[!NOTE] There are several different proxies you may encounter when using Kubernetes:

  • The kubectl proxy:
    • runs on a user's desktop or in a pod
    • proxies from a localhost address to the Kubernetes apiserver
    • client to proxy uses HTTP
    • proxy to apiserver uses HTTPS
    • locates apiserver
    • adds authentication headers

  • The apiserver proxy:
    • is a bastion built into the apiserver
    • connects a user outside of the cluster to cluster IPs which otherwise might not be reachable
    • runs in the apiserver processes
    • client to proxy uses HTTPS (or http if apiserver so configured)
    • proxy to target may use HTTP or HTTPS as chosen by proxy using available information
    • can be used to reach a Node, Pod, or Service
    • does load balancing when used to reach a Service

  • The kube proxy:
    • runs on each node
    • proxies UDP and TCP
    • does not understand HTTP
    • provides load balancing
    • is only used to reach services

  • A Proxy/Load-balancer in front of apiserver(s):
    • existence and implementation varies from cluster to cluster (e.g. nginx)
    • sits between all clients and one or more apiservers
    • acts as load balancer if there are several apiservers.

  • Cloud Load Balancers on external services:
    • are provided by some cloud providers (e.g. AWS ELB, Google Cloud Load Balancer)
    • are created automatically when the Kubernetes service has type LoadBalancer
    • use UDP/TCP only
    • implementation varies by cloud provider.
kubernetes API structure
1.6.1.10.1 -- kubernetes API structure

[!NOTE|label:tips:]

  • get server
    $ server=$(kubectl config view -ojsonpath="{.clusters[*].cluster.server}")
    
  • get default sa name

    $ name=$(kubectl get sa -n default default -ojsonpath="{.secrets[].name}")
    
  • get token

    $ token=$(kubectl get secrets -n default $(kubectl get sa -n default default -ojsonpath="{.secrets[].name}") -o jsonpath="{.data.token}" | base64 -d)
    
  • get cacert
    $ cacert=$(kubectl config view --raw -ojsonpath="{.clusters[].cluster.certificate-authority-data}" | base64 -d)
    
  • curl HEAD

    -H "Authorization: Bearer $token"
    
  • API path

    $ ${server}/api/
    

acess cluster

$ APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
# or get via cluster name of `kubernetes-staging`
$ APISERVER=$(kubectl config view -o jsonpath='{.clusters[?(@.name == "kubernetes-staging")].cluster.server}')

$ TOKEN=$(kubectl get secret default-token -o jsonpath='{.data.token}' | base64 --decode)
$ curl ${APISERVER}/api --header "Authorization: Bearer ${TOKEN}" --insecure
  • or

    $ APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
    # or via jsonpath
    $ APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
    # or get via cluster name of `kubernetes-staging`
    $ APISERVER=$(kubectl config view -o jsonpath='{.clusters[?(@.name == "kubernetes-staging")].cluster.server}')
    
    $ TOKEN=$(kubectl describe secret default-token | grep -E '^token' | cut -f2 -d':' | tr -d " ")
    $ curl ${APISERVER}/api --header "Authorization: Bearer ${TOKEN}" --insecure
    {
      "kind": "APIVersions",
      "versions": [
        "v1"
      ],
      "serverAddressByClientCIDRs": [
        {
          "clientCIDR": "0.0.0.0/0",
          "serverAddress": "<master.ip>:6443"
        }
      ]
    }
    

access cluster with cacert

$ curl --include \
       --cacert <(kubectl config view --raw -ojsonpath="{.clusters[].cluster.certificate-authority-data}" | base64 -d) \
       ${server}/api/ -H "Authorization: Bearer $token"
Copyright © marslo 2020-2023 all right reserved,powered by GitbookLast Modified: 2024-03-12 15:01:30

results matching ""

    No results matching ""