references:

[!NOTE] There are several different proxies you may encounter when using Kubernetes:

  • The kubectl proxy:
    • runs on a user's desktop or in a pod
    • proxies from a localhost address to the Kubernetes apiserver
    • client to proxy uses HTTP
    • proxy to apiserver uses HTTPS
    • locates apiserver
    • adds authentication headers

  • The apiserver proxy:
    • is a bastion built into the apiserver
    • connects a user outside of the cluster to cluster IPs which otherwise might not be reachable
    • runs in the apiserver processes
    • client to proxy uses HTTPS (or http if apiserver so configured)
    • proxy to target may use HTTP or HTTPS as chosen by proxy using available information
    • can be used to reach a Node, Pod, or Service
    • does load balancing when used to reach a Service

  • The kube proxy:
    • runs on each node
    • proxies UDP and TCP
    • does not understand HTTP
    • provides load balancing
    • is only used to reach services

  • A Proxy/Load-balancer in front of apiserver(s):
    • existence and implementation varies from cluster to cluster (e.g. nginx)
    • sits between all clients and one or more apiservers
    • acts as load balancer if there are several apiservers.

  • Cloud Load Balancers on external services:
    • are provided by some cloud providers (e.g. AWS ELB, Google Cloud Load Balancer)
    • are created automatically when the Kubernetes service has type LoadBalancer
    • use UDP/TCP only
    • implementation varies by cloud provider.
kubernetes API structure
1.6.1.10.1 -- kubernetes API structure

[!NOTE|label:tips:]

  • get server
    $ server=$(kubectl config view -ojsonpath="{.clusters[*].cluster.server}")

  • get default sa name

    $ name=$(kubectl get sa -n default default -ojsonpath="{.secrets[].name}")

  • get token

    $ token=$(kubectl get secrets -n default $(kubectl get sa -n default default -ojsonpath="{.secrets[].name}") -o jsonpath="{.data.token}" | base64 -d)
  • get cacert
    $ cacert=$(kubectl config view --raw -ojsonpath="{.clusters[].cluster.certificate-authority-data}" | base64 -d)

  • curl HEAD

    -H "Authorization: Bearer $token"

  • API path

    $ ${server}/api/

acess cluster

$ APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
# or get via cluster name of `kubernetes-staging`
$ APISERVER=$(kubectl config view -o jsonpath='{.clusters[?(@.name == "kubernetes-staging")].cluster.server}')

$ TOKEN=$(kubectl get secret default-token -o jsonpath='{.data.token}' | base64 --decode)
$ curl ${APISERVER}/api --header "Authorization: Bearer ${TOKEN}" --insecure

  • or

    $ APISERVER=$(kubectl config view --minify | grep server | cut -f 2- -d ":" | tr -d " ")
# or via jsonpath
$ APISERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
# or get via cluster name of `kubernetes-staging`
$ APISERVER=$(kubectl config view -o jsonpath='{.clusters[?(@.name == "kubernetes-staging")].cluster.server}')

$ TOKEN=$(kubectl describe secret default-token | grep -E '^token' | cut -f2 -d':' | tr -d " ")
$ curl ${APISERVER}/api --header "Authorization: Bearer ${TOKEN}" --insecure
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "<master.ip>:6443"
    }
  ]
}

access cluster with cacert

$ curl --include \
       --cacert <(kubectl config view --raw -ojsonpath="{.clusters[].cluster.certificate-authority-data}" | base64 -d) \
       ${server}/api/ -H "Authorization: Bearer $token"
Copyright © marslo 2020-2023 all right reserved,powered by GitbookLast Modified: 2024-05-16 01:41:37

results matching ""

    No results matching ""