Kubernetes是一个完全基于API的系统。使用curl或Postman等简单工具,在构建应用程序之前获取API信息更方便。
要与Kubernetes API进行交互,您需要具有正确权限的ServiceAccount,通过(Cluster)Role和RoleBinding获得。使用ServiceAccount的token进行身份验证。
由于所有通信都通过TLS进行,因此您还需要自签名证书(ca.crt)。或者,允许不安全的连接(--insecure),但不建议这样做。
创建ServiceAccount
kubectl create serviceaccount api-explorer
创建(cluster)role,授予对必要资源的访问权限。我更喜欢ClusterRoles用于可在整个系统中重用的角色。在此示例中,我授予对pod及其日志的访问权限,稍后我们将在示例用例中使用它。
cat <
参考备注:kubectl get clusterrole admin -oyaml
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: admin
resourceVersion: "3200959"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/admin
uid: 7f726a32-7c59-11e9-964d-00163e32602b
rules:
- apiGroups:
- argoproj.io
resources:
- workflows
- workflows/finalizers
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods
- pods/attach
- pods/exec
- pods/portforward
- pods/proxy
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
- services/proxy
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- bindings
- events
- limitranges
- namespaces/status
- pods/log
- pods/status
- replicationcontrollers/status
- resourcequotas
- resourcequotas/status
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- impersonate
- apiGroups:
- apps
resources:
- controllerrevisions
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- replicasets
- replicasets/scale
- statefulsets
- statefulsets/scale
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- ingresses
- networkpolicies
- replicasets
- replicasets/scale
- replicationcontrollers/scale
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- authorization.k8s.io
resources:
- localsubjectaccessreviews
verbs:
- create
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
将ClusterRole绑定到当前命名空间中的ServiceAccount(例如,'default')。
kubectl create rolebinding api-explorer:log-reader --clusterrole log-reader --serviceaccount default:api-explorer
从ServiceAccount的secret中获取token和证书,以便在API请求中使用。,并用jq对json格式化。首先设置SERVICE_ACCOUNT变量。
SERVICE_ACCOUNT=api-explorer
# Get the ServiceAccount's token Secret's name
SECRET=$(kubectl get serviceaccount ${SERVICE_ACCOUNT} -o json | jq -Mr '.secrets[].name | select(contains("token"))')
# Extract the Bearer token from the Secret and decode
TOKEN=$(kubectl get secret ${SECRET} -o json | jq -Mr '.data.token' | base64 -d)
# Extract, decode and write the ca.crt to a temporary location
kubectl get secret ${SECRET} -o json | jq -Mr '.data["ca.crt"]' | base64 -d > /tmp/ca.crt
# Get the API Server location
APISERVER=https://$(kubectl -n default get endpoints kubernetes --no-headers | awk '{ print $2 }')
通过 /openapi/v2 查看API说明:
curl -s $APISERVER/openapi/v2 --header "Authorization: Bearer $TOKEN" --cacert /tmp/ca.crt | less
要获取pod的日志,请先列出所有pod。使用jq 根据 .items[].metadata.name 来查询
curl -s $APISERVER/api/v1/namespaces/default/pods/ --header "Authorization: Bearer $TOKEN" --cacert /tmp/ca.crt | jq -rM '.items[].metadata.name'
获取指定得到pod
curl -s $APISERVER/api/v1/namespaces/default/pods/example-python-python-75f5b5dcff-zvwwx/log --header "Authorization: Bearer $TOKEN" --cacert /tmp/ca.crt
到此,你可以通过API文档获取更多信息。
有时在自己的环境上使用curl 时可能会出现以下问题:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "namespace \"default\" is forbidden: User \"system:serviceaccount:default:default\" cannot get namespace/pods at the cluster scope",
"reason": "Forbidden",
"details": {
"name": "default",
"kind": "namespace"
},
"code": 403
}
很显然,没权限。这是因为要么TOKEN,要么ca.crt没获取正确。请根据上述的过程将指定的ServiceAccount对应的secret中的TOKEN和证书(ca.crt)。另外 kubectl get secret出来的是base64加密后的,kubectl describe secret 获取的是不加密的。