api

references:

[!NOTE] There are several different proxies you may encounter when using Kubernetes:

  • The kubectl proxy:

    • runs on a user's desktop or in a pod

    • proxies from a localhost address to the Kubernetes apiserver

    • client to proxy uses HTTP

    • proxy to apiserver uses HTTPS

    • locates apiserver

    • adds authentication headers

- The apiserver proxy: - is a bastion built into the apiserver - connects a user outside of the cluster to cluster IPs which otherwise might not be reachable - runs in the apiserver processes - client to proxy uses HTTPS (or http if apiserver so configured) - proxy to target may use HTTP or HTTPS as chosen by proxy using available information - can be used to reach a Node, Pod, or Service - does load balancing when used to reach a Service

- The kube proxy: - runs on each node - proxies UDP and TCP - does not understand HTTP - provides load balancing - is only used to reach services

- A Proxy/Load-balancer in front of apiserver(s): - existence and implementation varies from cluster to cluster (e.g. nginx) - sits between all clients and one or more apiservers - acts as load balancer if there are several apiservers.

- Cloud Load Balancers on external services: - are provided by some cloud providers (e.g. AWS ELB, Google Cloud Load Balancer) - are created automatically when the Kubernetes service has type LoadBalancer - use UDP/TCP only - implementation varies by cloud provider.

kubernetes API structure

[!NOTE|label:tips:]

  • get server

    $ server=$(kubectl config view -ojsonpath="{.clusters[*].cluster.server}")

  • get default sa name

    $ name=$(kubectl get sa -n default default -ojsonpath="{.secrets[].name}")

  • get token

    $ token=$(kubectl get secrets -n default $(kubectl get sa -n default default -ojsonpath="{.secrets[].name}") -o jsonpath="{.data.token}" | base64 -d)

  • get cacert

    $ cacert=$(kubectl config view --raw -ojsonpath="{.clusters[].cluster.certificate-authority-data}" | base64 -d)

  • curl HEAD

    -H "Authorization: Bearer $token"

  • API path

    $ ${server}/api/

acess cluster

$ APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
# or get via cluster name of `kubernetes-staging`
$ APISERVER=$(kubectl config view -o jsonpath='{.clusters[?(@.name == "kubernetes-staging")].cluster.server}')

$ TOKEN=$(kubectl get secret default-token -o jsonpath='{.data.token}' | base64 --decode)
$ curl ${APISERVER}/api --header "Authorization: Bearer ${TOKEN}" --insecure

  • or

    $ APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
# or via jsonpath
$ APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
# or get via cluster name of `kubernetes-staging`
$ APISERVER=$(kubectl config view -o jsonpath='{.clusters[?(@.name == "kubernetes-staging")].cluster.server}')

$ TOKEN=$(kubectl describe secret default-token | grep -E '^token' | cut -f2 -d':' | tr -d " ")
$ curl ${APISERVER}/api --header "Authorization: Bearer ${TOKEN}" --insecure
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "<master.ip>:6443"
    }
  ]
}

access cluster with cacert

$ curl --include \
       --cacert <(kubectl config view --raw -ojsonpath="{.clusters[].cluster.certificate-authority-data}" | base64 -d) \
       ${server}/api/ -H "Authorization: Bearer $token"
PreviousauthNexttools

Last updated

Was this helpful?