Day 18 - Connecting to k8s cluster - connect using APIs
------------------------------------------------------------
2/13/2021
API -> Program
You don't want to use kubectl; you want to work with the cluster without it.
You want to control your cluster
You want to control API
API
- Program
- Roles/Role Binding
You have OS
- Server
- Program 1 (data)
- Program2 (mail)
- Program3 (Webserver)
need
- network connectivity
- IP
Using a client PC, you want to access these programs, say program 2 (DB).
You write a program and access the server through that program; these programs are API
programs
- chrome
- firefox
- curl
- kubectl
using protocols (https) you access the server program.
on k8s server, you have
- kube API services (6443)
- program/tomcat 8080
https://IP:port/dir/dir/myfile
Note: when you use a protocol like https, connect to the program using the URL, and ask the program to do something,
this kind of API is called a REST API. k8s has lots of APIs doing something..
Go to your cluster, aws or local.
Using this URL, you can manage your infrastructure, such as manage your pod, deploy, destroy..
All resources on k8s come with their own API.
google for "kube api references"
API group
pod,replica set, ....
pod is one kind of resource, program. ....
ip.com/../.../pods
http request ...
-------------------------
You can use kubectl, curl whatever you like.
Search, chat, everything you do these days goes through APIs. Being comfortable using APIs is very important these days.
You can use these APIs for multiple purposes. You can use them to connect to third-party tools like splunk, grafana, prometheus.
Login to master node
# kc get pods
Account detail
# /etc/kubernetes/pki
now, go back to your local computer
# cd /kubews
# kc get pods --kubeconfig john.kubeconfig
if you review the output, you will see API group "" (the core API group) ==> which means you don't have power over that API
but we have assigned power to role tech
# kc get pods --kubeconfig john.kubeconfig -n tech
This is the set up from last class.
---------------------------------------
Now, lets go back to aws env
# kc get pods
we don't want to use kubectl anymore.
Now, get the IP of pod..
http request pat
# curl http://ip_of_master_node:6443
# curl http://172.30.90.30:6443
# curl https://172.30.90.30:6443
You need certificate
certificate authority..
# cd /etc/kubernetes/pki
# curl --cacert ca.crt https://172.30.90.30:6443
we got a forbidden error...
The URL does not allow a direct connection; you need to go through the login process.
But there are some APIs available which allow an anonymous user to connect.
one of the API is version
# curl --cacert ca.crt https://172.30.90.30:6443/version
to connect to other APIs
# curl --cacert ca.crt https://172.30.90.30:6443/api/v1/namespaces/default/pods
get the path from document/man page.
we have room and inside room we, have pod
# kc get pods -n default
list pod
# cd /root
cd .kube
# vi config
look for
server: IP
certificate based authentication, you don't need user/pw
CBA
user - crt --> say admin.crt
pw - key - admin.key
#
one for certificate and one for key. so two files needed
# curl -h | grep cert
# curl -h | grep key
key in a separate file and cert in a separate file
# cd /etc/kubernetes/pki
# vi /root/.kube/config
copy text..
to copy,
go to the location and put your cursor...
type * and type y and $ it will copy from cursor to the end of line
Go out of this file and open a new blank file say admin.crt and press * and p will copy and paste..
so admin.crt file is your certificate file..
y - yank - copy
p -paste
# curl --cert admin.crt --key admin.key --cacert ca.crt https://172.30.90.30:6443/api/v1/namespaces/default/pods
got error
# When you provide a certificate to any app like curl or another program, you have to provide it in the normal format. This cert is in an encoded (base64) format...
You have to convert this cert. Now, decode it (with the -d flag).
# cat admin.crt | openssl base64 -d
if you get error,
or use base64
# cat admin.crt | base64 -d
copy the output.
you see the output, this is the format we have to use.
# cat admin.crt | base64 -d > admin_final.crt # format curl understands
# cat admin.key | base64 -d > admin_final.key # format curl understands
# curl --cert admin_final.crt --key admin_final.key --cacert ca.crt https://172.30.90.30:6443/api/v1/namespaces/default/pods
you get lots of data...
pod, and other info like describe command output
this is output from the default namespace
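The copy-and-decode steps above as one script, as an added example that is not part of the original notes. It assumes the kubeconfig stores the credentials inline under the standard keys certificate-authority-data, client-certificate-data and client-key-data; the function names and the sample kubeconfig (placeholder PEM bodies, not real keys) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): decode the base64 credential
# fields of a kubeconfig into the PEM files that curl expects.

# kube_field FILE KEY: print the decoded value of the first "KEY: <base64>" line.
kube_field() {
    awk -v k="$2:" '$1 == k { print $2; exit }' "$1" | base64 -d
}

# is_pem FILE: succeed only if FILE starts with a PEM header (i.e. it is decoded).
is_pem() {
    head -n 1 "$1" | grep -q '^-----BEGIN '
}

# extract_creds KUBECONFIG OUTDIR: write ca.crt, admin_final.crt, admin_final.key.
extract_creds() {
    (
        umask 077   # the key is the admin credential: owner-only files
        kube_field "$1" certificate-authority-data > "$2/ca.crt"
        kube_field "$1" client-certificate-data    > "$2/admin_final.crt"
        kube_field "$1" client-key-data            > "$2/admin_final.key"
    )
    is_pem "$2/ca.crt" && is_pem "$2/admin_final.crt" && is_pem "$2/admin_final.key"
}

# b64_pem LABEL: base64 of a placeholder PEM block (constructed, not a real key).
b64_pem() {
    printf '%s\n' "-----BEGIN $1-----" CONSTRUCTED "-----END $1-----" | base64 | tr -d '\n'
}

# make_sample_kubeconfig FILE: constructed kubeconfig for trying the script offline.
make_sample_kubeconfig() {
    cat > "$1" <<EOF
clusters:
- cluster:
    certificate-authority-data: $(b64_pem CERTIFICATE)
    server: https://172.30.90.30:6443
users:
- user:
    client-certificate-data: $(b64_pem CERTIFICATE)
    client-key-data: $(b64_pem 'PRIVATE KEY')
EOF
}

# Real use: sh extract.sh /root/.kube/config /some/private/dir
if [ "$#" -eq 2 ]; then
    extract_creds "$1" "$2" && echo "PEM files written to $2"
fi
```

The is_pem check catches the "got error" case from above: a file that is still base64 text does not start with a PEM header.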
Let's try the tech namespace
# curl --cert admin_final.crt --key admin_final.key --cacert ca.crt https://172.30.90.30:6443/api/v1/namespaces/tech/pods
not much output
# kc get pods -n tech
no output is seen..
We are looking for running PODs.
How do we come to know we have pods, replicasets, api versions and much more?
Go to the k8s site and look for other info..
# curl --cert admin_final.crt --key admin_final.key --cacert ca.crt https://172.30.90.30:6443/
You will see lots of api versions like logs, metrics (prometheus - grafana)
log management (ELK, splunk)
you can go further under api folder
# curl --cert admin_final.crt --key admin_final.key --cacert ca.crt https://172.30.90.30:6443/api
you see v1 available
go to v1,
# curl --cert admin_final.crt --key admin_final.key --cacert ca.crt https://172.30.90.30:6443/api/v1
you see further apis..
services, secrets, resources quotas.. pods, pods/proxy
to see pods status go to the URL below
# curl --cert admin_final.crt --key admin_final.key --cacert ca.crt https://172.30.90.30:6443/api/v1/namespaces/tech/pods/status
go inside folder and folder .....
version /api / logs /apis
/versions /readyz / healthz /apis # API Groups
/apis/networking.k8s.io/
# kc get roles -n tech
# kc edit roles -n tech
.....
rules:
- apiGroups:
  - 'apps'
  resources:
  - 'deployments'
Sunday, February 14, 2021