In this recipe, to avoid extra network settings and permission checks, we will demonstrate a minikube-created cluster with a Kubernetes proxy: it is easy to create a Kubernetes cluster on the host and reach its API server locally through a proxy entry.
First, start a proxy to forward API requests:
//curl by API endpoint
$ kubectl proxy
Starting to serve on 127.0.0.1:8001
Having worked with the Kubernetes proxy for a while, you may find it somewhat annoying that the kubectl proxy command stays in the foreground and blocks your terminal, forcing you to open a new one for the following commands. To avoid this, just add & as the last parameter of your command. The & symbol makes the shell run your command in the background:
$ kubectl proxy &
[1] 6372
Starting to serve on 127.0.0.1:8001
Be aware that you should kill this process manually when you no longer need the proxy:
$ kill -9 6372
Then, try the endpoint with a simple path, /api:
$ curl http://127.0.0.1:8001/api
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "10.0.2.15:8443"
}
]
}
Once you see basic API server information as in the preceding output, congratulations! You can now play with the RESTful API of Kubernetes.
A secured way to access the Kubernetes API server
However, if you want to access a more secure API server, such as a kubeadm cluster, you need to take care of the following items:
- The endpoint of the API server
- Token for authentication
We can get the required information through the following commands, and then fire the API request for the version successfully:
$ APISERVER=$(kubectl config view | grep server | cut -f 2- -d ":" | tr -d " ")
// get the token of the default service account
$ TOKEN=$(kubectl get secret --field-selector type=kubernetes.io/service-account-token -o name | grep default-token- | head -n 1 | xargs kubectl get -o 'jsonpath={.data.token}' | base64 -d)
$ curl $APISERVER/api -H "Authorization: Bearer $TOKEN" --insecure
On the other hand, you may see a permission-denied message when accessing resources in a kubeadm cluster. If so, the solution is to bind the default service account to the administrator role, that is, cluster-admin in the kubeadm system. We provide the configuration file rbac.yaml in the code bundle; please check it out if you need it:
$ curl $APISERVER/api/v1/namespaces/default/services -H "Authorization: Bearer $TOKEN" --insecure
...
"status": "Failure",
"message": "services is forbidden: User \"system:serviceaccount:default:default\" cannot list services in the namespace \"default\"",
"reason": "Forbidden",
...
$ kubectl create -f rbac.yaml
clusterrolebinding "fabric8-rbac" created
// now the API request is successful
$ curl $APISERVER/api/v1/namespaces/default/services -H "Authorization: Bearer $TOKEN" --insecure
{
"kind": "ServiceList",
"apiVersion": "v1",
"metadata": {
"selfLink": "/api/v1/namespaces/default/services",
"resourceVersion": "291954"
},
...
Be careful with the --insecure flag, which is needed because the endpoint uses the HTTPS protocol, and with -H, which adds the header carrying the token. These are the additions compared with our naive demonstration settings.
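The following script is an added example; it is not from the recipe or its code bundle. It serves two passages above: the bearer-token request, rewritten so that curl verifies the API server's TLS certificate against the CA embedded in the kubeconfig (--cacert) instead of skipping verification with --insecure, and the permission-denied case, where a namespace-scoped Role granting only the services list used in the recipe stands in for the cluster-admin binding in rbac.yaml (which is not reproduced here). The Role and RoleBinding names are made up; the helper functions read text on stdin so they can be exercised on constructed input without a live cluster.

```shell
#!/bin/sh
# Added example, not from the recipe or its code bundle.
# Verified bearer-token request (--cacert instead of --insecure) and a
# namespace-scoped RBAC binding instead of cluster-admin.
# Helpers read stdin so they can be tested on constructed text.

# Print the first cluster's server URL from `kubectl config view --raw` output.
config_server() {
  sed -n 's/^[[:space:]]*server:[[:space:]]*//p' | head -n 1
}

# Print the first cluster's base64-encoded CA bundle. Only `--raw` output
# contains it; plain `kubectl config view` redacts it as DATA+OMITTED.
config_ca_data() {
  sed -n 's/^[[:space:]]*certificate-authority-data:[[:space:]]*//p' | head -n 1
}

# Decode the token field of a service-account secret, which the API returns
# base64-encoded (jsonpath={.data.token}).
decode_token() {
  base64 -d
}

# Succeed (exit 0) only if the response is a Status object with reason
# Forbidden, i.e. the RBAC failure shown in the recipe.
is_forbidden() {
  grep -q '"reason": *"Forbidden"'
}

# GET path $4 on server $1 with bearer token $2, verifying TLS against the
# base64 CA bundle in $3. The CA goes to a temp file because curl wants a path.
api_get() {
  cafile=$(mktemp) || return 1
  printf '%s' "$3" | base64 -d > "$cafile"
  curl -sS --cacert "$cafile" -H "Authorization: Bearer $2" "$1$4"
  rc=$?
  rm -f "$cafile"
  return $rc
}

# Emit a Role/RoleBinding giving the default service account only get/list on
# services in the default namespace: enough for the request in the recipe
# without handing it cluster-admin. Names are made up for this example.
services_reader_manifest() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: services-reader
  namespace: default
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: default-services-reader
  namespace: default
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: Role
  name: services-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Live usage, assuming kubectl already points at the cluster:
#   CFG=$(kubectl config view --raw)
#   APISERVER=$(printf '%s\n' "$CFG" | config_server)
#   CADATA=$(printf '%s\n' "$CFG" | config_ca_data)
#   TOKEN=$(kubectl get secret --field-selector type=kubernetes.io/service-account-token \
#             -o name | grep default-token- | head -n 1 \
#           | xargs kubectl get -o 'jsonpath={.data.token}' | decode_token)
#   services_reader_manifest | kubectl apply -f -
#   api_get "$APISERVER" "$TOKEN" "$CADATA" /api/v1/namespaces/default/services
```

With the CA in place, a mismatched or man-in-the-middle certificate makes curl fail instead of silently proceeding, and the scoped binding means a leaked default-service-account token can list services in one namespace rather than administer the whole cluster.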