API是什么?
API(Application Programming Interface,应用程序接口): 是一些预先定义的接口(如函数、HTTP接口),或指软件系统不同组成部分衔接的约定。 用来提供应用程序与开发人员基于某软件或硬件得以访问的一组例程,而又无需访问源码,或理解内部工作机制的细节。
K8s API
K8s也提供API接口,提供这个接口的是管理节点的apiserver组件,apiserver服务负责提供HTTP API,以便用户、其他组件相互通信。
有两种方式可以操作K8s中的资源:
K8s认证方式
K8s支持三种客户端身份认证:
- HTTPS 证书认证(kubeconfig):基于CA证书签名的数字证书认证
import os
from kubernetes import client, config
config.load_kube_config(file_path) # 指定kubeconfig配置文件
apps_api = client.AppsV1Api() # 资源接口类实例化
for dp in apps_api.list_deployment_for_all_namespaces().items:
print(dp)
- HTTP Token认证(ServiceAccount):通过一个Token来识别用户
from kubernetes import client, config
configuration = client.Configuration()
configuration.host = "https://192.168.31.61:6443" # APISERVER地址
configuration.ssl_ca_cert="ca.crt" # CA证书
configuration.verify_ssl = True # 启用证书验证
configuration.api_key = {"authorization": "Bearer " + token} # 指定Token字符串
client.Configuration.set_default(configuration)
apps_api = client.AppsV1Api()
获取Token字符串:创建service account并绑定默认cluster-admin管理员集群角色:
# 创建用户
$ kubectl create serviceaccount dashboard-admin -n kube-system
# 用户授权
$ kubectl create clusterrolebinding dashboard-admin --clusterrole=cluster-admin --serviceaccount=kube-system:dashboard-admin
# 获取用户Token
$ kubectl describe secrets -n kube-system $(kubectl -n kube-system get secret | awk '/dashboard-admin/{print $1}')
其他常用资源接口类实例化:
core_api = client.CoreV1Api() # namespace,pod,service,pv,pvc
apps_api = client.AppsV1Api() # deployment
networking_api = client.NetworkingV1beta1Api() # ingress
storage_api = client.StorageV1Api() # storage_class
- HTTP Base认证:用户名+密码的方式认证
示例
Python客户端库
Deployment操作:
# 查询
for dp in apps_api.list_deployment_for_all_namespaces().items:
print(dp.metadata.name)
# 创建
namespace = "default"
name = "api-test"
replicas = 3
labels = {'a':'1', 'b':'2'} # 不区分数据类型,都要加引号
image = "nginx"
body = client.V1Deployment(
api_version="apps/v1",
kind="Deployment",
metadata=client.V1ObjectMeta(name=name),
spec=client.V1DeploymentSpec(
replicas=replicas,
selector={'matchLabels': labels},
template=client.V1PodTemplateSpec(
metadata=client.V1ObjectMeta(labels=labels),
spec=client.V1PodSpec(
containers=[client.V1Container(
name="web",
image=image
)]
)
),
)
)
try:
apps_api.create_namespaced_deployment(namespace=namespace, body=body)
except Exception as e:
status = getattr(e, "status")
if status == 400:
print(e)
print("格式错误")
elif status == 403:
print("没权限")
# 删除
namespace = "default"
name = "api-test"
apps_api.delete_namespaced_deployment(namespace=namespace, name=name)
Service操作:
# 查询
for svc in core_api.list_namespaced_service(namespace="default").items:
print(svc.metadata.name)
# 创建
namespace = "default"
name = "api-test"
selector = {'a':'1', 'b':'2'} # 不区分数据类型,都要加引号
port = 80
target_port = 80
type = "NodePort"
body = client.V1Service(
api_version="v1",
kind="Service",
metadata=client.V1ObjectMeta(
name=name
),
spec=client.V1ServiceSpec(
selector=selector,
ports=[client.V1ServicePort(
port=port,
target_port=target_port
)],
type=type
)
)
core_api.create_namespaced_service(namespace=namespace, body=body)
# 删除
core_api.delete_namespaced_service(namespace=namespace, name=name)
HTTP API
token="eyJhbGciOiJSUzI1NiIsI..."
curl --cacert /etc/kubernetes/pki/ca.crt -H "Authorization: Bearer $token" https://192.168.31.61:6443/api/v1/namespaces/default/pods
curl https://192.168.31.61:6443/api/v1/nodes \
--cacert /etc/kubernetes/pki/ca.crt \
--cert /etc/kubernetes/pki/apiserver-kubelet-client.crt \
--key /etc/kubernetes/pki/apiserver-kubelet-client.key