利用curl命令访问Kubernetes API server

kubectl 通过访问 Kubernetes API 来执行命令。我们也可以通过对应的TLS key, 使用curl 或是 golang client做同样的事。

API 请求必须使用 JSON 格式来发送。kubectl 的作用是将 yaml 转换为 JSON 格式进行 API 请求。

1、我们从查看 kubectl 的配置文件开始,需要:三个证书和 API server 的地址:

[root@master work]# cat /root/.kube/config 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpN21jRHpST1dSaXAKMUU3NkYwOFIvdFV6L0kzWE5XcmU4ZEpsNjlUVnhieGdsZHJhQ0V4UC93VVBaTCtJK3NOMGRBMWFtMHRLVzJJKwpVZ21ISi9aU2dIbjUvUTFNZlpCakh0VUFqTDV2VmdSSzRZV05wVnpqK1JCd0YwNWduTUF4TTVCcWRmcEZ2aGI1CkJCRThIUk9xanJIZi82QTdKN2JwTTArMXlBQmZXMGpjcERZcTlsVnRxczU3ZTl4dVdVb2Y1WENPNyszZG5KQXgKa0dxWHNxN1Z1UmsyaUM4TWZBMk9mT3M5RmdNeFpOYk1UcHZZajZ4N3JjM21NTWh5VVQwdktOaTVXanR1UG53eAptd01yeEJqRjhqOUkybVZNZUJzQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJTlc5Y0Ewc0tubm16UmVXTTFMWVhZRWRGWjEKNjIwcUVVeWs0VHV2MmxvZzlWcEtLTzhKOG5iOXdjRVcrWFB2NWYyYmtNbUtsTmxaYzJFOEIzOWloU2NiZzBmQgp4QmdpejAwYmxxMXRNNjBCTmc3d2UwM3ZnOFRlZ1hvZGRkTzd3djB6ZXo3U0tGYmg0d2VCRnN4TFNaWGtwL1VQCkNkc2s4ZllKSG1ZbVhlZ1kvTS9vWTl2OHdlVEgzRXpuWEgxY1RxaytkOVdlUWF3aHVYV3UrVC8zL0Q3dmRQYksKeUNtY3BrdmlCZUlHQXVwR0pDN0JTVzFUb05ra3h2bXRsQVZnYlVmdlh3U0srVDVHZGd0Z2lETGUzSkdHbTM1egpLVHBqWlBWL0lxYzZra1BZNFF1R3FqcFQvelMzaTNrdWI0THlBU1FjZHVNc1hUdG8zTVdmdkZxUWRGST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://172.21.0.15:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lJR1VLN08xdUFIREF3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB4T1RFeU1ETXdOekEzTXpSYUZ3MHlNREV5TURJd056QTNNemhhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQWZoNUl4bndrMHRrdXdabUdnMVU2ckJ4VDgxU0RYbFgvd1kKSGEzU1BWUk9HaElURXFYS08wT09Ia3BkbEpDeGpJUm50Y005UHlybnBXK0NPVlNwb1JQSUpoLzdLWHZKTytDeApDaGk0eXlxc2pxbzE5WHlSUUNoZ2hpNnJHTnFETlVhTVd1STBOM1VUeEh2L3ozQkg2QWdIOVNvL2RKRmZXQnlkCmJzQXUrd0lEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFHTHdDVDloOGtGdHlwazhvNFM4R2pSb0xkSzZLZmhiTXhBZgowVHp3ZlBjVTlaNktyTTZIMmRtZHFGTnk2SHlrbkxWMjd2VjNtbDJ2VXVCaHpuWTJUeFF2YmFNN2drNCtVaERLCnUyY1FjQS9SaEkrYk13T0swZkFYR1RCdmxzZUJuNU1oYzNRMEthTVZURmpGbVIyRFBHaEVZLzN4L3NRbUZHRDIKN0dXUnhEcEZBSWhzUmxjR3RhR2pKdExZTEt0VU1OdlYyVVUyeThXa3NmZ1VJWVpIQXhkajM0UDV1MDQ2eE1lZQpZVlZvQXdsb0QrcjBoT0VKTEtaMi9GRjFOcm51U2xDYVoyYTVFdWFHbzM3TjBBcXVaRGMyS3hYd0N5aUc0K0ppClg2NkNqZjlObFk3ZkNQV1gzY3R0UXg2UUY1bGlTZ2NzYmVpUW9sR2ZwSXRQZ2JtY1Y2WT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBeFM4LzlBVHZlOGxubU5saTNOTWRYN3dUSDBTRmdBQSsvMnZJNVZTMzFKbEVxY3JpCkF0Y1ZZekh2QVpqNURjaE16Z214NWxvMk5kRElNYytqVW12dFFUWHl1em8vOU1HdUp4dEZqTzZVcUZ6YWxUeGkKQkV5Z2ZDU3VISzlXQ1kyNmNJQm1jUjZDaEtoMWl0MHFZblFHbW9seklRV1dhaGYwcWQ4Yk9wcUJzMnZLcWVmaAo1SXhud2swdGt1d1ptR2cxVTZyQnhUODFTRFhsWC93tMXN3RkJBZGZoYnltQ1dmdXkyZG5HY2pac0xJTDFZeGdJcwpKTCtHUU5HU2FNMEQ3bVJYUGdKYnhBblpLZ2V5STFjU1VhTStER0krc3MzcXIvWGU3aDk3YTd1dUdUaWVYcllECnF0d29IK2pCc0J1ZFEyRS80MjB1a3RzUGhqZWZLRWVkbVFaR2JtNC9JWVp3U0xoNWdjNUpBNHNDZ1lFQTRHWUcKUGlNTnVmRjVpZHAvZWNZd25mZmIvR2dmNEVkWHF4cFJTQzZIWjE2OFNGK0JyclFKZWN2RDIva3RWUG52L2JHZgp2N3RWbXduNDhKYlRlYjJCczdIODV6VlAyR0RhYkJPeTBQbGRoSjNpc1ozY1p3L21rWG1QQkNjNEJJOHFKSUl1CmxGM1EyVDJUWThNeXVXM1NEdmFCYWpwaUNuazZOa3pydTFwME1GRUNnWUVBcUhTRm9ZTm5jUjBxVXNMS1VYUkMKRFIzTHQ4djlTT2JkckR5dFFyTS9iaGRkMU8yV0xlbHdqekJSWS9iTWNlaWMrZ2R3QVlLWW40eFVjSklFeDB3cgo3ckNWQlljSXRyTlcvTi9kU21xTzdSVkZnYU9SalJFMlc5dXp2SGw3bWRxRUFQSXhlcWpIU0xmOHZ5Q2w4ZTczClNLR1hXcGo2YzZ1T0tCYmsvdHl3ZHBNQ2dZQkdEOVMzSmQ2dFJiVzYwdHVtTzdrR09WTVlGYktPSmZnN1ZmWTIKNFVBcGlDeWxOQnliWFY3d0JpemF5NHZaMGtlYUlCRk9uY0QyclVCcWJjME5YNXZWYlNjWFVVL2lzU3JCUDgwKwo3ZnpDNFVEY1QvdDJ1a0kwL1kwbnNNOE9yVnh0RmJCUlpwRkVvck1ZSE9RRGZVUnVvNHg0akUzOEV5bVh0cUNMCldJeWFZUUtCZ0Izd3lhZXArWEU2ZlFiR2l6bzV2T0lhMXZkdzhSRFZLbHVMYUg0L0xLRjg4OVEySkt4a014WjEKckxjNVNHN295VVlhZmZZK2J3aGVYMDRpQldPaVFVRnhHZmFkQll3eWZjK3BGRUNGVW1YdFNuZGMzQmNBVCs2Lwp3dnVJNHdDTTgrYysrem53YURXZ3dUeUxTQllaVzFwSkRyTGRHcDROUENlNGNPNjZLVnVXCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==

2、我们将会把证书设为环境变量。在设置时候请检查每一个参数。我们从 client-certificate-data 开始。

export clientcert=$(grep client-cert ~/.kube/config |cut -d" " -f 6)
echo $clientcert

3、使用类似的命令将 client-key-data 保存为环境变量

export clientkey=$(grep client-key-data ~/.kube/config |cut -d" " -f 6)
echo $clientkey

4、然后是 certificate-authority-data

export certauth=$(grep certificate-authority-data ~/.kube/config |cut -d" " -f 6)
echo $certauth

5、加密这些变量,供 curl 使用:

[root@master k8s-cert]# echo $clientcert | base64 -d > ./client.pem
[root@master k8s-cert]# echo $clientkey | base64 -d > ./client-key.pem
[root@master k8s-cert]# echo $certauth | base64 -d > ./ca.pem

6、从配置文件中读取 server 地址:

kubectl config view |grep serverserver: https://172.21.0.15:6443

7、使用 curl 和刚刚加密的密钥文件来访问 API server:

curl --cert ./client.pem --key ./client-key.pem --cacert ./ca.pem https://172.21.0.15:6443/api/v1/pods
上一篇:自建CA及吊销证书


下一篇:openssl命令学习笔记--第一周