3.13 Interacting with the k8s API
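The previous section showed how to pass metadata into a container through environment variables or the Downward API. That approach is simple and easy to use, but it can only pass a subset of the metadata. To obtain more information, use the k8s API approach described in this section: by talking to the K8S API server, a pod can retrieve much more metadata. Creating, querying and deleting pods, services, jobs and other k8s resources are all carried out by interacting with the K8S API server.
1. Finding the K8S API server address
Run the kubectl cluster-info command to get the K8S API server address.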
[root@k8s-master01 ~]# kubectl cluster-info
Kubernetes master is running at https://192.168.137.100:6443
KubeDNS is running at https://192.168.137.100:6443/api/v1/namespaces/kube-
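2. Accessing the K8S API server
This section describes how a pod communicates with the k8s API server through a ServiceAccount. If a pod can read from the k8s API, it can obtain information about other resources in the cluster. The Secret section introduced the role of the ServiceAccount: every pod created without an explicitly specified ServiceAccount uses the default ServiceAccount provided by k8s. The Secret mounted by default in the pod under /var/run/secrets/kubernetes.io/serviceaccount contains the cluster's authentication information. The ServiceAccount uses this information to access the K8S API server, and once the server has authenticated the request it returns the cluster's resource information to the pod.
Before accessing the k8s API server with the default ServiceAccount, the default ServiceAccount must first be authorized. k8s uses the RBAC authorization mechanism by default, which later chapters cover. In this example the following command grants the default ServiceAccount administrator privileges by binding the cluster-admin ClusterRole to the system:serviceaccounts group, which contains every ServiceAccount in the cluster: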
kubectl create clusterrolebinding serviceaccounts-cluster-admin \
--clusterrole=cluster-admin \
--group=system:serviceaccounts
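Because the binding above covers every ServiceAccount in every namespace, it is the kind of grant an RBAC review should surface. The following check is an added example, not code from the original page: it flags such bindings in the output of `kubectl get clusterrolebindings -o json`, and the sample list (including the `job-reader` and `orphaned` entries) is constructed.

```python
import json

# Groups that cover many identities at once. The first is the subject used by
# the binding on this page; "system:serviceaccounts:<namespace>" covers one namespace.
BROAD_GROUPS = {"system:serviceaccounts", "system:authenticated",
                "system:unauthenticated"}

def is_broad_group(subject):
    name = subject.get("name", "")
    return subject.get("kind") == "Group" and (
        name in BROAD_GROUPS or name.startswith("system:serviceaccounts:"))

def broad_bindings(crb_list, role="cluster-admin"):
    """Return (binding name, group) pairs that bind `role` to a broad group."""
    findings = []
    for crb in crb_list.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        for subject in crb.get("subjects") or []:  # subjects may be absent
            if is_broad_group(subject):
                findings.append((crb["metadata"]["name"], subject["name"]))
    return findings

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"metadata": {"name": "cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:masters"}]},
 {"metadata": {"name": "serviceaccounts-cluster-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]},
 {"metadata": {"name": "job-reader"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "ServiceAccount", "name": "default",
                "namespace": "default"}]},
 {"metadata": {"name": "orphaned"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}
]}
""")

if __name__ == "__main__":
    for name, group in broad_bindings(SAMPLE):
        print(f"{name}: cluster-admin bound to group {group}")
```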
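From the point of view of the K8S API server, the pod is a client, and the client should connect using the cluster's certificate. The following command, run in the pod's shell, points curl at the CA certificate from the ServiceAccount mount so that curl can verify the API server's certificate: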
export CURL_CA_BUNDLE=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
To be authorized by the k8s API server, the ServiceAccount also needs its authentication token, which is set with the following command:
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
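Before accessing the k8s API server, its address is needed. kubectl cluster-info already gave the server's location; the virtual address the server is mapped to inside the pod can be obtained with the env command, as shown below: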
[root@k8s-master01 ~]# kubectl exec nginxpod -it -- /bin/sh
# env
MYSERVICE_PORT_8080_TCP_ADDR=10.106.129.199
MYSERVICE_SERVICE_HOST=10.106.129.199
KUBERNETES_SERVICE_PORT=443
KUBERNETES_PORT=tcp://10.96.0.1:443
MYSERVICE_PORT_8080_TCP_PORT=8080
HOSTNAME=nginxpod
MYSERVICE_PORT_8080_TCP_PROTO=tcp
HOME=/root
MYSERVICE_SERVICE_PORT=8080
MYSERVICE_PORT=tcp://10.106.129.199:8080
PKG_RELEASE=1~buster
MYSERVICE_PORT_8080_TCP=tcp://10.106.129.199:8080
TERM=xterm
KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
NGINX_VERSION=1.19.0
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
KUBERNETES_PORT_443_TCP_PORT=443
NJS_VERSION=0.4.1
KUBERNETES_PORT_443_TCP_PROTO=tcp
KUBERNETES_SERVICE_PORT_HTTPS=443
KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
MYSERVICE_SERVICE_PORT_HTTP=8080
KUBERNETES_SERVICE_HOST=10.96.0.1
PWD=/
The env output shows that the k8s API server is at https://10.96.0.1:443.
First, use the following command to list the API groups and versions of the k8s resources:
# curl -H "Authorization: Bearer $TOKEN" https://10.96.0.1:443
{
"paths": [
"/api",
"/api/v1",
"/apis",
"/apis/",
"/apis/admissionregistration.k8s.io",
"/apis/admissionregistration.k8s.io/v1beta1",
"/apis/apiextensions.k8s.io",
"/apis/apiextensions.k8s.io/v1beta1",
"/apis/apiregistration.k8s.io",
"/apis/apiregistration.k8s.io/v1",
"/apis/apiregistration.k8s.io/v1beta1",
"/apis/apps",
"/apis/apps/v1",
"/apis/apps/v1beta1",
"/apis/apps/v1beta2",
"/apis/authentication.k8s.io",
"/apis/authentication.k8s.io/v1",
"/apis/authentication.k8s.io/v1beta1",
"/apis/authorization.k8s.io",
"/apis/authorization.k8s.io/v1",
"/apis/authorization.k8s.io/v1beta1",
"/apis/autoscaling",
"/apis/autoscaling/v1",
"/apis/autoscaling/v2beta1",
"/apis/autoscaling/v2beta2",
"/apis/batch",
"/apis/batch/v1",
"/apis/batch/v1beta1",
"/apis/certificates.k8s.io",
"/apis/certificates.k8s.io/v1beta1",
"/apis/coordination.k8s.io",
"/apis/coordination.k8s.io/v1",
"/apis/coordination.k8s.io/v1beta1",
"/apis/events.k8s.io",
"/apis/events.k8s.io/v1beta1",
"/apis/extensions",
"/apis/extensions/v1beta1",
"/apis/networking.k8s.io",
"/apis/networking.k8s.io/v1",
"/apis/networking.k8s.io/v1beta1",
"/apis/node.k8s.io",
"/apis/node.k8s.io/v1beta1",
"/apis/policy",
"/apis/policy/v1beta1",
"/apis/rbac.authorization.k8s.io",
"/apis/rbac.authorization.k8s.io/v1",
"/apis/rbac.authorization.k8s.io/v1beta1",
"/apis/scheduling.k8s.io",
"/apis/scheduling.k8s.io/v1",
"/apis/scheduling.k8s.io/v1beta1",
"/apis/storage.k8s.io",
"/apis/storage.k8s.io/v1",
"/apis/storage.k8s.io/v1beta1",
"/healthz",
"/healthz/autoregister-completion",
"/healthz/etcd",
"/healthz/log",
"/healthz/ping",
"/healthz/poststarthook/apiservice-openapi-controller",
"/healthz/poststarthook/apiservice-registration-controller",
"/healthz/poststarthook/apiservice-status-available-controller",
"/healthz/poststarthook/bootstrap-controller",
"/healthz/poststarthook/ca-registration",
"/healthz/poststarthook/crd-informer-synced",
"/healthz/poststarthook/generic-apiserver-start-informers",
"/healthz/poststarthook/kube-apiserver-autoregistration",
"/healthz/poststarthook/rbac/bootstrap-roles",
"/healthz/poststarthook/scheduling/bootstrap-system-priority-classes",
"/healthz/poststarthook/start-apiextensions-controllers",
"/healthz/poststarthook/start-apiextensions-informers",
"/healthz/poststarthook/start-kube-aggregator-informers",
"/healthz/poststarthook/start-kube-apiserver-admission-initializer",
"/logs",
"/metrics",
"/openapi/v2",
"/version"
]
}#
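Information about the Jobs resource can be retrieved as well. In earlier chapters the apiVersion used when creating a Job was always batch/v1; the following command queries that group version and shows that jobs support create, delete, update, list and the other create/read/update/delete operations.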
# curl -H "Authorization: Bearer $TOKEN" https://10.96.0.1:443/apis/batch/v1
{
"kind": "APIResourceList",
"apiVersion": "v1",
"groupVersion": "batch/v1",
"resources": [
{
"name": "jobs",
"singularName": "",
"namespaced": true,
"kind": "Job",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
],
"categories": [
"all"
],
"storageVersionHash": "mudhfqk/qZY="
},
{
"name": "jobs/status",
"singularName": "",
"namespaced": true,
"kind": "Job",
"verbs": [
"get",
"patch",
"update"
]
}
]
}#
All jobs in the default namespace can be retrieved with the following command, which shows that there is only one Job and that it is in the Complete state.
# curl -H "Authorization: Bearer $TOKEN" https://10.96.0.1:443/apis/batch/v1/namespaces/default/jobs
{
"kind": "JobList",
"apiVersion": "batch/v1",
"metadata": {
"selfLink": "/apis/batch/v1/namespaces/default/jobs",
"resourceVersion": "12165417"
},
"items": [
{
"metadata": {
"name": "myjob",
"namespace": "default",
"selfLink": "/apis/batch/v1/namespaces/default/jobs/myjob",
"uid": "df6da4d9-3f48-4d7a-b03f-dc85fa8f7794",
"resourceVersion": "12148288",
"creationTimestamp": "2020-10-20T15:47:20Z",
"labels": {
"controller-uid": "df6da4d9-3f48-4d7a-b03f-dc85fa8f7794",
"job-name": "myjob"
},
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"batch/v1\",\"kind\":\"Job\",\"metadata\":{\"annotations\":{},\"name\":\"myjob\",\"namespace\":\"default\"},\"spec\":{\"template\":{\"metadata\":{\"name\":\"mypod\"},\"spec\":{\"containers\":[{\"command\":[\"/bin/sh\",\"-c\",\"sleep 60\"],\"image\":\"busybox\",\"imagePullPolicy\":\"IfNotPresent\",\"name\":\"my-busybox\"}],\"restartPolicy\":\"OnFailure\"}}}}\n"
}
},
"spec": {
"parallelism": 1,
"completions": 1,
"backoffLimit": 6,
"selector": {
"matchLabels": {
"controller-uid": "df6da4d9-3f48-4d7a-b03f-dc85fa8f7794"
}
},
"template": {
"metadata": {
"name": "mypod",
"creationTimestamp": null,
"labels": {
"controller-uid": "df6da4d9-3f48-4d7a-b03f-dc85fa8f7794",
"job-name": "myjob"
}
},
"spec": {
"containers": [
{
"name": "my-busybox",
"image": "busybox",
"command": [
"/bin/sh",
"-c",
"sleep 60"
],
"resources": {
},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"imagePullPolicy": "IfNotPresent"
}
],
"restartPolicy": "OnFailure",
"terminationGracePeriodSeconds": 30,
"dnsPolicy": "ClusterFirst",
"securityContext": {
},
"schedulerName": "default-scheduler"
}
}
},
"status": {
"conditions": [
{
"type": "Complete",
"status": "True",
"lastProbeTime": "2020-10-20T15:48:21Z",
"lastTransitionTime": "2020-10-20T15:48:21Z"
}
],
"startTime": "2020-10-20T15:47:20Z",
"completionTime": "2020-10-20T15:48:21Z",
"succeeded": 1
}
}
]
}#
If there are multiple jobs, a single job can be retrieved by name. The following command gets the resource information for myjob:
# curl -H "Authorization: Bearer $TOKEN" https://10.96.0.1:443/apis/batch/v1/namespaces/default/jobs/myjob
{
"kind": "Job",
"apiVersion": "batch/v1",
"metadata": {
"name": "myjob",
"namespace": "default",
"selfLink": "/apis/batch/v1/namespaces/default/jobs/myjob",
"uid": "df6da4d9-3f48-4d7a-b03f-dc85fa8f7794",
"resourceVersion": "12148288",
"creationTimestamp": "2020-10-20T15:47:20Z",
"labels": {
"controller-uid": "df6da4d9-3f48-4d7a-b03f-dc85fa8f7794",
"job-name": "myjob"
},
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"batch/v1\",\"kind\":\"Job\",\"metadata\":{\"annotations\":{},\"name\":\"myjob\",\"namespace\":\"default\"},\"spec\":{\"template\":{\"metadata\":{\"name\":\"mypod\"},\"spec\":{\"containers\":[{\"command\":[\"/bin/sh\",\"-c\",\"sleep 60\"],\"image\":\"busybox\",\"imagePullPolicy\":\"IfNotPresent\",\"name\":\"my-busybox\"}],\"restartPolicy\":\"OnFailure\"}}}}\n"
}
},
"spec": {
"parallelism": 1,
"completions": 1,
"backoffLimit": 6,
"selector": {
"matchLabels": {
"controller-uid": "df6da4d9-3f48-4d7a-b03f-dc85fa8f7794"
}
},
"template": {
"metadata": {
"name": "mypod",
"creationTimestamp": null,
"labels": {
"controller-uid": "df6da4d9-3f48-4d7a-b03f-dc85fa8f7794",
"job-name": "myjob"
}
},
"spec": {
"containers": [
{
"name": "my-busybox",
"image": "busybox",
"command": [
"/bin/sh",
"-c",
"sleep 60"
],
"resources": {
},
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"imagePullPolicy": "IfNotPresent"
}
],
"restartPolicy": "OnFailure",
"terminationGracePeriodSeconds": 30,
"dnsPolicy": "ClusterFirst",
"securityContext": {
},
"schedulerName": "default-scheduler"
}
}
},
"status": {
"conditions": [
{
"type": "Complete",
"status": "True",
"lastProbeTime": "2020-10-20T15:48:21Z",
"lastTransitionTime": "2020-10-20T15:48:21Z"
}
],
"startTime": "2020-10-20T15:47:20Z",
"completionTime": "2020-10-20T15:48:21Z",
"succeeded": 1
}
}#
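Information about other resource objects can be obtained in the same way. With the ServiceAccount approach described above, a pod can access information about every resource object in the cluster from the inside, and can also create, delete, modify and query those objects.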
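The curl steps above can be combined into one in-pod client, shown here as an added example that is not part of the original page. It reads the API server address from the environment variables in the env output instead of hard-coding 10.96.0.1, verifies the server against the mounted ca.crt, sends the mounted token, and summarises the JobList; the function names are this example's own.

```python
import json
import os
import ssl
import urllib.request
from pathlib import Path

# Default ServiceAccount mount path named on this page.
SA_DIR = Path("/var/run/secrets/kubernetes.io/serviceaccount")

def api_base(env=os.environ):
    """Build the API server URL from the variables shown in the env output."""
    host = env["KUBERNETES_SERVICE_HOST"]
    port = env.get("KUBERNETES_SERVICE_PORT_HTTPS", "443")
    if ":" in host:  # bracket an IPv6 literal
        host = f"[{host}]"
    return f"https://{host}:{port}"

def build_request(path, env=os.environ, sa_dir=SA_DIR):
    """GET request carrying the mounted token, as curl -H "Authorization: ..." does."""
    token = (Path(sa_dir) / "token").read_text().strip()
    return urllib.request.Request(
        api_base(env) + path,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/json"})

def get_json(path, env=os.environ, sa_dir=SA_DIR):
    """Send the request, verifying the server against the mounted ca.crt
    (the role CURL_CA_BUNDLE plays for curl)."""
    ctx = ssl.create_default_context(cafile=str(Path(sa_dir) / "ca.crt"))
    req = build_request(path, env, sa_dir)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

def job_conditions(job_list):
    """Map each Job name to the condition types whose status is "True"."""
    return {
        job["metadata"]["name"]: [
            c["type"] for c in job.get("status", {}).get("conditions") or []
            if c.get("status") == "True"]
        for job in job_list.get("items", [])}

if __name__ == "__main__" and SA_DIR.is_dir():  # only meaningful inside a pod
    jobs = get_json("/apis/batch/v1/namespaces/default/jobs")
    print(job_conditions(jobs))
```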