kubernetes之使用http rest api訪問集羣

系列目錄

在Kubernetes集羣中，API Server是集羣管理API的入口，由運行在Master節點上的一個名爲kube-apiserver的進程提供的服務。 用戶進入API能夠經過kubectl、客戶端庫或者http rest，User 或者 Service Account能夠被受權進入API。當一個請求到達API時， 每每要通過幾個階段的安全控制，在一個典型的應用集羣中，API Server一般會使用自簽名的證書提供HTTPS服務，同時開啓認證與受權等安全機制。

一般，在Kubernetes集羣搭建以後，除了使用官方的kubectl工具與API Server進行交互，咱們還可使用Postman或者curl了，有些時候直接使用curl功能更強大， 與API Server交互一般須要首先建立一個有正確權限的ServiceAccount，這個ServiceAccount經過ClusterRole/Role、ClusterRoleBinding/RoleBinding等給其賦予相關資源的操做權限， 而Service Account對應的Token則用於API Server進行基本的認證。與API Server的交互是基於TLS，因此請求的時候還須要自簽名的證書，固然也能夠非安全方式鏈接API Server， 可是不推薦。

建立ServiceAccount

前面咱們講到過ServiceAccount,它相似於傳統登錄裏的用戶.建立一個ServiceAccount之後,會自動爲它建立一個關聯的secret(密鑰)

咱們建立一個名爲apiviewer的ServiceAccount

[centos@k8s-master ~]$ kubectl create sa apiviewer
serviceaccount/apiviewer created

咱們能夠查看這個sa對應的secret的名字

[centos@k8s-master ~]$ kubectl get sa apiviewer  -ojson
{
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {
        "creationTimestamp": "2019-05-27T08:09:56Z",
        "name": "apiviewer",
        "namespace": "default",
        "resourceVersion": "16750207",
        "selfLink": "/api/v1/namespaces/default/serviceaccounts/apiviewer",
        "uid": "d078f034-8056-11e9-99bc-0050568417a2"
    },
    "secrets": [
        {
            "name": "apiviewer-token-z5bpq"
        }
    ]
}

咱們可使用secretes裏的name去查看這個secretes的值

apiviewer-token-z5bpq[centos@k8s-master ~]$ kubectl describe secret apiviewer-token-z5bpq
Name:         apiviewer-token-z5bpq
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: apiviewer
              kubernetes.io/service-account.uid: d078f034-8056-11e9-99bc-0050568417a2

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFwaXZpZXdlci10b2tlbi16NWJwcSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhcGl2aWV3ZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJkMDc4ZjAzNC04MDU2LTExZTktOTliYy0wMDUwNTY4NDE3YTIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDphcGl2aWV3ZXIifQ.GUd7uCwTntMXhwXEGFvo62tJBTVdI_SNATDIbuxINmbmBI2bjHuQ-whRE5183AXqWiifoM0HjOGoams11f_R2Dtak3fRxPLNRGGFTMyUN1uHmwedPmsAK0GTW0xPgInyIy4SF-uI7lghrpsRzBQ4AmA2AuctwCGdXUC3YuqrZPEnla3HeF6Tz72KpddlgiA3N1T5yvoOHPL4AgQRDPGKJ6L-nEdXumg3BlTWR0ENBNgzAz2eh6RZLRSsKlG0zQ8vhApkMGru7k5a_PKkU3Z3b0ZhKBKmE_LsMJ7bAunr9J9bbG--Id4rnuPpcj1DoJ0ZlJ3G1IP3xTUVncxO_gV4VQ

咱們熟練了可使用一條命令

apiviewer-token-z5bpq[centos@k8s-master ~]$ kubectl describe secret `kubectl get sa apiviewer -ojsonpath='{.secrets[0].name}'`
Name:         apiviewer-token-z5bpq
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: apiviewer
              kubernetes.io/service-account.uid: d078f034-8056-11e9-99bc-0050568417a2

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFwaXZpZXdlci10b2tlbi16NWJwcSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhcGl2aWV3ZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJkMDc4ZjAzNC04MDU2LTExZTktOTliYy0wMDUwNTY4NDE3YTIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDphcGl2aWV3ZXIifQ.GUd7uCwTntMXhwXEGFvo62tJBTVdI_SNATDIbuxINmbmBI2bjHuQ-whRE5183AXqWiifoM0HjOGoams11f_R2Dtak3fRxPLNRGGFTMyUN1uHmwedPmsAK0GTW0xPgInyIy4SF-uI7lghrpsRzBQ4AmA2AuctwCGdXUC3YuqrZPEnla3HeF6Tz72KpddlgiA3N1T5yvoOHPL4AgQRDPGKJ6L-nEdXumg3BlTWR0ENBNgzAz2eh6RZLRSsKlG0zQ8vhApkMGru7k5a_PKkU3Z3b0ZhKBKmE_LsMJ7bAunr9J9bbG--Id4rnuPpcj1DoJ0ZlJ3G1IP3xTUVncxO_gV4VQ

固然,也可使用jq工具

[centos@k8s-master ~]$ kubectl describe secret `kubectl get sa apiviewer -ojson|jq -r  .secrets[].name`
Name:         apiviewer-token-z5bpq
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: apiviewer
              kubernetes.io/service-account.uid: d078f034-8056-11e9-99bc-0050568417a2

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1025 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFwaXZpZXdlci10b2tlbi16NWJwcSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhcGl2aWV3ZXIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJkMDc4ZjAzNC04MDU2LTExZTktOTliYy0wMDUwNTY4NDE3YTIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDphcGl2aWV3ZXIifQ.GUd7uCwTntMXhwXEGFvo62tJBTVdI_SNATDIbuxINmbmBI2bjHuQ-whRE5183AXqWiifoM0HjOGoams11f_R2Dtak3fRxPLNRGGFTMyUN1uHmwedPmsAK0GTW0xPgInyIy4SF-uI7lghrpsRzBQ4AmA2AuctwCGdXUC3YuqrZPEnla3HeF6Tz72KpddlgiA3N1T5yvoOHPL4AgQRDPGKJ6L-nEdXumg3BlTWR0ENBNgzAz2eh6RZLRSsKlG0zQ8vhApkMGru7k5a_PKkU3Z3b0ZhKBKmE_LsMJ7bAunr9J9bbG--Id4rnuPpcj1DoJ0ZlJ3G1IP3xTUVncxO_gV4VQ

建立ClusterRole、RoleBinding

咱們能夠從頭建立一個ClusterRole,可是k8s集羣裏默認也是有若干個ClusterRole的,咱們能夠經過kubectl get clusterrole來查看都有哪些clusterrole,這裏咱們使用一個名爲cluster-admin,把剛建立的ServiceAccount與它綁定

建立RoleBinding的命令以下

[centos@k8s-master ~]$  kubectl create rolebinding apiadmin --clusterrole cluster-admin --serviceaccount default:apiviewer
rolebinding.rbac.authorization.k8s.io/apiadmin created

獲取Bearer Token、Certificate、API Server URL

[centos@k8s-master ~]$ SECRET=$(kubectl get serviceaccount ${SERVICE_ACCOUNT} -ojsonpath='{.secrets[0].name}')

這條命令用於獲取SECRET的名稱,上面咱們已經講到過.

而後咱們就能夠用secret的名稱來獲取token了,前面也是講到過的

TOKEN=$(kubectl get secret ${SECRET} -ojsonpath='{.data.token}'|base64 -d)

使用jsonpath時,咱們須要預先知道json的結構,比較笨可是每每很是有效的辦法是先把整個json所有輸出出來,而後再根據結構截取.

因爲token是通過base64編碼過的,所以須要base64解碼

下面從secret裏把證書提取出來

kubectl get secret ${SECRET} -o jsonpath="{.data['ca\.crt']}" | base64 -d > /tmp/ca.crt

獲取API Server URL，若是API Server部署在多臺Master上，只需訪問其中一臺便可。
APISERVER=https://$(kubectl -n default get endpoints kubernetes --no-headers | awk '{ print $2 }' | cut -d "," -f 1)

經過jq -r提取全部的Pod名字

curl -s $APISERVER/api/v1/namespaces/default/pods/ --header "Authorization: Bearer $TOKEN" \
> --cacert /tmp/ca.crt  | jq -r '.items[].metadata.name'

因爲這裏不是kubectl命令,沒法再直接經過jsonpath過濾結果,這裏咱們使用jq工具來過濾.關於jq工具本章節前面部分也有介紹.想詳細瞭解的童鞋能夠參考一下.