Accessing a Kubernetes cluster

From MyWiki
Jump to: navigation, search

We access a Kubernetes cluster by three methods:

  • kubectl, the CLI tool
  • Kubernetes Dashboard
  • curl with the right credentials to access the cluster via APIs

$ kubectl config view
$ kubectl cluster-info
$ kubectl cluster-info dump


$ minikube dashboard
$ kubectl proxy

When kubectl proxy is running, we can send requests to the API over the localhost on the proxy port 8001 (from another terminal, since the proxy locks the first terminal):

$ curl http://localhost:8001/

We can explore every single path combination with curl or in a browser, such as:
http://localhost:8001/api/v1
http://localhost:8001/apis/apps/v1
http://localhost:8001/healthz
http://localhost:8001/metrics

APIs - without 'kubectl proxy
When not using the proxy we need to authenticate to the API server with either a Bearer Token or by providing a set of keys and certificates
A Bearer Token is an access token which is generated by the authentication server (the API server on the master node) and given back to the client.
Get the token: 

$ TOKEN=$(kubectl describe secret -n kube-system $(kubectl get secrets -n kube-system | grep default | cut -f1 -d ' ') | grep -E '^token' | cut -f2 -d':' | tr -d '\t' | tr -d " ")

Get the API server endpoint: 

$ APISERVER=$(kubectl config view | grep https | cut -f 2- -d ":" | tr -d " ")

Confirm that the APISERVER stored the same IP as the Kubernetes master IP by issuing the following 2 commands and comparing their outputs: 

$ echo $APISERVER
https://192.168.99.100:8443
 
$ kubectl cluster-info
Kubernetes master is running at https://192.168.99.100:8443 ...

Access the API server using the curl command, as shown below: 

$ curl $APISERVER --header "Authorization: Bearer $TOKEN" --insecure
{
 "paths": [
   "/api",
   "/api/v1",
   "/apis",
   "/apis/apps",
   ......
   ......
   "/logs",
   "/metrics",
   "/openapi/v2",
   "/version"
 ]
}

Instead of the access token, we can extract the client certificate, client key, and certificate authority data from the .kube/config file. Once extracted, they are encoded and then passed with a curl command for authentication. The new curl command looks similar to: 

$ curl $APISERVER --cert encoded-cert --key encoded-key --cacert encoded-ca
Retrieved from "https://wiki.twig.es/index.php?title=Accessing_a_Kubernetes_cluster&oldid=4560"