Sunday, February 14, 2021

Kubernetes - Connecting to k8s cluster - connect using APIs - Day 18

 
Day 18  - Connecting to k8s cluster  - connect using APIs
------------------------------------------------------------
2/13/2021


API -> Program
You don't want to use kubectl; you want to work with the cluster without it.
You want to control your cluster
You want to control API
 
API
- Program
- Roles/Role Binding


You have OS
- Server
     - Program 1 (data)
     - Program2 (mail)
     - Program3  (Webserver)

need
- network connectivity
- IP

using a client PC, you want to access these programs, say program 2 (DB).
you write a program and access the server through that program; these programs are APIs

programs
  - chrome
  - firefox
  - curl
  - kubectl

using protocols (https) you access the server program.

on k8s server, you have
- kube API services (6443)
- program/tomcat 8080

https://IP:port/dir/dir/myfile

Note: when you use a protocol like https and connect to the program using the URL, you ask the program to do something,
and this kind of API is called a REST API. k8s has lots of APIs, each doing something.

Go to your cluster, aws or local.



Using this URL, you can manage your infrastructure, such as manage your pods, deploy, destroy..

all resources on k8s come with their own API

google for "kube api references"

API group

pod,replica set, ....

pod is one kind of resource, program. ....

ip.com/../.../pods

http request ...


-------------------------

You can use kubectl, curl whatever you like.

Search, chat, everything you do these days uses APIs. Being comfortable using APIs is very important these days.

You can use these APIs for multiple purposes. You can use them to connect to third-party tools like Splunk, Grafana and Prometheus.


Login to master node
# kc get pods

Account detail
#  /etc/kubernetes/pki


now, go back to  your local computer
# cd /kubews
# kc get pods --kubeconfig john.kubeconfig

if you review the output, you will see API group "" in it ==> which means john does not have power on that API

but we have assigned power to role tech

# kc get pods --kubeconfig john.kubeconfig -n tech

This is the set up from last class.

---------------------------------------
Now, let's go back to aws env
# kc get pods
we don't want to use kubectl anymore.

Now, get the IP of pod..

http request path

# curl http://ip_of_master_node:6443
# curl http://172.30.90.30:6443
# curl https://172.30.90.30:6443

You need certificate
certificate authority..

# cd /etc/kubernetes/pki

# curl --cacert ca.crt https://172.30.90.30:6443

we got some forbidden error...

the URL does not allow direct connection. You need to go through the login process.

but there are some APIs available which allow an anonymous user to connect
one of these APIs is version
# curl --cacert ca.crt https://172.30.90.30:6443/version

to connect to other APIs

# curl --cacert ca.crt https://172.30.90.30:6443/api/v1/namespaces/default/pods

get the path from document/man page.

we have a room (namespace), and inside the room we have pods

# kc get pods -n default
list pod


# cd /root
# cd .kube
# vi config

look for

server: IP

certificate based authentication, you don't need user/pw

CBA
user -> crt (say admin.crt)
pw   -> key (say admin.key)

one file for the certificate and one for the key, so two files are needed

# curl -h | grep cert
# curl -h | grep key

key in a separate file and cert in a separate file

# cd /etc/kubernetes/pki
# vi /root/.kube/config

copy text..
to copy,
go to the location and put your cursor...
type * then y and $; it will copy from the cursor to the end of the line

Go out of this file and open a new blank file, say admin.crt, and press * and p to paste the copied text.

so admin.crt file is your certificate file..

y - yank - copy
p -paste

# curl --cert admin.crt --key admin.key --cacert ca.crt https://172.30.90.30:6443/api/v1/namespaces/default/pods

got error

when you provide a certificate to any app like curl or another program, you have to provide it in normal format. This cert is in base64-encoded format.

you have to convert this cert. Now, decode it (with the -d flag)

# cat admin.crt | openssl base64 -d
if you get an error, use base64 instead
# cat admin.crt | base64 -d
copy the output.


you see the output, this is the format we have to use.

# cat admin.crt | base64 -d > admin_final.crt  # format curl understands
# cat admin.key | base64 -d > admin_final.key  # format curl understands

# curl --cert admin_final.crt --key admin_final.key --cacert ca.crt https://172.30.90.30:6443/api/v1/namespaces/default/pods

you get lots of data...

pod, and other info like describe command output

this is the output from the default namespace
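
The copy-and-decode steps above can be scripted instead of done by hand in vi. This is an added example, not part of the original class notes: the function names and the sample kubeconfig are constructed for illustration, and it assumes the kubeconfig keeps its credentials in the certificate-authority-data, client-certificate-data and client-key-data fields.

```bash
# Added example: decode the base64 credential fields of a kubeconfig into
# PEM files that curl accepts. Function names and sample data are constructed.

# extract_field KUBECONFIG FIELD OUTFILE: decode the first "FIELD: <base64>" entry.
extract_field() {
    local cfg=$1 field=$2 out=$3 b64
    b64=$(awk -v f="${field}:" '$1 == f { print $2; exit }' "$cfg")
    [ -n "$b64" ] || { echo "missing $field in $cfg" >&2; return 1; }
    # The key is a credential: create the file readable by its owner only.
    ( umask 077; printf '%s' "$b64" | base64 -d > "$out" ) || return 1
    chmod 600 "$out"
    # curl needs PEM text; a file without a PEM header was not decoded correctly.
    head -n 1 "$out" | grep -q '^-----BEGIN ' || { echo "$out is not PEM" >&2; return 1; }
}

# decode_kubeconfig KUBECONFIG OUTDIR: writes ca.crt, admin_final.crt, admin_final.key.
decode_kubeconfig() {
    local cfg=$1 dir=$2
    extract_field "$cfg" certificate-authority-data "$dir/ca.crt" &&
    extract_field "$cfg" client-certificate-data "$dir/admin_final.crt" &&
    extract_field "$cfg" client-key-data "$dir/admin_final.key"
}

# sample_pem LABEL: base64 of a constructed PEM block (placeholder body, not a real key).
sample_pem() {
    printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----" | base64 | tr -d '\n'
}

# make_sample_kubeconfig FILE: constructed kubeconfig shaped like /root/.kube/config.
make_sample_kubeconfig() {
    cat > "$1" <<EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: $(sample_pem CERTIFICATE)
    server: https://172.30.90.30:6443
users:
- name: kubernetes-admin
  user:
    client-certificate-data: $(sample_pem CERTIFICATE)
    client-key-data: $(sample_pem "PRIVATE KEY")
EOF
}

# Run as: ./decode.sh /root/.kube/config OUTDIR, then from OUTDIR:
#   curl --cert admin_final.crt --key admin_final.key --cacert ca.crt \
#        https://172.30.90.30:6443/api/v1/namespaces/default/pods
if [ "$#" -eq 2 ]; then decode_kubeconfig "$1" "$2"; fi
```

Write the output to a directory only your user can read, and remove the decoded key when you are done with it.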

Let's try the tech namespace
# curl --cert admin_final.crt --key admin_final.key --cacert ca.crt https://172.30.90.30:6443/api/v1/namespaces/tech/pods

not much output

# kc get pods -n tech
no output is seen..

We are looking for running PODs.

how do we come to know that we have pods, replicasets, api versions and much more?

go to k8s site and look for other info..

# curl --cert admin_final.crt --key admin_final.key --cacert ca.crt https://172.30.90.30:6443/

You will see lots of api versions like logs, metrics (prometheus - grafana)

log management (ELK, splunk)


you can go further under api folder
# curl --cert admin_final.crt --key admin_final.key --cacert ca.crt https://172.30.90.30:6443/api

you see v1 available

go to v1,
# curl --cert admin_final.crt --key admin_final.key --cacert ca.crt https://172.30.90.30:6443/api/v1

you see further apis..
services, secrets, resources quotas.. pods, pods/proxy


to see a pod's status go to the URL below (POD_NAME is a placeholder for the name of one of your pods)
# curl --cert admin_final.crt --key admin_final.key --cacert ca.crt https://172.30.90.30:6443/api/v1/namespaces/tech/pods/POD_NAME/status

go inside folder and folder .....

/version  /api  /logs  /apis

/version  /readyz  /healthz  /apis        # API Groups

/apis/networking.k8s.io/


# kc get roles -n tech
# kc edit roles -n tech

.....
rules:
- apiGroups:
  - 'apps'
  resources:
  - 'deployments'



