Kubernetes notes – operating the API with curl

9 July 2023

Most Kubernetes API resource types are "objects": they represent a concrete instance of a concept on the cluster, such as a pod or a namespace. A small number of API resource types are "virtual"; they usually represent an operation rather than an object, for example a permission check. Every object has a unique name to allow idempotent creation and retrieval, but a virtual resource type may not have a unique name if it is not retrievable or does not rely on idempotency.

1. Accessing via kubectl proxy
1.1. Listening locally

Started without any arguments, kubectl proxy listens only on localhost and speaks plain HTTP; no credentials are needed to reach it, because the proxy attaches the kubeconfig credentials itself.

kubectl proxy 
Starting to serve on 127.0.0.1:8001

Verify API access

curl http://127.0.0.1:8001/api/
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "192.168.3.101:6443"
    }
  ]
}
1.2. Listening on the network

Start kubectl proxy bound to the NIC's IP so it can be reached from other machines. --accept-hosts='^*$' accepts requests from every source host; without it, requests from other hosts are reported as unauthorized.

kubectl proxy --address='192.168.3.101'  --accept-hosts='^*$' --port=8001   
Starting to serve on 192.168.3.101:8001
curl  http://192.168.3.101:8001/api/
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "192.168.3.101:6443"
    }
  ]
}
2. Accessing the API directly
2.1. Get the cluster name and API server address
kubectl config view -o jsonpath='{"Cluster name\tServer\n"}{range .clusters[*]}{.name}{"\t"}{.cluster.server}{"\n"}{end}'
export CLUSTER_NAME="kubernetes"
APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")
2.2. Accessing with a serviceaccount

Create a serviceaccount and bind it to the cluster-admin cluster role

kubectl create serviceaccount sa-panmeng
kubectl create clusterrolebinding   sa-panmeng-cluster-admin --clusterrole='cluster-admin' --serviceaccount=default:sa-panmeng

Get the secret token of serviceaccount sa-panmeng

TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='sa-panmeng')].data.token}"|base64 -d)

Access the API with the token

curl --header "Authorization: Bearer $TOKEN" --insecure  -X GET $APISERVER/api/v1/namespaces/test/pods?limit=1
curl --header "Authorization: Bearer $TOKEN" --insecure  -X GET $APISERVER/api/v1/namespaces/default/pods?limit=1
curl --header "Authorization: Bearer $TOKEN" --insecure  -X GET $APISERVER/api/v1/namespaces/kube-system/pods?limit=1

Although a serviceaccount is namespaced, that does not restrict this token: because it was bound to cluster-admin through a ClusterRoleBinding, it can access resources in every namespace.

2.3. Accessing with a user account

Create a certificate for user panmeng (the CN becomes the username)

openssl genrsa -out panmeng.key 2048
openssl req -new -key panmeng.key -out panmeng.csr -subj "/CN=panmeng"
# sign with the cluster CA; use SHA-256, since SHA-1 signatures are weak and rejected by recent Kubernetes builds
openssl x509 -req -in panmeng.csr -out panmeng.crt -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650

Create the role getpods, then a rolebinding that binds user panmeng to the role getpods

kubectl create role getpods --verb=get --verb=list --resource=pods
kubectl create rolebinding panmeng-getpods --role=getpods --user=panmeng --namespace=default

Verify that access works

curl --cert /etc/kubernetes/pki/panmeng.crt   -X GET $APISERVER/api/v1/namespaces/default/pods?limit=1 --key /etc/kubernetes/pki/panmeng.key  --insecure

Verify that user panmeng has no permission to access namespace kube-system

curl --cert /etc/kubernetes/pki/panmeng.crt   -X GET $APISERVER/api/v1/namespaces/kube-system/pods?limit=1 --key /etc/kubernetes/pki/panmeng.key  --insecure
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "pods is forbidden: User \"panmeng\" cannot list resource \"pods\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}
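A way to confirm the two results above without touching the pods endpoint at all, added here and not part of the original post: it POSTs a SelfSubjectAccessReview, one of the "virtual" resource types from the introduction (a permission check, not a stored object). It assumes the APISERVER and TOKEN variables from section 2.2 and a CA file `ca.crt` (the same CA that signed panmeng.crt), which replaces curl's --insecure; with the cluster-admin token both answers are true, while passing `client_cert=("panmeng.crt", "panmeng.key")` instead should give true for default and false for kube-system, mirroring the 403 shown above.

```python
import json
import os
import ssl
import urllib.request

# Added example, not from the original post. It posts a SelfSubjectAccessReview,
# one of the "virtual" resource types from the introduction: a permission check,
# not a stored object, so an identity can confirm what RBAC grants it before it
# touches real resources. cafile is a placeholder path; it replaces --insecure.

SSAR_PATH = "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews"

def build_ssar(namespace, verb, resource, group=""):
    """Review body; group "" is the core API group, where pods live."""
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SelfSubjectAccessReview",
        "spec": {"resourceAttributes": {"namespace": namespace, "verb": verb,
                                        "group": group, "resource": resource}},
    }

def parse_ssar(body):
    """Return (allowed, reason) from the status the API server filled in."""
    status = body.get("status", {})
    return bool(status.get("allowed")), status.get("reason", "")

def post_json(apiserver, path, obj, cafile, token=None, client_cert=None):
    """POST obj as JSON, authenticating with a bearer token or a (crt, key) pair."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = "Bearer " + token
    ctx = ssl.create_default_context(cafile=cafile)   # verify the server, unlike --insecure
    if client_cert:                                   # e.g. ("panmeng.crt", "panmeng.key")
        ctx.load_cert_chain(*client_cert)
    req = urllib.request.Request(apiserver + path, method="POST", headers=headers,
                                 data=json.dumps(obj).encode())
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def can_i(apiserver, namespace, verb, resource, **auth):
    """True if the calling identity may perform verb on resource in namespace."""
    body = post_json(apiserver, SSAR_PATH, build_ssar(namespace, verb, resource), **auth)
    return parse_ssar(body)[0]

if __name__ == "__main__":  # APISERVER and TOKEN as exported in section 2.2
    api, tok = os.environ["APISERVER"], os.environ["TOKEN"]
    for ns in ("default", "kube-system"):
        print(ns, "list pods:", can_i(api, ns, "list", "pods", cafile="ca.crt", token=tok))
```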
3. Commonly used API resources

Below are the URL path patterns for common resources. Replacing /apis/GROUP/VERSION/ with /api/v1/ addresses the core API group.

/apis/GROUP/VERSION/RESOURCETYPE
/apis/GROUP/VERSION/RESOURCETYPE/NAME
/apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE
/apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME
/apis/GROUP/VERSION/RESOURCETYPE/NAME/SUBRESOURCE
/apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME/SUBRESOURCE

View deployments in the extensions API group

curl  http://127.0.0.1:8001/apis/extensions/v1beta1/namespaces/kube-system/deployments

View pods in the core API group

curl  http://127.0.0.1:8001/api/v1/namespaces/kube-system/pods/
3.1. Using watch to continuously monitor resource changes
curl  http://127.0.0.1:8001/api/v1/namespaces/test/pods
"resourceVersion": "2563046"
# quote the URL so the shell does not treat & as a background operator
curl 'http://127.0.0.1:8001/api/v1/namespaces/test/pods?watch=1&resourceVersion=2563046'
3.2. View the first n resources
curl  http://127.0.0.1:8001/api/v1/namespaces/kube-system/pods?limit=1
"continue": "eyJ2IjoibWV0YS5rOHMuaW8vdjEiLCJydiI6MjU2NDk2Mywic3RhcnQiOiJjYWxpY28tbm9kZS1jejZrOVx1MDAwMCJ9"

Use the continue token to view the next n resources

curl  'http://127.0.0.1:8001/api/v1/namespaces/kube-system/pods?limit=1&continue=eyJ2IjoibWV0YS5rOHMuaW8vdjEiLCJydiI6MjU3MTYxMSwic3RhcnQiOiJjYWxpY28ta3ViZS1jb250cm9sbGVycy01Y2JjY2NjODg1LWt2bGRyXHUwMDAwIn0'
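The two manual steps of 3.2 (and the resourceVersion handed to a watch in 3.1) are easy to automate; the following is an added example, not code from the original post. It walks every page by following metadata.continue, handles the 410 Gone the server returns when a continue token has expired by re-listing from the start, and returns the final resourceVersion that a ?watch=1&resourceVersion=... call can resume from. It assumes the kubectl proxy from section 1 on 127.0.0.1:8001; get_json is injected so the loop can also run against canned pages.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Added example, not from the original post: follows metadata.continue the way
# the two curl calls above do by hand. get_json is injected so the loop can run
# against canned pages; http_get is the real fetch via the kubectl proxy (sect. 1).

def http_get(url):
    """Fetch url and decode JSON; HTTP errors surface as urllib.error.HTTPError."""
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)

class ContinueExpired(Exception):
    """410 Gone: the continue token refers to history the server has dropped."""

def list_page(get_json, base, namespace, limit, cont=None):
    """One page of pods: (items, next continue token or None, resourceVersion)."""
    params = {"limit": limit}
    if cont:
        params["continue"] = cont
    url = f"{base}/api/v1/namespaces/{namespace}/pods?{urllib.parse.urlencode(params)}"
    try:
        body = get_json(url)
    except urllib.error.HTTPError as e:
        if e.code == 410:
            raise ContinueExpired(cont) from e
        raise
    meta = body.get("metadata", {})
    return body.get("items", []), meta.get("continue") or None, meta.get("resourceVersion")

def list_all(get_json, base, namespace, limit=1, max_restarts=3):
    """Collect every item across pages; on 410 start over from the first page."""
    for _ in range(max_restarts):
        items, cont = [], None
        try:
            while True:
                page, cont, rv = list_page(get_json, base, namespace, limit, cont)
                items.extend(page)
                if cont is None:
                    return items, rv  # rv is what ?watch=1&resourceVersion=... resumes from
        except ContinueExpired:
            continue  # token expired mid-walk; a fresh list gives a consistent snapshot
    raise RuntimeError("continue token kept expiring; retry with a larger limit")

if __name__ == "__main__":
    pods, rv = list_all(http_get, "http://127.0.0.1:8001", "kube-system", limit=1)
    print(len(pods), "pods listed, resourceVersion", rv)
```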
4. Resource types

Resource categories: Workloads, Discovery & LB, Config & Storage, Cluster, Metadata
Resource objects: ObjectMeta, ResourceSpec, ResourceStatus
Resource operations: Create, Update (Replace and Patch), Read (Get, List and Watch), Delete, Rollback, Read/Write Scale, Read/Write Status

5. Workload operations

Taking the pod as an example of the workload APIs; below is the pod's YAML file

apiVersion: v1
kind: Pod
metadata:
  name: pod-example
spec:
  containers:
  - name: ubuntu
    image: ubuntu:trusty
    command: ["echo"]
    args: ["Hello World"]
5.1. Create a pod

POST /api/v1/namespaces/{namespace}/pods
View the current pods

# kubectl -n test get pods
NAME       READY   STATUS             RESTARTS   AGE

Create the pod through the API

curl --request POST http://127.0.0.1:8001/api/v1/namespaces/test/pods -s -w "状态码是:%{http_code}\n" -o /dev/null -H 'Content-Type: application/yaml' --data 'apiVersion: v1
kind: Pod
metadata:
  name: pod-example
spec:
  containers:
  - name: ubuntu
    image: ubuntu:trusty
    command: ["echo"]
    args: ["Hello World"]'
状态码是:201

View the current pods

#kubectl -n test get pods
NAME          READY   STATUS              RESTARTS   AGE
pod-example   0/1     ContainerCreating   0          4s

Status codes
200 OK
201 Created
202 Accepted

5.2. Delete a pod

DELETE /api/v1/namespaces/{namespace}/pods/{name}
View the current pods

kubectl get pods -n test --show-labels
NAME          READY   STATUS             RESTARTS   AGE     LABELS
pod-example   0/1     CrashLoopBackOff   1          15s     

Delete the pod pod-example

curl --request DELETE http://127.0.0.1:8001/api/v1/namespaces/test/pods/pod-example -o /dev/null  -s -w "状态码是:%{http_code}\n" 
状态码是:200

View the current pods

kubectl get pods -n test --show-labels
NAME          READY   STATUS             RESTARTS   AGE     LABELS
pod-example   0/1     Terminating        2          28s     

Status codes
200 OK
202 Accepted
