# api

* [access cluster](#access-cluster)
  * [access cluster with cacert](#access-cluster-with-cacert)

{% hint style="info" %}

> references:
>
> * [\* Kubernetes API](https://kubernetes.io/docs/reference/kubernetes-api/)
> * [\* Access Clusters Using the Kubernetes API](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/)
> * [The Kubernetes API](https://kubernetes.io/docs/concepts/overview/kubernetes-api/)
> * [The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://datatracker.ietf.org/doc/html/rfc6750)
> * [\* How to Access Kubernetes API Server](https://blog.codefarm.me/2021/12/18/access-kubernetes/)
> * [\* Access Kubernetes API with Client Certificates](https://blog.codefarm.me/2019/02/01/access-kubernetes-api-with-client-certificates/)
> * [\* Interacting directly with the API](https://kubebyexample.com/learning-paths/operator-framework/kubernetes-api-fundamentals/interacting-directly-api)
> * [\* Kubernetes API Basics - Resources, Kinds, and Objects](https://iximiuz.com/en/posts/kubernetes-api-structure-and-terminology/)
> * [Accessing Clusters](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/)
> * [\* one-page api reference for kubernetes v1.24](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/)
> * [\* API Access Control](https://kubernetes.io/docs/reference/access-authn-authz/)
> * [using api](https://kubernetes.io/docs/reference/using-api/)
> * [customizing components with the kubeadm api](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/)
>   * [workload resources](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/)
>     * Pod
>     * PodTemplate
>     * ReplicationController
>     * ReplicaSet
>     * Deployment
>     * StatefulSet
>     * ControllerRevision
>     * DaemonSet
>     * Job
>     * CronJob
>     * HorizontalPodAutoscaler
>     * PriorityClass
>   * [service resources](https://kubernetes.io/docs/reference/kubernetes-api/service-resources/)
>     * Service
>     * Endpoints
>     * EndpointSlice
>     * Ingress
>     * IngressClass
>   * [config and storage resources](https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/)
>   * [authentication resources](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/)
>   * [authorization resources](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/)
>   * [policy resources](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/)
>   * [cluster resources](https://kubernetes.io/docs/reference/kubernetes-api/cluster-resources/)
>     * Node
>     * Namespace
>     * Event
>     * APIService
>     * Lease
>     * RuntimeClass
>     * FlowSchema v1beta2
>     * PriorityLevelConfiguration v1beta2
>     * Binding
>     * ComponentStatus
>   * [common definitions](https://kubernetes.io/docs/reference/kubernetes-api/common-definitions/)

{% endhint %}

> \[!NOTE] There are several different proxies you may encounter when using Kubernetes:
>
> * The kubectl proxy:
>   * runs on a user's desktop or in a pod
>   * proxies from a localhost address to the Kubernetes apiserver
>   * client to proxy uses HTTP
>   * proxy to apiserver uses HTTPS
>   * locates apiserver
>   * adds authentication headers
> * The apiserver proxy:
>   * is a bastion built into the apiserver
>   * connects a user outside of the cluster to cluster IPs which otherwise might not be reachable
>   * runs in the apiserver processes
>   * client to proxy uses HTTPS (or HTTP if apiserver so configured)
>   * proxy to target may use HTTP or HTTPS as chosen by proxy using available information
>   * can be used to reach a Node, Pod, or Service
>   * does load balancing when used to reach a Service
> * The kube proxy:
>   * runs on each node
>   * proxies UDP and TCP
>   * does not understand HTTP
>   * provides load balancing
>   * is only used to reach services
> * A Proxy/Load-balancer in front of apiserver(s):
>   * existence and implementation varies from cluster to cluster (e.g. nginx)
>   * sits between all clients and one or more apiservers
>   * acts as load balancer if there are several apiservers
> * Cloud Load Balancers on external services:
>   * are provided by some cloud providers (e.g. AWS ELB, Google Cloud Load Balancer)
>   * are created automatically when the Kubernetes service has type LoadBalancer
>   * use UDP/TCP only
>   * implementation varies by cloud provider

![kubernetes API structure](/files/GpVaGZCukTtzqbhiMBLC)

> \[!NOTE|label:tips:]
>
> * get server
>
>   ```bash
>   # --minify limits the output to the current context; without it a multi-cluster kubeconfig returns every server
>   $ server=$(kubectl config view --minify -ojsonpath="{.clusters[*].cluster.server}")
>   ```
> * get default sa token secret name
>
>   ```bash
>   # only populated on clusters older than v1.24: since v1.24 a ServiceAccount no longer gets an auto-generated token Secret
>   $ name=$(kubectl get sa -n default default -ojsonpath="{.secrets[*].name}")
>   ```
> * get token
>
>   ```bash
>   # legacy secret-based token (never expires); on v1.24+ use `kubectl create token default` for a short-lived bound token instead
>   $ token=$(kubectl get secrets -n default $(kubectl get sa -n default default -ojsonpath="{.secrets[*].name}") -o jsonpath="{.data.token}" | base64 -d)
>   ```
> * get cacert
>
>   ```bash
>   # --raw is required, otherwise certificate-authority-data is redacted as DATA+OMITTED
>   $ cacert=$(kubectl config view --raw --minify -ojsonpath="{.clusters[*].cluster.certificate-authority-data}" | base64 -d)
>   ```
> * [curl header (RFC 6750 bearer token)](https://datatracker.ietf.org/doc/html/rfc6750)
>
>   ```bash
>   -H "Authorization: Bearer $token"
>   ```
> * API path
>
>   ```bash
>   ${server}/api/
>   ```

### access cluster

```bash
$ APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
# or get via cluster name of `kubernetes-staging`
$ APISERVER=$(kubectl config view -o jsonpath='{.clusters[?(@.name == "kubernetes-staging")].cluster.server}')

# `default-token` is a Secret of type kubernetes.io/service-account-token annotated for the `default` ServiceAccount.
# It must already exist: on v1.24+ it is not auto-created, and `kubectl create token default` mints a short-lived token instead.
$ TOKEN=$(kubectl get secret default-token -o jsonpath='{.data.token}' | base64 --decode)
# --insecure disables TLS verification of the API server, so the token can be captured by anyone who can intercept the connection;
# prefer --cacert with the cluster CA (see "access cluster with cacert" below)
$ curl ${APISERVER}/api --header "Authorization: Bearer ${TOKEN}" --insecure
```

* or

  ```bash
  $ APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
  # or via jsonpath
  $ APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  # or get via cluster name of `kubernetes-staging`
  $ APISERVER=$(kubectl config view -o jsonpath='{.clusters[?(@.name == "kubernetes-staging")].cluster.server}')

  $ TOKEN=$(kubectl describe secret default-token | grep -E '^token' | cut -f2 -d':' | tr -d " ")
  $ curl ${APISERVER}/api --header "Authorization: Bearer ${TOKEN}" --insecure
  {
    "kind": "APIVersions",
    "versions": [
      "v1"
    ],
    "serverAddressByClientCIDRs": [
      {
        "clientCIDR": "0.0.0.0/0",
        "serverAddress": "<master.ip>:6443"
      }
    ]
  }
  ```

#### [access cluster with cacert](https://blog.codefarm.me/2021/12/18/access-kubernetes/)

```bash
# --raw is required because `kubectl config view` redacts certificate-authority-data by default;
# --minify restricts the output to the current context's cluster so exactly one CA is decoded.
# The <( ... ) process substitution is bash-only; if the kubeconfig uses `certificate-authority: <file>`
# instead of inline data, pass that file to --cacert directly.
$ curl --include \
       --cacert <(kubectl config view --raw --minify -ojsonpath="{.clusters[0].cluster.certificate-authority-data}" | base64 -d) \
       ${server}/api/ -H "Authorization: Bearer $token"
```
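
Putting the tips and the two access sections together, here is an added example (not from the original page, the Kubernetes documentation or the linked blog posts) of how a practitioner would actually issue such a request: decode the token's claims first to confirm which service account you are about to act as and whether a bound token has expired, pin the cluster CA with `--cacert` instead of `--insecure`, and pass the bearer token to curl through a 0600 header file so it never appears in `ps` output. It assumes bash, curl 7.55 or newer (for `-H @file`) and `base64`/`sed` from coreutils; the API server address `https://10.0.0.1:6443`, both sample tokens (fake signatures) and the placeholder CA file are constructed for the demo and did not come from any cluster.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): send a direct API-server request
# from the $server / $token / $cacert values collected above, safely.
# Only coreutils, sed and curl are used; kubectl is not required to run it.

# base64url (as used by JWTs) differs from base64: '-_' alphabet, no '=' padding.
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base64 -d
}

# Decode the JWT payload (middle segment). This does NOT verify the signature;
# only the API server can do that. It only tells you what you are holding.
jwt_claims() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# jwt_claim <token> <name>: one top-level string or integer claim, without jq.
jwt_claim() {
  jwt_claims "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# Succeeds when the token carries an exp claim that has already passed.
# Legacy secret-based tokens (what the `default-token` commands above return)
# have no exp at all: they never expire, which is why bound tokens replaced them.
jwt_expired() {
  local exp
  exp=$(jwt_claim "$1" exp)
  [ -n "$exp" ] && [ "$exp" -le "$(date +%s)" ]
}

# k8s_api_get <server> <token> <ca.pem> [path]    (default path: /api/)
# Set K8S_DRY_RUN=1 to print the curl command instead of executing it.
k8s_api_get() {
  local server="$1" token="$2" ca="$3" path="${4:-/api/}" hdr rc
  case "$server" in
    https://*) ;;
    *) echo "refusing non-TLS server URL: $server" >&2; return 1 ;;
  esac
  [ -r "$ca" ] || { echo "CA bundle not readable: $ca" >&2; return 1; }
  if jwt_expired "$token"; then
    echo "token expired at $(jwt_claim "$token" exp); mint a new one" >&2
    return 1
  fi
  # The header goes into a private file (curl -H @file) so the token is not
  # visible to other local users via `ps` or /proc/<pid>/cmdline.
  hdr=$(mktemp) || return 1
  chmod 600 "$hdr"
  printf 'Authorization: Bearer %s\n' "$token" >"$hdr"
  set -- --silent --show-error --cacert "$ca" -H "@$hdr" "${server%/}$path"
  if [ -n "${K8S_DRY_RUN:-}" ]; then
    printf 'curl %s\n' "$*"    # safe to print: the token lives in $hdr, not in argv
  else
    curl "$@"
  fi
  rc=$?
  rm -f "$hdr"
  return $rc
}

# ---- constructed sample data (fake signatures; nothing below came from a cluster)
# A bound token for default/default that expired at Unix time 1700000000.
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":"demo"}').$(b64url_encode '{"iss":"https://kubernetes.default.svc.cluster.local","sub":"system:serviceaccount:default:default","exp":1700000000}').c2ln"
# A legacy secret-based token for the same account: same subject, no exp claim.
LEGACY_TOKEN="$(b64url_encode '{"alg":"RS256","kid":"demo"}').$(b64url_encode '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:default"}').c2ln"

# Demo (dry run). Against a real cluster, drop K8S_DRY_RUN and pass "$server",
# "$token" and a file holding the decoded certificate-authority-data.
demo_ca=$(mktemp); echo "placeholder, not a real certificate" >"$demo_ca"
echo "acting as: $(jwt_claim "$LEGACY_TOKEN" sub)"
K8S_DRY_RUN=1 k8s_api_get https://10.0.0.1:6443 "$LEGACY_TOKEN" "$demo_ca"
K8S_DRY_RUN=1 k8s_api_get https://10.0.0.1:6443 "$SAMPLE_TOKEN" "$demo_ca" || echo "(expired token rejected as expected)"
rm -f "$demo_ca"
```

The dry run prints `curl --silent --show-error --cacert <ca> -H @<hdr> https://10.0.0.1:6443/api/`; the token itself never appears there. Reading the `sub` claim is a cheap pre-flight check that the secret you pulled really belongs to the account you intended, but it is not authentication: the signature is only checked by the API server, and an attacker-controlled token would decode just as cleanly.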

