Several ways to access the k8s HTTPS API with curl: certificates and tokens

[root@localhost ~]# curl  https://172.16.10.87:6443/api/v1/namespaces
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

This is because the CA certificate is missing. On the cluster master, fetch the CA certificate with the following command:

kubectl get secret \
    $(kubectl get secrets | grep default-token | awk '{print $1}') \
    -o jsonpath="{['data']['ca\.crt']}" | base64 --decode

As for my certificate: because the k8s cluster was deployed by Rancher, all certificates were generated by Rancher.

[root@localhost ssl]# curl --cacert /etc/kubernetes/ssl/kube-ca.pem  --cert /etc/kubernetes/ssl/kube-apiserver.pem --key  /etc/kubernetes/ssl/kube-apiserver-key.pem   https://172.16.10.87:6443/api
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "172.16.10.87:6443"
    }
  ]
}
[root@localhost ssl]# curl --cacert /etc/kubernetes/ssl/kube-ca.pem --cert /etc/kubernetes/ssl/kube-apiserver.pem --key /etc/kubernetes/ssl/kube-apiserver-key.pem https://172.16.10.87:6443/api/v1/namespaces
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "namespaces is forbidden: User \"kube-apiserver\" cannot list resource \"namespaces\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "namespaces"
  },
  "code": 403
}

But the permissions are insufficient: the kube-apiserver client certificate identifies the user "kube-apiserver", which cannot list namespaces. You need to generate your own token: create a ServiceAccount and bind it to cluster-admin to get full privileges.

This is because no access token belonging to a ServiceAccount was presented. Create a ServiceAccount:

kubectl create serviceaccount wubo-sa -n kube-system

Bind that account to the cluster-admin ClusterRole:

kubectl create clusterrolebinding wubo-sa-binding --clusterrole=cluster-admin --serviceaccount=kube-system:wubo-sa -n kube-system

Get the access token for that account:

kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep wubo-sa  | awk '{print $1}')

TOKEN="<the token obtained above>"

Connect to the cluster with curl, passing the access token:

curl --cacert ca.crt -H "Authorization: Bearer $TOKEN"  https://k8s-api:6443

Connection successful:

[root@localhost ~]# curl --cacert /etc/kubernetes/ssl/kube-ca.pem  -H "Authorization: Bearer $TOKEN"   https://172.16.10.87:6443/api/v1/namespaces
{
  "kind": "NamespaceList",
  "apiVersion": "v1",
  "metadata": {
    "selfLink": "/api/v1/namespaces",
    "resourceVersion": "3298896"
  },
  "items": [
    {
      "metadata": {
        "name": "cattle-system",
        "selfLink": "/api/v1/namespaces/cattle-system",
        "uid": "fff268f0-97d1-4e96-bf0f-99968866c25c",
        "resourceVersion": "1015",
        "creationTimestamp": "2021-12-01T05:37:59Z",
        "labels": {
          "field.cattle.io/projectId": "p-mr2hv"
        },
        "annotations": {
          "cattle.io/status": "{\"Conditions\":[{\"Type\":\"ResourceQuotaInit\",\"Status\":\"True\",\"Message\":\"\",\"LastUpdateTime\":\"2021-12-01T05:38:07Z\"},{\"Type\":\"InitialRolesPopulated\",\"Status\":\"True\",\"Message\":\"\",\"LastUpdateTime\":\"2021-12-01T05:38:12Z\"}]}",
          "field.cattle.io/projectId": "c-t5kwm:p-mr2hv",
          "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Namespace\",\"metadata\":{\"annotations\":{},\"name\":\"cattle-system\"}}\n",
          "lifecycle.cattle.io/create.namespace-auth": "true"
        },
        "finalizers": [
          "controller.cattle.io/namespace-auth"
        ]
      },
      "spec": {
        "finalizers": [
          "kubernetes"
        ]
      },
      "status": {
        "phase": "Active"
      }
    },
    {
      "metadata": {
        "name": "default",
        "selfLink": "/api/v1/namespaces/default",
        "uid": "5afcefbf-a3c0-4355-b836-56817021b10c",
        "resourceVersion": "1008",
        "creationTimestamp": "2021-12-01T05:37:10Z",
        "labels": {
          "field.cattle.io/projectId": "p-vqvrc"
        },
        "annotations": {
          "cattle.io/status": "{\"Conditions\":[{\"Type\":\"ResourceQuotaInit\",\"Status\":\"True\",\"Message\":\"\",\"LastUpdateTime\":\"2021-12-01T05:38:07Z\"},{\"Type\":\"InitialRolesPopulated\",\"Status\":\"True\",\"Message\":\"\",\"LastUpdateTime\":\"2021-12-01T05:38:12Z\"}]}",
          "field.cattle.io/projectId": "c-t5kwm:p-vqvrc",
          "lifecycle.cattle.io/create.namespace-auth": "true"
        },
        "finalizers": [
          "controller.cattle.io/namespace-auth"
        ]
      },
      "spec": {
        "finalizers": [
          "kubernetes"
        ]
      },
      "status": {

The three things needed to connect to the cluster:
1) the control plane address (API server address)
2) the cluster CA certificate
3) a ServiceAccount token (the access token for the API server)

===================================================

Most K8s API resource types are "objects", representing concrete instances of a concept on the cluster, such as a pod or a namespace. A few API resource types are virtual; they usually represent operations rather than objects, for example permission checks. All objects have a unique name to allow idempotent creation and retrieval, but a virtual resource type may not have a unique name if it is not retrievable or does not rely on idempotency.

1. Accessing via kubectl proxy

1.1. Listening locally

Start kubectl proxy. With no arguments it listens only on localhost over plain HTTP and asks the caller for no credentials: the proxy itself authenticates to the API server with your kubeconfig.

[root@localhost ~]# kubectl proxy
Starting to serve on 127.0.0.1:8001

Verify API access:

[root@localhost ~]# curl http://127.0.0.1:8001

But the access doesn't work, and I don't know why:

[root@localhost ~]# curl http://127.0.0.1:8001/api
404 page not found

1.2. Listening on the network

Start kubectl proxy bound to the NIC's IP so that other machines can reach it; --accept-hosts='^*$' accepts requests from any host, otherwise they are rejected as unauthorized. Anyone who can reach that port then calls the API server with the proxy's kubeconfig identity and no authentication of their own, so keep it bound to a trusted network.

[root@localhost ~]# kubectl proxy --address='172.16.10.87'  --accept-hosts='^*$' --port=9999   
Starting to serve on 172.16.10.87:9999

Verification is the same as in 1.1.

2. Accessing the API directly

2.1. Get the cluster name and API address

[root@localhost ~]# kubectl config view -o jsonpath='{"Cluster name\tServer\n"}{range .clusters[*]}{.name}{"\t"}{.cluster.server}{"\n"}{end}'
Cluster name	Server
jettech	https://172.16.10.87:8443/k8s/clusters/c-t5kwm
jettech-172.16.10.87	https://172.16.10.87:6443

[root@localhost ~]#  export CLUSTER_NAME="jettech"

[root@localhost ~]# APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")

[root@localhost ~]# echo $APISERVER
https://172.16.10.87:8443/k8s/clusters/c-t5kwm

2.2. Access with a ServiceAccount

Create a ServiceAccount and bind it to the cluster-admin ClusterRole:

[root@localhost ~]# kubectl create serviceaccount  sa-wubo
serviceaccount/sa-wubo created
[root@localhost ~]# kubectl create clusterrolebinding   sa-wubo-cluster-admin --clusterrole='cluster-admin' --serviceaccount=default:sa-wubo
clusterrolebinding.rbac.authorization.k8s.io/sa-wubo-cluster-admin created

[root@localhost ~]# kubectl get sa | grep wubo
sa-wubo   1         24s

Inspect the SA:
[root@localhost ~]# kubectl describe sa sa-wubo
Name:                sa-wubo
Namespace:           default
Labels:              <none>
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   sa-wubo-token-ggp2h
Tokens:              sa-wubo-token-ggp2h
Events:              <none>

Inspect the ClusterRoleBinding:
[root@localhost ~]# kubectl get clusterrolebinding | grep sa-wubo-cluster-admin
sa-wubo-cluster-admin                                  44s
[root@localhost ~]# kubectl describe clusterrolebinding  sa-wubo-cluster-admin
Name:         sa-wubo-cluster-admin
Labels:       <none>
Annotations:  <none>
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind            Name     Namespace
  ----            ----     ---------
  ServiceAccount  sa-wubo  default

Inspect the secrets. When an SA is created, a token secret is created for it automatically (on Kubernetes 1.24 and later this no longer happens; use kubectl create token to obtain a short-lived token instead). Both the SA and the secret are namespaced, e.g.:
[root@localhost ~]# kubectl get secrets --all-namespaces | grep wubo
default           sa-wubo-token-ggp2h                              kubernetes.io/service-account-token   3      3m10s
kube-system       wubo-admin-token-2twrk                           kubernetes.io/service-account-token   3      22h


[root@localhost ~]# kubectl get secrets
NAME                  TYPE                                  DATA   AGE
default-token-db9qp   kubernetes.io/service-account-token   3      15d
sa-wubo-token-ggp2h   kubernetes.io/service-account-token   3      118s
[root@localhost ~]# kubectl get secrets | grep sa-wubo-token-ggp2h
sa-wubo-token-ggp2h   kubernetes.io/service-account-token   3      2m4s
[root@localhost ~]# kubectl describe secrets sa-wubo-token-ggp2h
Name:         sa-wubo-token-ggp2h
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: sa-wubo
              kubernetes.io/service-account.uid: a182ecb9-8ddf-42f0-b1c9-4a45c63066c2

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1017 bytes
namespace:  7 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6Ikt0R3c2S1lTTUxKQUVNX3U0OWpzSS1iN2NYcnRXcE5aRWlCdjZYa2xuaWMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InNhLXd1Ym8tdG9rZW4tZ2dwMmgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoic2Etd3VibyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImExODJlY2I5LThkZGYtNDJmMC1iMWM5LTRhNDVjNjMwNjZjMiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnNhLXd1Ym8ifQ.d-N3sRybudYaolQBtDeh4mS3k5BvTTYD5J4jqEVKqkRtLccg4KYA9vN_7zhqwbBE3IaY5oWlecwfz_G3a-f4g04SLum5mgGWq05U14lohIwzyGQiCrOPFjP9zWj6RqqNk9yS1_rjf9vCkV7nIIv1jKfWjLnoCaUvbpz5whCeOLgckKch87HYjfjrcqC0uWschhfKXJyLyJo3xUhIoOy0AgXmI0GKXEFRuir1A-fSbd-Kv5Ze8GTI1uIn1P4vS4chGBVthWQxIqT1tBm-PCxkr9LvlPj3XzaxU_qTKOEeZEjghjVUwW2weq9OwrcPP6ztgnLAHpy1bK_51gVEXSLs1w

Get the token from the secret of ServiceAccount sa-wubo:

[root@localhost ~]# TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='sa-wubo')].data.token}"|base64 -d)
[root@localhost ~]# echo $TOKEN
eyJhbGciOiJSUzI1NiIsImtpZCI6Ikt0R3c2S1lTTUxKQUVNX3U0OWpzSS1iN2NYcnRXcE5aRWlCdjZYa2xuaWMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InNhLXd1Ym8tdG9rZW4tZ2dwMmgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoic2Etd3VibyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImExODJlY2I5LThkZGYtNDJmMC1iMWM5LTRhNDVjNjMwNjZjMiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnNhLXd1Ym8ifQ.d-N3sRybudYaolQBtDeh4mS3k5BvTTYD5J4jqEVKqkRtLccg4KYA9vN_7zhqwbBE3IaY5oWlecwfz_G3a-f4g04SLum5mgGWq05U14lohIwzyGQiCrOPFjP9zWj6RqqNk9yS1_rjf9vCkV7nIIv1jKfWjLnoCaUvbpz5whCeOLgckKch87HYjfjrcqC0uWschhfKXJyLyJo3xUhIoOy0AgXmI0GKXEFRuir1A-fSbd-Kv5Ze8GTI1uIn1P4vS4chGBVthWQxIqT1tBm-PCxkr9LvlPj3XzaxU_qTKOEeZEjghjVUwW2weq9OwrcPP6ztgnLAHpy1bK_51gVEXSLs1w

Access the API with the token

The following is the non-Rancher form; it does not work here, because the APISERVER obtained above is Rancher's address rather than the k8s API server's:
[root@localhost ~]# curl --header "Authorization: Bearer $TOKEN" --insecure  -X GET $APISERVER/api/v1/namespaces/test/pods?limit=1
[root@localhost ~]# curl --header "Authorization: Bearer $TOKEN" --insecure  -X GET $APISERVER/api/v1/namespaces/default/pods?limit=1
[root@localhost ~]# curl --header "Authorization: Bearer $TOKEN" --insecure  -X GET $APISERVER/api/v1/namespaces/kube-system/pods?limit=1

The HTTPS form with CA verification; the root CA certificate here is the one generated when I deployed k8s through Rancher 2:
[root@localhost ~]# curl --cacert /etc/kubernetes/ssl/kube-ca.pem  -H "Authorization: Bearer $TOKEN"   https://172.16.10.87:6443/api/v1/namespaces

[root@localhost ~]# curl --header "Authorization: Bearer $TOKEN" --insecure -X GET https://172.16.10.87:6443/api/v1/namespaces/test/pods?limit=1

Although a ServiceAccount belongs to a namespace, that does not restrict this token: the ClusterRoleBinding to cluster-admin lets it access resources in every namespace.
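What the token actually carries, as an added example that is not part of the original post: decode the JWT's claims (without verifying the signature, which only the API server can do) and read the namespace and ServiceAccount off the sub claim. The token used here is a constructed sample with the same claim layout as the one above and a dummy signature.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_sa_token(token: str) -> dict:
    """Return the header 'alg' plus the claims of a ServiceAccount JWT.

    The signature is NOT verified here: only the API server holds the key.
    This is for inspecting which identity a token carries before you use it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return {"alg": header.get("alg"), **claims}


def sa_identity(claims: dict) -> tuple:
    """(namespace, name) of the ServiceAccount named in the 'sub' claim."""
    prefix = "system:serviceaccount:"
    sub = claims.get("sub", "")
    if not sub.startswith(prefix):
        raise ValueError(f"not a ServiceAccount token: sub={sub!r}")
    namespace, name = sub[len(prefix):].split(":", 1)
    return namespace, name


def is_legacy_nonexpiring(claims: dict) -> bool:
    """Secret-based SA tokens (as in the text) carry no 'exp' claim and never
    expire on their own; tokens from the TokenRequest API do carry one."""
    return "exp" not in claims


def make_sample_token() -> str:
    """Constructed sample with the same claim layout as the token above;
    the signature segment is a dummy and would not verify."""
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "sample-kid"}
    claims = {
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/secret.name": "sa-wubo-token-ggp2h",
        "kubernetes.io/serviceaccount/service-account.name": "sa-wubo",
        "sub": "system:serviceaccount:default:sa-wubo",
    }
    return f"{enc(header)}.{enc(claims)}.dummy-signature"


if __name__ == "__main__":
    claims = decode_sa_token(make_sample_token())
    print("sub:", claims["sub"], "-> namespace, name:", sa_identity(claims))
    print("non-expiring legacy token:", is_legacy_nonexpiring(claims))
```

Pass the real token from $TOKEN to decode_sa_token to inspect it the same way; a token with no exp claim is a long-lived credential and should be treated like a password.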

2.3. Access with a user account

Create a certificate for user wubo, signed by the cluster CA. The CN is the username. (Use -sha256: newer API servers, built with Go 1.18 or later, reject certificates signed with SHA-1.)

[root@localhost work]# openssl genrsa -out wubo.key 2048
[root@localhost work]# openssl req -new -key wubo.key -out wubo.csr -subj "/CN=wubo"
[root@localhost work]# cp /etc/kubernetes/ssl/{kube-ca-key.pem,kube-ca.pem} .
[root@localhost work]# openssl x509 -req -in wubo.csr -out wubo.crt -sha256 -CA kube-ca.pem -CAkey kube-ca-key.pem -CAcreateserial -days 3650

Create the role getpods, then a RoleBinding between user wubo and role getpods:

[root@localhost work]# kubectl create role getpods --verb=get --verb=list --resource=pods
[root@localhost work]# kubectl create rolebinding wubo-getpods --role=getpods --user=wubo --namespace=default

Verify that access works:

[root@localhost work]# curl --cert /etc/kubernetes/pki/wubo.crt   -X GET $APISERVER/api/v1/namespaces/default/pods?limit=1 --key /etc/kubernetes/pki/wubo.key  --insecure

Verify that user wubo has no permission in namespace kube-system:

curl --cert /etc/kubernetes/pki/wubo.crt   -X GET $APISERVER/api/v1/namespaces/kube-system/pods?limit=1 --key /etc/kubernetes/pki/wubo.key  --insecure
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "pods is forbidden: User \"wubo\" cannot list resource \"pods\" in API group \"\" in the namespace \"kube-system\"",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}

3. Common API resources

Below are the URL path patterns for common resources; replacing /apis/GROUP/VERSION/ with /api/v1/ addresses the core API group:

/apis/GROUP/VERSION/RESOURCETYPE
/apis/GROUP/VERSION/RESOURCETYPE/NAME
/apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE
/apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME
/apis/GROUP/VERSION/RESOURCETYPE/NAME/SUBRESOURCE
/apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME/SUBRESOURCE

View the deployments resource in the extensions API group (extensions/v1beta1 Deployments were removed in Kubernetes 1.16; on current clusters use /apis/apps/v1):

curl --header "Authorization: Bearer $TOKEN" --insecure  -X GET https://172.16.10.87:6443/apis/extensions/v1beta1/namespaces/kube-system/deployments

View the pods resource in the core API:

curl --header "Authorization: Bearer $TOKEN" --insecure  -X GET https://172.16.10.87:6443/api/v1/namespaces/kube-system/pods/

3.1. Use watch to continuously monitor resource changes

First read the collection's current resourceVersion, then open a watch from it. Quote the URL: an unquoted & sends curl to the background instead of passing resourceVersion.

[root@localhost work]# curl --header "Authorization: Bearer $TOKEN" --insecure -X GET https://172.16.10.87:6443/api/v1/namespaces/test/pods
    "resourceVersion": "3508026"
[root@localhost work]# curl --header "Authorization: Bearer $TOKEN" --insecure -X GET "https://172.16.10.87:6443/api/v1/namespaces/test/pods?watch=1&resourceVersion=2563046"

3.2. View the first n resources

[root@localhost work]# curl -s --header "Authorization: Bearer $TOKEN" --insecure -X GET https://172.16.10.87:6443/api/v1/namespaces/kube-system/pods?limit=1 | grep continue
    "continue": "eyJ2IjoibWV0YS5rOHMuaW8vdjEiLCJydiI6MzUwODczMCwic3RhcnQiOiJjYWxpY28ta3ViZS1jb250cm9sbGVycy03ODQ2NzQ3NmIteHNtYm5cdTAwMDAifQ",

Use the continue token to fetch the next n resources (the URL is quoted so the shell does not treat & as a background operator):

[root@localhost work]# curl --header "Authorization: Bearer $TOKEN" --insecure -X GET "https://172.16.10.87:6443/api/v1/namespaces/kube-system/pods?limit=1&continue=eyJ2IjoibWV0YS5rOHMuaW8vdjEiLCJydiI6MzUwODczMCwic3RhcnQiOiJjYWxpY28ta3ViZS1jb250cm9sbGVycy03ODQ2NzQ3NmIteHNtYm5cdTAwMDAifQ"
{
  "kind": "PodList",
  "apiVersion": "v1",
  "metadata": {
    "selfLink": "/api/v1/namespaces/kube-system/pods",
    "resourceVersion": "3508922",
    "continue": "eyJ2IjoibWV0YS5rOHMuaW8vdjEiLCJydiI6MzUwODkyMiwic3RhcnQiOiJjYWxpY28ta3ViZS1jb250cm9sbGVycy03ODQ2NzQ3NmIteHNtYm5cdTAwMDAifQ",
    "remainingItemCount": 8
  },
  "items": [
    {
      "metadata": {
        "name": "calico-kube-controllers-78467476b-xsmbn",
        "generateName": "calico-kube-controllers-78467476b-",
        "namespace": "kube-system",
        "selfLink": "/api/v1/namespaces/kube-system/pods/calico-kube-controllers-78467476b-xsmbn",
        "uid": "2ac52e44-6cd9-4676-9777-d05512c0ebf4",
        "resourceVersion": "12770",
        "creationTimestamp": "2021-12-01T05:37:40Z",
        "labels": {
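The three elements listed after the first section (API server address, cluster CA, SA token) and the limit/continue walk above, combined in Python as an added example that is not code from the original post. KubeApi, fake_transport and the pod name sample-pod-2 are assumptions made so it runs offline; can_i uses the SelfSubjectAccessReview API, the cluster's own permission check, to answer the question that the 403 probes in 2.3 answer by trial.

```python
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request


class KubeApi:
    """Client from the three elements above (server address, cluster CA file,
    SA bearer token). transport(method, url, body) -> (status, json) is
    injectable for offline use; the default does HTTPS with CA verification on."""

    def __init__(self, server, ca_file, token, transport=None):
        self.server, self.token = server.rstrip("/"), token
        self.ctx = None if transport else ssl.create_default_context(cafile=ca_file)
        self.transport = transport or self._https

    def _https(self, method, url, body):
        req = urllib.request.Request(url, data=body, method=method)
        req.add_header("Authorization", f"Bearer {self.token}")
        if body is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, context=self.ctx) as resp:
                return resp.status, json.loads(resp.read())
        except urllib.error.HTTPError as e:  # 401/403 bodies are Status objects
            return e.code, json.loads(e.read())

    def request(self, method, path, params=None, body=None):
        # urlencode escapes the continue token; no shell, so no unquoted '&' pitfall.
        query = urllib.parse.urlencode(params or {})
        url = self.server + path + ("?" + query if query else "")
        data = None if body is None else json.dumps(body).encode()
        return self.transport(method, url, data)

    def list_all(self, path, limit=1):
        """Walk a collection with ?limit=N&continue=TOKEN until exhausted."""
        items, params = [], {"limit": limit}
        while True:
            status, page = self.request("GET", path, params)
            if status != 200:
                raise RuntimeError(f"{status}: {page.get('message', page)}")
            items.extend(page["items"])
            cont = page.get("metadata", {}).get("continue")
            if not cont:
                return items
            params = {"limit": limit, "continue": cont}

    def can_i(self, verb, resource, namespace=None):
        """SelfSubjectAccessReview: ask what this token may do instead of
        probing with a real call and reading the 403."""
        attrs = {"verb": verb, "resource": resource}
        if namespace:
            attrs["namespace"] = namespace
        body = {"apiVersion": "authorization.k8s.io/v1",
                "kind": "SelfSubjectAccessReview",
                "spec": {"resourceAttributes": attrs}}
        _, review = self.request(
            "POST", "/apis/authorization.k8s.io/v1/selfsubjectaccessreviews", body=body)
        return bool(review.get("status", {}).get("allowed"))


def fake_transport(method, url, body):
    """Constructed stand-in for the API server: two one-item pages of kube-system
    pods; the access review allows only namespace default (like role getpods)."""
    parsed = urllib.parse.urlparse(url)
    if parsed.path.endswith("/selfsubjectaccessreviews"):
        ns = json.loads(body)["spec"]["resourceAttributes"].get("namespace")
        return 201, {"status": {"allowed": ns == "default"}}
    if parsed.path != "/api/v1/namespaces/kube-system/pods":
        return 403, {"kind": "Status", "code": 403, "message": "forbidden"}
    if "continue" not in urllib.parse.parse_qs(parsed.query):
        return 200, {"metadata": {"continue": "page2"},
                     "items": [{"metadata": {"name": "calico-kube-controllers-78467476b-xsmbn"}}]}
    return 200, {"metadata": {}, "items": [{"metadata": {"name": "sample-pod-2"}}]}
```

Against a real cluster, construct KubeApi("https://172.16.10.87:6443", "/etc/kubernetes/ssl/kube-ca.pem", token) without a transport and the same calls go over verified TLS.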

4. Resource types

Resource categories: Workloads, Discovery & LB, Config & Storage, Cluster, Metadata
Resource object parts: Resource ObjectMeta, ResourceSpec, ResourceStatus
Resource operations: create, update (replace & patch), read (get & list & watch), delete, rollback, read/write scale, read/write status

5. Workload operations

Taking a pod as the example to walk through the workloads APIs; below is the pod's YAML file:

[root@localhost work]# cat nginx.yaml 
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: client-container
      image: harbor.jettech.com/jettechtools/nginx:1.21.4

View current pods:

[root@localhost work]# kubectl get pods
NAME    READY   STATUS    RESTARTS   AGE
nginx   1/1     Running   0          97s

5.1. Create a pod

POST /api/v1/namespaces/{namespace}/pods
View current pods:

# kubectl -n test get pods
NAME       READY   STATUS             RESTARTS   AGE

Create the pod via the API:

[root@localhost work]# kubectl create ns test
[root@localhost work]# curl --header "Authorization: Bearer $TOKEN" --insecure --request POST https://172.16.10.87:6443/api/v1/namespaces/test/pods -s -w "状态码是:%{http_code}\n" -o /dev/null -H 'Content-Type: application/yaml' --data 'apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
    - name: client-container
      image: harbor.jettech.com/jettechtools/nginx:1.21.4'

5.2. Delete a pod

DELETE /api/v1/namespaces/{namespace}/pods/{name}
View current pods:

[root@localhost work]# kubectl get pods -n test --show-labels
NAME    READY   STATUS    RESTARTS   AGE     LABELS
nginx   1/1     Running   0          2m59s   <none>

Delete pod nginx:

[root@localhost work]# curl  --header "Authorization: Bearer $TOKEN"  --insecure  --request DELETE https://172.16.10.87:6443/api/v1/namespaces/test/pods/nginx -o /dev/null  -s -w "状态码是:%{http_code}\n"


状态码是:200

Check:

[root@localhost work]# kubectl get pods -n test
NAME    READY   STATUS        RESTARTS   AGE
nginx   0/1     Terminating   0          95s

Status codes
200 OK
202 Accepted
