Accessing the Kubernetes API

The Kubernetes API server is secured: all incoming connections must be authenticated. There are two common ways of connecting to and communicating securely with the Kubernetes API server. The first is to use the reverse proxy functionality of kubectl, and the second is to use the API server credentials directly. These approaches can be summarized as follows:

  • Reverse proxying the Kubernetes API with kubectl:
    • The kubectl proxy command starts a proxy server between the localhost and the Kubernetes API server.
    • All incoming requests are forwarded to the remote Kubernetes API server port.
    • The API server identity is verified by using self-signed certificates so that Man-in-the-Middle (MITM) attacks are not possible.
    • kubectl handles authentication to the API server. This is a recommended approach in the official Kubernetes documentation.
    • Further development is ongoing; client-side load balancing and failover features could be provided in the future.
  • Providing the API server address and credentials directly:
    • The API server address and credentials are available within and outside the cluster and they can be provided as parameters.
    • This is an alternative approach and should be used as a last resort if the client application cannot work with a reverse proxy.
    • In order to protect from MITM attacks, certificates should be imported to the clients, for example, through browsers.

In the following activity, kubectl proxy is used to connect to the Kubernetes API and create a new Kubernetes namespace. With this method, kubectl securely connects to the API server with its own credentials and creates a proxy for the applications on the local system.
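
The proxy approach described above can be sketched as the following script. It is an added example, not code from the book: the port 8001, the helper function names and the namespace name passed as the first argument are assumptions, and kubectl and curl are expected to be installed.

```sh
#!/bin/sh
# Added example: create a namespace through `kubectl proxy`.
# Assumed: port 8001, helper names, namespace name given as $1.
LC_ALL=C; export LC_ALL
PROXY_PORT="${PROXY_PORT:-8001}"

# Namespace names are DNS-1123 labels. Rejecting anything else also keeps
# the value safe to interpolate into the JSON body built below.
valid_ns_name() {
  case "$1" in
    ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

namespace_manifest() {
  valid_ns_name "$1" || return 1
  printf '{"apiVersion":"v1","kind":"Namespace","metadata":{"name":"%s"}}' "$1"
}

create_namespace() {
  body=$(namespace_manifest "$1") || { echo "invalid name: $1" >&2; return 1; }
  base="http://127.0.0.1:${PROXY_PORT}"
  # Keep the proxy on loopback: it does not authenticate its callers, so any
  # process that can reach the port acts with kubectl's credentials.
  kubectl proxy --address=127.0.0.1 --port="$PROXY_PORT" >/dev/null 2>&1 &
  proxy_pid=$!
  trap 'kill "$proxy_pid" 2>/dev/null' EXIT
  # Wait (at most ~10 s) until the proxy answers on the local port.
  i=0
  until curl -s -o /dev/null "$base/version"; do
    i=$((i + 1)); [ "$i" -lt 10 ] || return 1; sleep 1
  done
  # Plain HTTP covers only the local hop; kubectl speaks TLS to the API server.
  curl -sS --fail -X POST -H 'Content-Type: application/json' \
       --data "$body" "$base/api/v1/namespaces"
}

# Run only when a namespace name is supplied, e.g.: sh create-ns.sh demo-ns
if [ "$#" -gt 0 ]; then create_namespace "$1"; fi
```

The proxy is stopped when the script exits, so kubectl's credentials are exposed on the local port only for the duration of the request.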
