kubernetes python3.5 SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",) - PullRequest
0 votes
/ August 28, 2018

I followed the examples:

from kubernetes import client, config

config.load_kube_config()

v1 = client.CoreV1Api()
print("Listing pods with their IPs:")
ret = v1.list_pod_for_all_namespaces(watch=False)
for i in ret.items:
    print("%s\t%s\t%s" % (i.status.pod_ip, i.metadata.namespace, i.metadata.name))

But this error always appears:

2018-08-28 23:03:48,818 WARNING Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),)': /api/v1/pods?watch=False

...omit some retry logs

Traceback (most recent call last):
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/contrib/pyopenssl.py", line 444, in wrap_socket
    cnx.do_handshake()
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/OpenSSL/SSL.py", line 1907, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/OpenSSL/SSL.py", line 1639, in _raise_ssl_error
    _raise_current_error()
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/connectionpool.py", line 849, in _validate_conn
    conn.connect()
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/connection.py", line 356, in connect
    ssl_context=context)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/util/ssl_.py", line 372, in ssl_wrap_socket
    return context.wrap_socket(sock)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/contrib/pyopenssl.py", line 450, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/kubernetes/client/apis/core_v1_api.py", line 13608, in list_pod_for_all_namespaces
    (data) = self.list_pod_for_all_namespaces_with_http_info(**kwargs)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/kubernetes/client/apis/core_v1_api.py", line 13705, in list_pod_for_all_namespaces_with_http_info
    collection_formats=collection_formats)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/kubernetes/client/api_client.py", line 321, in call_api
    _return_http_data_only, collection_formats, _preload_content, _request_timeout)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/kubernetes/client/api_client.py", line 155, in __call_api
    _request_timeout=_request_timeout)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/kubernetes/client/api_client.py", line 342, in request
    headers=headers)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/kubernetes/client/rest.py", line 231, in GET
    query_params=query_params)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/kubernetes/client/rest.py", line 205, in request
    headers=headers)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/request.py", line 68, in request
    **urlopen_kw)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/request.py", line 89, in request_encode_url
    return self.urlopen(method, url, **extra_kw)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/poolmanager.py", line 322, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/connectionpool.py", line 667, in urlopen
    **response_kw)
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/Users/maxpeng/.pyenv/versions/3.5.0/lib/python3.5/site-packages/urllib3/util/retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='xx.xx.xx.xx', port=xxxx): Max retries exceeded with url: /api/v1/pods?watch=False (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

Mac OSX 10.13.6

kubectl version

Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.2", GitCommit:"bb9ffb1654d4a729bb4cec18ff088eacc153c239", GitTreeState:"clean", BuildDate:"2018-08-08T16:31:10Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"darwin/amd64"}

Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.4", GitCommit:"5ca598b4ba5abb89bb773071ce452e33fb66339d", GitTreeState:"clean", BuildDate:"2018-06-06T08:00:59Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

pip list

| Package | Version |
| --- | --- |
| certifi | 2018.8.24 |
| kubernetes | 7.0.0 |

...... omit other dependencies

P.S. I tried the solution here: http://www.cdotson.com/2017/01/sslerror-with-python-3-6-x-on-macos-sierra/. But no luck.

1 Answer

0 votes
/ August 28, 2018

It looks like the problem is that the client script cannot find / accept / verify the certificate. Setting the certificate location directly from the script is probably the most viable way to resolve it:

from kubernetes import client
from kubernetes.client import Configuration, ApiClient

config = Configuration()
config.api_key = {'authorization': 'Bearer <api_key>'}
config.host = 'https://my-kubernetes-cluster'
config.ssl_ca_cert = "/path/to/ca_chain.crt"

api_client = ApiClient(configuration=config)
v1 = client.CoreV1Api(api_client)

v1.list_pod_for_all_namespaces(watch=False)

You can also set this directly in .kube/config:

apiVersion: v1
clusters:
- cluster:
    api-version: v1
    certificate-authority: /path/to/ca_chain.crt
    server: "https://my-kubernetes-cluster"
    ...

The last option is to skip verification (not recommended, since it defeats the purpose of SSL):

v1 = client.CoreV1Api()
v1.api_client.configuration.verify_ssl = False 

Additional information:

https://github.com/kubernetes-client/python/issues/521

How to specify a CA bundle in the kubernetes Python client

...
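Added example (not part of the original answer and not the kubernetes client's own code): a standard-library check over a parsed kubeconfig that reports, per cluster, whether trust comes from `certificate-authority`, from `certificate-authority-data`, from nothing at all (the situation that ends in `certificate verify failed` for a private cluster CA), or is bypassed with `insecure-skip-tls-verify`. The function names, status labels and sample data are assumptions made for this illustration.

```python
import base64
import os

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def _count_certs(blob, source):
    """Report how many PEM certificates a CA blob holds."""
    n = blob.count(PEM_MARKER)
    if n == 0:
        return ("BROKEN", source + " contains no PEM certificate")
    return ("OK", "%d CA certificate(s) from %s" % (n, source))


def audit_cluster_tls(cluster):
    """Classify how one kubeconfig `cluster` mapping establishes trust."""
    if cluster.get("insecure-skip-tls-verify"):
        return ("INSECURE", "server certificate is not verified")
    data = cluster.get("certificate-authority-data")
    if data:
        try:
            return _count_certs(base64.b64decode(data, validate=True), "inline data")
        except ValueError:  # binascii.Error is a ValueError subclass
            return ("BROKEN", "certificate-authority-data is not valid base64")
    path = cluster.get("certificate-authority")
    if path:
        path = os.path.expanduser(path)
        if not os.path.isfile(path):
            return ("BROKEN", "CA file not found: " + path)
        with open(path, "rb") as fh:
            return _count_certs(fh.read(), path)
    return ("NO_CA", "no cluster CA; a private CA fails 'certificate verify failed'")


def audit_kubeconfig(kubeconfig):
    """Map cluster name -> (status, detail) for a parsed kubeconfig dict."""
    return {entry.get("name"): audit_cluster_tls(entry.get("cluster") or {})
            for entry in kubeconfig.get("clusters") or []}


# Constructed sample: a kubeconfig as yaml.safe_load would return it.
# The inline "certificate" is a placeholder, not a real one.
FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n"
SAMPLE = {"clusters": [
    {"name": "no-ca", "cluster": {"server": "https://my-kubernetes-cluster"}},
    {"name": "inline", "cluster": {"certificate-authority-data": base64.b64encode(FAKE_PEM).decode()}},
    {"name": "bad-path", "cluster": {"certificate-authority": "/nonexistent/ca_chain.crt"}},
    {"name": "skip", "cluster": {"insecure-skip-tls-verify": True}},
]}

if __name__ == "__main__":
    for name, (status, detail) in audit_kubeconfig(SAMPLE).items():
        print("%-9s %-8s %s" % (name, status, detail))
```

The check only confirms that a CA source is present and PEM-shaped; whether that CA actually issued the API server's certificate is still decided during the TLS handshake.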