From a Kubernetes node, how can I access the API server, and how can I find out the API endpoint and handle authentication? It is a Windows node, by the way.
I'm surprised that there is not much information I could find on the Internet about this. Is accessing the Kubernetes API directly from a node a bad design?
"From the node" sounds like a fringe use case, like addons, which are usually covered by using the "admin.conf" file that was deployed during node attachment and contains whatever you would need to connect to the API server.
A more usual approach would be to deploy your workload in a Pod whose service account has the proper role binding to access the API server.
How to access the Kubernetes API from a node directly?
There are multiple ways; one of them is from the master node:
# Get API Server URL:
kubectl cluster-info
#access it using the curl
curl https://<api serverIP>:6443/api/v1/nodes --cacert /etc/srv/kubernetes/pki/ca-certificates.crt --cert /var/lib/kubelet/pki/kubelet-client.crt --key /var/lib/kubelet/pki/kubelet-client.key
How can I find out the API endpoint and handle authentication?
One technique I use is adding --v=11 to kubectl commands; it prints the endpoints of the Kubernetes resources it talks to:
#example :
kubectl get pods --v=11 2>&1 | grep GET
I1229 10:20:41.098241 42907 round_trippers.go:423] curl -k -v -XGET -H "Accept: application/json;as=Table;v=v1;g=meta.k8s.io,application/json;as=Table;v=v1beta1;g=meta.k8s.io,application/json" -H "User-Agent: kubectl/v1.19.4 (linux/amd64) kubernetes/d360454" 'https://10.157.160.165:6443/api/v1/namespaces/default/pods?limit=500'
I1229 10:20:41.116964 42907 round_trippers.go:443] GET https://<apiserver>:6443/api/v1/namespaces/default/pods?limit=500 200 OK in 18 milliseconds
It is a Windows node by the way
Ideally the above steps should work. You may need to find the equivalent commands for grep and curl, and change the location of the certs to the appropriate locations. You can find the location of the certs in the admin.conf file.
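Putting the two answers together, here is an added example (not code from the thread) that extracts the API server endpoint from `kubectl --v=11` output and then calls the API with the same CA, client certificate and key files the curl command above uses, via Python's standard library. The log sample is constructed to match the format shown above; the certificate paths are the Linux ones from the answer and on a Windows node should be replaced with the paths named in admin.conf.

```python
import json
import os
import re
import ssl
import urllib.request
from urllib.parse import urlsplit

# Constructed sample of `kubectl get pods --v=11` output (same shape as the answer above).
SAMPLE_V11 = """\
I1229 10:20:41.098241 42907 round_trippers.go:423] curl -k -v -XGET -H "Accept: application/json" 'https://10.157.160.165:6443/api/v1/namespaces/default/pods?limit=500'
I1229 10:20:41.116964 42907 round_trippers.go:443] GET https://10.157.160.165:6443/api/v1/namespaces/default/pods?limit=500 200 OK in 18 milliseconds
"""

# Lines of the form "round_trippers.go:NNN] METHOD URL STATUS ..." record each request kubectl made.
_REQ_LINE = re.compile(r"round_trippers\.go:\d+\] (GET|POST|PUT|PATCH|DELETE) (https?://\S+) (\d{3}) ")

def endpoints_from_verbose(log):
    """Return (method, url, status) for every request found in kubectl --v=11 output."""
    return [(m.group(1), m.group(2), int(m.group(3))) for m in _REQ_LINE.finditer(log)]

def api_server_base(log):
    """Derive the API server base URL (scheme://host:port) from the first request seen."""
    parts = urlsplit(endpoints_from_verbose(log)[0][1])
    return f"{parts.scheme}://{parts.netloc}"

def mtls_context(ca_file, cert_file, key_file):
    """TLS context that verifies the server against the cluster CA and presents the kubelet
    client certificate: the same three files the answer's curl command passes."""
    ctx = ssl.create_default_context(cafile=ca_file)  # server cert and hostname checks stay on
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def get_json(base, path, ctx, timeout=10):
    """GET base + path (e.g. /api/v1/nodes) with client-cert auth and decode the JSON body."""
    req = urllib.request.Request(base + path, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)

if __name__ == "__main__":
    base = api_server_base(SAMPLE_V11)
    print("API server:", base, endpoints_from_verbose(SAMPLE_V11))
    # Cert paths are the Linux ones from the answer; on a Windows node use the paths named in admin.conf.
    ca, crt, key = ("/etc/srv/kubernetes/pki/ca-certificates.crt",
                    "/var/lib/kubelet/pki/kubelet-client.crt", "/var/lib/kubelet/pki/kubelet-client.key")
    if os.path.exists(key):  # only talk to a real cluster when the node's client key is present
        nodes = get_json(base, "/api/v1/nodes", mtls_context(ca, crt, key))
        print([n["metadata"]["name"] for n in nodes["items"]])
```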
Forgive me for asking a stupid question but I can't seem to find anywhere in the Kubernetes API reference how to query logs via the REST API if there's more than one container running inside the pod?
curl -k -H "Authorization: Bearer my-super-secret-token" https://kubernetes/api/v1/namespaces/default/pods/my-app-1/log
Returns:
{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"a container name must be specified for pod my-app-1, choose one of: [nginx php-fpm]","reason":"BadRequest","code":400}
I tried:
curl -k -H "Authorization: Bearer my-super-secret-token" https://kubernetes/api/v1/namespaces/default/pods/my-app-1/nginx/log
and it results in an error that the resource can't be found.
How do I specify the container name when making an HTTP request to the API?
Figured it out - I needed to add the container using a query parameter:
?container=nginx
Working Example:
curl -k -H "Authorization: Bearer my-super-secret-token" "https://kubernetes/api/v1/namespaces/default/pods/my-app-1/log?container=nginx"
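As an added example (not from the thread), the same flow in Python: request the log, and when the API returns the 400 Status shown above, parse the container names out of its message and fetch each container's log with the ?container= parameter. The Status body is a constructed copy of the one in the question; the fetch callable is injectable so the logic runs without a cluster.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode

# Constructed sample: the 400 Status body the question above got back for a two-container pod.
SAMPLE_STATUS = json.dumps({
    "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
    "message": "a container name must be specified for pod my-app-1, choose one of: [nginx php-fpm]",
    "reason": "BadRequest", "code": 400})

def log_url(base, namespace, pod, container=None, **opts):
    """Pod log URL; the container name (and options such as tailLines) go in the query string."""
    params = dict(opts)
    if container:
        params["container"] = container
    url = f"{base}/api/v1/namespaces/{quote(namespace)}/pods/{quote(pod)}/log"
    return url + ("?" + urlencode(params) if params else "")

def containers_from_status(body):
    """Pull the container names out of the 'choose one of: [a b]' BadRequest message."""
    msg = json.loads(body).get("message", "")
    start, end = msg.find("["), msg.find("]")
    return msg[start + 1:end].split() if 0 <= start < end else []

def fetch_all_logs(base, namespace, pod, token, fetch=None):
    """Return {container: log}: try the bare URL, and on the 400 Status above ask per container."""
    fetch = fetch or _http_get  # injectable so the flow can be exercised without a cluster
    status, body = fetch(log_url(base, namespace, pod), token)
    if status == 200:
        return {"": body}  # single-container pod: no name needed
    if status != 400:
        raise RuntimeError(f"HTTP {status}: {body}")
    logs = {}
    for name in containers_from_status(body):
        status, body = fetch(log_url(base, namespace, pod, container=name, tailLines=100), token)
        if status != 200:
            raise RuntimeError(f"HTTP {status} for container {name}: {body}")
        logs[name] = body
    return logs

def _http_get(url, token):
    """GET with a bearer token; TLS is verified against the default trust store (no curl -k)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()
```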
Small question regarding HashiCorp Vault please.
I have a secret in Vault, under cubbyhole/mytestkey
If I log in to the web UI, I can see the key mytestkey and its value under cubbyhole.
If I use the Vault CLI, running vault read /cubbyhole/mytestkey, I do get the result:
vault read /cubbyhole/mytestkey
Key          Value
---          -----
mytestkey    mytestvalue
However, when I use curl (the token should be correct, since I used it to connect to the Vault web UI), I get:
curl -vik -H "X-Vault-Token: token" https://remote-vault/cubbyhole/mytestkey
HTTP 404
May I ask what the issue is with my curl command? A path issue? And what would the correct one be?
Thank you
Your REST API endpoint is missing the port and the version of the API. You can update it to:
curl -vik -H "X-Vault-Token: token" https://remote-vault:8200/v1/cubbyhole/mytestkey
and modify the port if running on the non-default 8200.
You can find more information in the relevant documentation.
I am wondering how I can create a kube config file for my Kubernetes cluster programmatically so I can use it with kubectl in IBM Cloud.
To generate a kube config file to use with kubectl, you can do the following via curl.
First you will need to get your bearer and refresh token. There are a couple of ways to do this. If you have an API key you can generate your tokens here.
Once you have your tokens you can call the following API.
POST https://containers.cloud.ibm.com/global/v1/clusters/clusterid/config.
That will give you a zipped file with the kube config and relevant certificates.
curl --location --request GET 'https://containers.cloud.ibm.com/global/v1/clusters/xxx/config' \
--header 'Authorization: mybearertoken' \
--header 'X-Auth-Refresh-Token: myrefreshtoken' --output kubeconfig.zip
Replace mybearertoken and myrefreshtoken with the correct values from here.
I am implementing Vault for storing and accessing the secrets for my Docker containers on another VM by installing Vault in that Docker container as well.
Is there any way that I could access secrets from my Docker containers on another machine without installing hashicorp-vault in those containers?
In order to access secrets from Vault you will need to authenticate, retrieve a Vault token and access the relevant secrets.
There are multiple authentication methods (user/pass, LDAP, JWT...). Read about it here and decide which method fits your needs.
Vault exposes a REST API, which means that you don't need to install anything in order to access it. Just send the relevant HTTP request.
For example, here is the KV HTTP API (and an example to list secrets):
$ curl \
--header "X-Vault-Token: ..." \
--request LIST \
https://127.0.0.1:8200/v1/secret/metadata/my-secret
You can add multiple listeners in the Vault config:
listener "tcp" {
  address = "127.0.0.1:8200"
}
listener "tcp" {
  address       = "<your_server_ip>:8200"
  tls_cert_file = "path/to/certfile"
  tls_key_file  = "path/to/keyfile"
}
References
https://www.vaultproject.io/docs/configuration/listener/tcp.html
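An added example (not code from either Vault thread above) that serves both: a minimal standard-library client for Vault's HTTP API that builds URLs with the port 8200 and /v1/ prefix the cubbyhole 404 answer points out, logs in with the userpass auth method, and reads or lists secrets with the X-Vault-Token header. The transport is injectable; the hostnames and the userpass credentials are assumptions.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

def vault_url(addr, path):
    """Turn a Vault address plus secret path into the HTTP API URL: add the default port 8200
    if none was given and the /v1/ prefix, so 'https://remote-vault' + 'cubbyhole/mytestkey'
    becomes 'https://remote-vault:8200/v1/cubbyhole/mytestkey' (the fix from the 404 thread)."""
    parts = urlsplit(addr if "://" in addr else "https://" + addr)
    netloc = parts.netloc if ":" in parts.netloc else parts.netloc + ":8200"
    return urlunsplit((parts.scheme, netloc, "/v1/" + path.strip("/"), "", ""))

def login_userpass(addr, username, password, transport=None):
    """userpass auth method: POST auth/userpass/login/<user> yields auth.client_token."""
    url = vault_url(addr, f"auth/userpass/login/{username}")
    code, data = (transport or _http)("POST", url, {}, {"password": password})
    if code != 200:
        raise RuntimeError(f"login failed: HTTP {code}")
    return data["auth"]["client_token"]

def read_secret(addr, token, path, transport=None):
    """GET /v1/<path> with X-Vault-Token; cubbyhole and KV v1 return the pairs under 'data'."""
    code, data = (transport or _http)("GET", vault_url(addr, path), {"X-Vault-Token": token}, None)
    if code == 404:
        raise KeyError(path)  # missing secret, wrong mount, or a URL without /v1 all give 404
    if code != 200:
        raise RuntimeError(f"read failed: HTTP {code}")
    return data["data"]

def list_secrets(addr, token, path, transport=None):
    """LIST /v1/<path> (Vault's custom verb, as in the curl above) returns data.keys."""
    code, data = (transport or _http)("LIST", vault_url(addr, path), {"X-Vault-Token": token}, None)
    if code != 200:
        raise RuntimeError(f"list failed: HTTP {code}")
    return data["data"]["keys"]

def _http(method, url, headers, body):
    """Real transport: JSON over HTTPS, verified against the system trust store (no curl -k)."""
    data = json.dumps(body).encode() if body is not None else None
    if data is not None:
        headers = {**headers, "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}
```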
I'm writing an application to monitor a Kubernetes cluster running on Google Container Engine. On the host where my application is deployed, there is no kubectl or gcloud CLI, nor are they allowed to be installed. So I am trying to do everything through the REST API.
For creating the cluster through REST, I can use GCE Rest API with bearer token retrieved from Google OAuth Playground. Something like:
curl -i -X GET -H "Accept: application/json" -H "Content-Type: application/json" -H "Content-Length: 0" -H "Authorization: Bearer $MyBearerToken" https://container.googleapis.com/v1/projects/$PROJECT_ID/zones/$ZONE/serverconfig
I can also find the Kubernetes REST API reference here. So my question is: how do I retrieve, say, pod information from my GCE Kubernetes cluster using the REST API, and the REST API only?
I tried with kubectl get pods --v=8, and it's using GET https://${Kubenetes_IP}/api/v1/namespaces/default/pods. But when I use the same API endpoint with curl and my GCE bearer token, it gives me an Unauthorized error message.
# curl --insecure -H "Authorization: Bearer $MyBearerToken" https://${Kubenetes_IP}/api/v1/namespaces/default/pods
Unauthorized
I am guessing this is because I need to use a different bearer token, or some other authentication method. I am wondering if anyone has a quick programmatic one-liner (without resorting to kubectl or gcloud)?
Reference
This answer affirms that there is a way using a bearer token, but didn't give a pointer or example.
This answer also seems promising, but all the links provided are broken (and the APIs are deprecated as well).
This answer assumes kubectl and gcloud are installed, which is not allowed in my current use case.
The token can be retrieved from the Google OAuth Playground.
Kubernetes can be reached via the REST API with the following curl command:
# curl --insecure -H "Authorization: Bearer $MyBearerToken" https://${Kubenetes_IP}/api/v1/namespaces/default/pods
The Kubernetes master IP can be retrieved with kubectl get pods --v=8, and it could probably be retrieved somewhere in the GCE web GUI as well.
The full Kubernetes REST API can be found here.
Make sure the token has not expired yet; I think right now the default TTL is 1 hour.
When you authorize the OAuth2 playground to give you a token, it exchanges an Authorization Code for a Refresh Token and an Access Token.
The Access Token (from the OAuth2 playground) is valid for 1 hour.
The Refresh Token is a long-lived credential that is used to obtain new Access Tokens from the Authorization Server.
If you try to authenticate to the "Resource Owner" (in this case, Kubernetes) with an expired access token, it will respond with an HTTP 401 error.
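An added example (not from the thread) of the token lifecycle the last answer describes: a small client that calls the cluster API with the OAuth2 access token and, on the HTTP 401 an expired token produces, exchanges the long-lived refresh token for a new access token at Google's token endpoint and retries. The OAuth client id and secret, the API server address and the use of a CA file instead of --insecure are assumptions; the transport is injectable so the 401-then-refresh path can be exercised offline.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth2 token endpoint

class GkeApiClient:
    """Calls the cluster API with a Google OAuth2 access token; on a 401 (expired access token,
    1 h default TTL) it obtains a new one with the refresh token and retries once."""
    def __init__(self, api_server, access_token, refresh_token, client_id, client_secret,
                 ca_file=None, transport=None):
        self.api_server = api_server.rstrip("/")
        self.access_token = access_token
        self._refresh = (refresh_token, client_id, client_secret)
        self.ca_file = ca_file  # cluster CA bundle; None falls back to the system trust store
        self.transport = transport or _http  # injectable so the 401 path can be tested offline
        self.refreshes = 0

    def refresh_access_token(self):
        """grant_type=refresh_token exchange at the token endpoint; the refresh token is long-lived."""
        refresh_token, client_id, client_secret = self._refresh
        form = urllib.parse.urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                                       "client_id": client_id, "client_secret": client_secret}).encode()
        code, body = self.transport("POST", GOOGLE_TOKEN_URL,
                                    {"Content-Type": "application/x-www-form-urlencoded"}, form, None)
        if code != 200:
            raise RuntimeError(f"token refresh failed: HTTP {code}: {body}")
        self.access_token = json.loads(body)["access_token"]
        self.refreshes += 1

    def get(self, path):
        """GET a path such as /api/v1/namespaces/default/pods; retries once after a 401."""
        for attempt in (1, 2):
            headers = {"Authorization": f"Bearer {self.access_token}", "Accept": "application/json"}
            code, body = self.transport("GET", self.api_server + path, headers, None, self.ca_file)
            if code == 401 and attempt == 1:
                self.refresh_access_token()
                continue
            if code != 200:
                raise RuntimeError(f"HTTP {code}: {body}")
            return json.loads(body)

def _http(method, url, headers, data, ca_file):
    """Real transport: TLS verified against ca_file (or the system store) instead of --insecure."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=ca_file), timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()
```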