K8S API 介绍调用、使用介绍。
介绍
认证参考:Kubernetes 认证介绍
Client
–> kube-apiserver
认证字段:
- user: username, uid
- group
- extra
- API
- Request path:
- Object URL
/apis/<GROUP>/<VERSION>/namespaces/<NAMESPACE_NAME>/<KIND>[/|OBJECT_ID]
- e.g
https://<kube-master>:6443/apis/apps/v1/namespaces/default/deployment/hello-app/
- HTTP Request Method/Verb,Rest API 接口,提供如下功能:
- GET
- POST
- PUT
- PATCH
- DELETE
- DELETECOLLECTION
- LIST
- CREATE
- UPDATE
- Watch : websocket 流代理
- HTTP Redirect
- HTTP Proxy
- Resource
- SubResource
- Namespace
- API Group
default 名称空间 kubernetes svc 介绍
$ kubectl describe svc kubernetes
Name: kubernetes
Namespace: default
Labels: component=apiserver
provider=kubernetes
Annotations: <none>
Selector: <none>
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.96.0.1
IPs: 10.96.0.1
Port: https 443/TCP
TargetPort: 6443/TCP
Endpoints: 172.20.0.81:6443
Session Affinity: None
Events: <none>
它代理了控制节点的 Endpoints: 172.20.0.81:6443
扩展
- Open Policy Agent(OPA) 是一种开源的通用策略引擎,可在整个堆栈中实现统一、上下文感知的策略控制。
SPIFFE(Secure Production Identity Framework for Everyone, 每个人的安全生产身份框架)
是一套开源标准,用于在动态和异构环境中安全地进行身份识别。
API 代理
命令行方式
kubectl get --raw /apis/ | jq .
代理方式
$ kubectl proxy --port=8080
$ curl http://localhost:8080/api/v1/namespaces
$ kubectl -v=9 proxy --port=8080 --address='172.20.0.81' --disable-filter=true
$ http://172.20.0.81:8080
默认加载 ~/.kube/config
的认证信息,访问过程:
Client ----> kubectl proxy --auth--> API Server
从 Pod 中访问 Kubernetes API
k8s 的 Pod 中默认可以访问 k8s 的 API。并且会默认注入如下信息:
/var/run/secrets/kubernetes.io/serviceaccount/token
访问 API 的 token/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
验证 API 服务器的服务证书/var/run/secrets/kubernetes.io/serviceaccount/namespace
当前容器所在的 namespace
配置权限
默认在容器内没有权限访问 k8s 的 API,需要配置 ClusterRoleBinding,示例如下:
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: pods-list
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: pods-list
subjects:
- kind: ServiceAccount
name: default
namespace: default
roleRef:
kind: ClusterRole
name: pods-list
apiGroup: rbac.authorization.k8s.io
更多参考:Documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
API 调用示例
Golang 示例
golang sdk: https://github.com/kubernetes/client-go,使用时小心导入的版本,示例参考:
Python 示例
pip3 install kubernetes
from kubernetes import client, config
def main():
config.load_incluster_config()
v1 = client.CoreV1Api()
print("Listing pods with their IPs:")
ret = v1.list_pod_for_all_namespaces(watch=False)
for i in ret.items:
print("%s\t%s\t%s" %
(i.status.pod_ip, i.metadata.namespace, i.metadata.name))
if __name__ == '__main__':
main()
Shell 示例
# 指向内部 API 服务器的主机名
APISERVER=https://kubernetes.default.svc
# 服务账号令牌的路径
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
# 读取 Pod 的名字空间
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
# 读取服务账号的持有者令牌
TOKEN=$(cat ${SERVICEACCOUNT}/token)
# 引用内部证书机构(CA)
CACERT=${SERVICEACCOUNT}/ca.crt
# 使用令牌访问 API
$ curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "172.20.0.81:6443"
}
]
}