecEnvVar, 0), } return kubernetes.NewForConfig(config) }
The following example shows how to generate the kubeconfig file for authentication configuration. For details, see the generate-kubeconfig subcommand in cci-iam-authenticator Usage Reference.
import ( "k8s.io/client-go/kubernetes" "k8s.io/client-go/tools/clientcmd" ) // NewClient indicates creating a Clientset using the kubeconfig file. // The kubeconfig file must contain authentication information. For details, see "cci-iam-authenticator Usage Reference" at https://support.huaweicloud.com/intl/en-us/devg-cci/cci_kubectl_03.html. func NewClient() (*kubernetes.Clientset, error) { config, err := clientcmd.BuildConfigFromFlags("", "/path/to/kubeconfig") if err != nil { return nil, err } return kubernetes.NewForConfig(config) }
FAQ
Question: In the preceding examples, is the request result code 401 returned?
Answer: Generally, if the password or AK/SK is correctly configured, a mechanism provided by client-go for periodically calling cci-iam-authenticator to update the token can ensure that the token does not expire (the validity period of the token is 24 hours) and avoid returning code 401. For details, see https://github.com/kubernetes/client-go/blob/master/plugin/pkg/client/auth/exec/exec.go.
However, if the account permissions are changed, the token may also become invalid and the code 401 may be returned.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot