api
[!NOTE] There are several different proxies you may encounter when using Kubernetes:
The kubectl proxy:
runs on a user's desktop or in a pod
proxies from a localhost address to the Kubernetes apiserver
client to proxy uses HTTP
proxy to apiserver uses HTTPS
locates apiserver
adds authentication headers
- The apiserver proxy: - is a bastion built into the apiserver - connects a user outside of the cluster to cluster IPs which otherwise might not be reachable - runs in the apiserver processes - client to proxy uses HTTPS (or http if apiserver so configured) - proxy to target may use HTTP or HTTPS as chosen by proxy using available information - can be used to reach a Node, Pod, or Service - does load balancing when used to reach a Service
- The kube proxy: - runs on each node - proxies UDP and TCP - does not understand HTTP - provides load balancing - is only used to reach services
- A Proxy/Load-balancer in front of apiserver(s): - existence and implementation varies from cluster to cluster (e.g. nginx) - sits between all clients and one or more apiservers - acts as load balancer if there are several apiservers.
- Cloud Load Balancers on external services: - are provided by some cloud providers (e.g. AWS ELB, Google Cloud Load Balancer) - are created automatically when the Kubernetes service has type LoadBalancer - use UDP/TCP only - implementation varies by cloud provider.

[!NOTE|label:tips:]
get server
$ server=$(kubectl config view -ojsonpath="{.clusters[*].cluster.server}")
get default sa name
$ name=$(kubectl get sa -n default default -ojsonpath="{.secrets[].name}")
get token
$ token=$(kubectl get secrets -n default $(kubectl get sa -n default default -ojsonpath="{.secrets[].name}") -o jsonpath="{.data.token}" | base64 -d)
get cacert
$ cacert=$(kubectl config view --raw -ojsonpath="{.clusters[].cluster.certificate-authority-data}" | base64 -d)
-H "Authorization: Bearer $token"
API path
$ ${server}/api/
acess cluster
$ APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
# or get via cluster name of `kubernetes-staging`
$ APISERVER=$(kubectl config view -o jsonpath='{.clusters[?(@.name == "kubernetes-staging")].cluster.server}')
$ TOKEN=$(kubectl get secret default-token -o jsonpath='{.data.token}' | base64 --decode)
$ curl ${APISERVER}/api --header "Authorization: Bearer ${TOKEN}" --insecure
or
$ APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ") # or via jsonpath $ APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}') # or get via cluster name of `kubernetes-staging` $ APISERVER=$(kubectl config view -o jsonpath='{.clusters[?(@.name == "kubernetes-staging")].cluster.server}') $ TOKEN=$(kubectl describe secret default-token | grep -E '^token' | cut -f2 -d':' | tr -d " ") $ curl ${APISERVER}/api --header "Authorization: Bearer ${TOKEN}" --insecure { "kind": "APIVersions", "versions": [ "v1" ], "serverAddressByClientCIDRs": [ { "clientCIDR": "0.0.0.0/0", "serverAddress": "<master.ip>:6443" } ] }
$ curl --include \
--cacert <(kubectl config view --raw -ojsonpath="{.clusters[].cluster.certificate-authority-data}" | base64 -d) \
${server}/api/ -H "Authorization: Bearer $token"
Last updated
Was this helpful?