大多数K8S API资源类型是“objects”,代表群集上的概念的具体实例,如pod或namespace。少数API资源类型是虚拟,通常表示操作而不是对象,例如权限检查。所有对象都将具有唯一的名称以允许幂等创建和检索,但如果虚拟资源类型不可检索或不依赖于幂等,则虚拟资源类型可能不具有唯一名称。
1.使用kubectl代理访问
1.1。本地监听
启动kubectl proxy,不带任何参数只在本地监听,使用的是http协议,无需提供任何凭证就可以访问
kubectl proxy Starting to serve on 127.0.0.1:8001
验证API访问
curl http://127.0.0.1:8001/api/
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.3.101:6443"
}
]
}
1.2。网络监听
启动kubectl proxy,使用网卡IP,从其他机器访问, – accept-hosts =’^ * $’表示接受所有源IP,否则会显示不被授权
kubectl proxy --address='192.168.3.101' --accept-hosts='^*$' --port=8001
Starting to serve on 192.168.3.101:8001
curl http://192.168.3.101:8001/api/
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.3.101:6443"
}
]
}
2.直接访问API
2.1。获取集群名称和API地址
kubectl config view -o jsonpath='{"Cluster name\tServer\n"}{range .clusters[*]}{.name}{"\t"}{.cluster.server}{"\n"}{end}'
export CLUSTER_NAME="kubernetes"
APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")
2.2。使用serviceaccount来访问
创建serviceaccount并绑定集群角色集群管理员
kubectl create seviceaccount sa-panmeng kubectl create clusterrolebinding sa-panmeng-cluster-admin --clusterrole='cluster-admin' --serviceaccount=default:sa-panmeng
获取seviceaccount sa-panmeng的秘密令牌
TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='sa-panmeng')].data.token}"|base64 -d)
使用令牌访问API
curl --header "Authorization: Bearer $TOKEN" --insecure -X GET $APISERVER/api/v1/namespaces/test/pods?limit=1 curl --header "Authorization: Bearer $TOKEN" --insecure -X GET $APISERVER/api/v1/namespaces/default/pods?limit=1 curl --header "Authorization: Bearer $TOKEN" --insecure -X GET $APISERVER/api/v1/namespaces/kube-system/pods?limit=1
serviceaccount虽然是区分命名空间的,但是不影响使用这个令牌访问所有的命名空间的资源
2.3。使用useraccount来访问
创建用户panmeng的证书
openssl genrsa -out panmeng.key 2048 openssl req -new -key panmeng.key -out panmeng.csr -subj "/CN=panmeng" openssl x509 -req -in panmeng.csr -out panmeng.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650
创建角色getpods,创建角色绑定用户panmeng和角色getpods
kubectl create role getpods --verb=get --verb=list --resource=pods kubectl create rolebinding panmeng-getpods --role=getpods --user=panmeng --namespace=default
验证访问是否正常
curl --cert /etc/kubernetes/pki/panmeng.crt -X GET $APISERVER/api/v1/namespaces/default/pods?limit=1 --key /etc/kubernetes/pki/panmeng.key --insecure
验证用户panmeng不具备访问namespace kube-system的权限
curl --cert /etc/kubernetes/pki/panmeng.crt -X GET $APISERVER/api/v1/namespaces/kube-system/pods?limit=1 --key /etc/kubernetes/pki/panmeng.key --insecure
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "pods is forbidden: User \"panmeng\" cannot list resource \"pods\" in API group \"\" in the namespace \"kube-system\"",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
}
3.常用的API资源
以下为常用资源的URL路径,将/的API /组/ VERSION /替换为/ API / V1 /,则表示基础API组
/apis/GROUP/VERSION/RESOURCETYPE /apis/GROUP/VERSION/RESOURCETYPE/NAME /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME /apis/GROUP/VERSION/RESOURCETYPE/NAME/SUBRESOURCE /apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME/SUBRESOURCE
查看扩展API里的资源部署
curl http://127.0.0.1:8001/apis/extensions/v1beta1/namespaces/kube-system/deployments
查看基础API里的资源荚
curl http://127.0.0.1:8001/api/v1/namespaces/kube-system/pods/
3.1。使用观看持续监控资源的变化
curl http://127.0.0.1:8001/api/v1/namespaces/test/pods "resourceVersion": "2563046" curl http://127.0.0.1:8001/api/v1/namespaces/test/pods?watch=1&resourceVersion=2563046
3.2。查看前Ñ个资源
curl http://127.0.0.1:8001/api/v1/namespaces/kube-system/pods?limit=1 "continue": "eyJ2IjoibWV0YS5rOHMuaW8vdjEiLCJydiI6MjU2NDk2Mywic3RhcnQiOiJjYWxpY28tbm9kZS1jejZrOVx1MDAwMCJ9"
使用继续令牌查看下n个资源
curl 'http://127.0.0.1:8001/api/v1/namespaces/kube-system/pods?limit=1&continue=eyJ2IjoibWV0YS5rOHMuaW8vdjEiLCJydiI6MjU3MTYxMSwic3RhcnQiOiJjYWxpY28ta3ViZS1jb250cm9sbGVycy01Y2JjY2NjODg1LWt2bGRyXHUwMDAwIn0'
4.资源的类型
资源分类:工作负载,发现和LB,配置和存储,集群,元数据
资源对象:资源ObjectMeta,ResourceSpec,ResourceStatus
资源操作:创建,更新(替换和补丁),读取(获取和列表和监视),删除,回滚,读/写规模,读取/写状态
5.Workloads的操作
以pod为例,介绍工作负载apis,以下为pod的yaml文件
apiVersion: v1
kind: Pod
metadata:
name: pod-example
spec:
containers:
- name: ubuntu
image: ubuntu:trusty
command: ["echo"]
args: ["Hello World"]
5.1。创建荚
POST / api / v1 / namespaces / {namespace} / pods
查看当前pods
# kubectl -n test get pods NAME READY STATUS RESTARTS AGE
使用API创建荚
curl --request POST http://127.0.0.1:8001/api/v1/namespaces/test/pods -s -w "状态码是:%{http_code}\n" -o /dev/null -H 'Content-Type: application/yaml' --data 'apiVersion: v1
kind: Pod
metadata:
name: pod-example
spec:
containers:
- name: ubuntu
image: ubuntu:trusty
command: ["echo"]
args: ["Hello World"]'
状态码是:201
查看当前荚
#kubectl -n test get pods NAME READY STATUS RESTARTS AGE pod-example 0/1 ContainerCreating 0 4s
状态码
200 Ok
201创建
202接受
5.2。删除荚
DELETE / api / v1 / namespaces / {namespace} / pods / {name}
查看当前pods
kubectl get pods -n test --show-labels NAME READY STATUS RESTARTS AGE LABELS pod-example 0/1 CrashLoopBackOff 1 15s
删除pod pod-example
curl --request DELETE http://127.0.0.1:8001/api/v1/namespaces/test/pods/pod-example -o /dev/null -s -w "状态码是:%{http_code}\n"
状态码是:200
查看当前荚
kubectl get pods -n test --show-labels NAME READY STATUS RESTARTS AGE LABELS pod-example 0/1 Terminating 2 28s
状态码
200 Ok
202接受
