In this section, we'll create a simple application to query the Kubernetes API and get the details of the kube-system namespace. However, this application should run inside the cluster and work as a Kubernetes native application. We'll query the Kubernetes API within a cluster with the injected environment variables and certificates in the pods.
Let's begin by implementing the following steps:
- Start a cURL instance inside the cluster and wait until it is up and running:
kubectl run curl --image=tutum/curl --rm -it
- Inside the pod, check the security credentials:
ls /var/run/secrets/kubernetes.io/serviceaccount/
You'll get the following output:
- Check that the Kubernetes API server has the related environment variables:
env | grep KUBE
You'll get the following output:
- Combine all of the credentials and address information together with the following commands:
APISERVER=https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
- With the collected environment variables from Step 4, create and send an HTTP request by using cURL:
curl --header "Authorization: Bearer $TOKEN" --cacert
$CACERT $APISERVER/api/v1/namespaces/kube-system
By using the preceding command, a GET request will be sent to the /api/v1/namespaces/kube-system endpoint. In order to authenticate to the API server, a bearer token is sent as a header, and certificate authority information is provided.
As a result of this command, the requested namespace information will be retrieved from the API server:
The Kubernetes API is the core management service and it is a secure RESTful service that consumes JSON. It requires all of the clients to be authenticated, and both outside and inside cluster connections are possible. In the following section, client libraries for various programming languages are presented that implement the Kubernetes API.