K8s - API Server

-

 

What is a kube API Server?

The API server is a component of the Kubernetes control plane that exposes the Kubernetes API.

The API server is the front end for the Kubernetes control plane.

kube-apiserver is designed to scale horizontally—that is, it scales by deploying more instances. 

You can run several instances of kube-apiserver and balance traffic between those instances.

root@masterk8s:/# kubectl describe pod -n kube-system kube-apiserver-masterk8s

Command:

      kube-apiserver

      --advertise-address=192.168.163.128

      --allow-privileged=true

      --authorization-mode=Node,RBAC

      --client-ca-file=/etc/kubernetes/pki/ca.crt

      --enable-admission-plugins=NodeRestriction

      --enable-bootstrap-token-auth=true

      --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt

      --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt

      --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key

      --etcd-servers=https://127.0.0.1:2379

      --insecure-port=0

      --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt

      --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key

      --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname

      --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt

      --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key

      --requestheader-allowed-names=front-proxy-client

      --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt

      --requestheader-extra-headers-prefix=X-Remote-Extra-

      --requestheader-group-headers=X-Remote-Group

      --requestheader-username-headers=X-Remote-User

      --secure-port=6443

      --service-account-key-file=/etc/kubernetes/pki/sa.pub

      --service-cluster-ip-range=10.96.0.0/12

      --tls-cert-file=/etc/kubernetes/pki/apiserver.crt

      --tls-private-key-file=/etc/kubernetes/pki/apiserver.key


This is the actual command runs on the port 6443.

The Kubernetes API server provides 3 API endpoints (healthz, livez and readyz) to indicate the current status of the API server.

A status code 200 indicates the API server is healthy/live/ready, depending on the called endpoint.

Test Kube API health:

root@masterk8s:/# curl -k https://localhost:6443/livez?verbose
[+]ping ok
[+]log ok
[+]etcd ok
[+]poststarthook/start-kube-apiserver-admission-initializer ok
[+]poststarthook/generic-apiserver-start-informers ok
[+]poststarthook/max-in-flight-filter ok
[+]poststarthook/start-apiextensions-informers ok
[+]poststarthook/start-apiextensions-controllers ok
[+]poststarthook/crd-informer-synced ok
[+]poststarthook/bootstrap-controller ok
[+]poststarthook/rbac/bootstrap-roles ok
[+]poststarthook/scheduling/bootstrap-system-priority-classes ok
[+]poststarthook/start-cluster-authentication-info-controller ok
[+]poststarthook/aggregator-reload-proxy-client-cert ok
[+]poststarthook/start-kube-aggregator-informers ok
[+]poststarthook/apiservice-registration-controller ok
[+]poststarthook/apiservice-status-available-controller ok
[+]poststarthook/kube-apiserver-autoregistration ok
[+]autoregister-completion ok
[+]poststarthook/apiservice-openapi-controller ok
healthz check passed
root@masterk8s:/#

root@masterk8s:/# kubectl get --raw='/readyz?verbose'
[+]ping ok
[+]log ok
[+]etcd ok
[+]informer-sync ok
[+]poststarthook/start-kube-apiserver-admission-initializer ok
[+]poststarthook/generic-apiserver-start-informers ok
[+]poststarthook/max-in-flight-filter ok
[+]poststarthook/start-apiextensions-informers ok
[+]poststarthook/start-apiextensions-controllers ok
[+]poststarthook/crd-informer-synced ok
[+]poststarthook/bootstrap-controller ok
[+]poststarthook/rbac/bootstrap-roles ok
[+]poststarthook/scheduling/bootstrap-system-priority-classes ok
[+]poststarthook/start-cluster-authentication-info-controller ok
[+]poststarthook/aggregator-reload-proxy-client-cert ok
[+]poststarthook/start-kube-aggregator-informers ok
[+]poststarthook/apiservice-registration-controller ok
[+]poststarthook/apiservice-status-available-controller ok
[+]poststarthook/kube-apiserver-autoregistration ok
[+]autoregister-completion ok
[+]poststarthook/apiservice-openapi-controller ok
[+]shutdown ok
healthz check passed
root@masterk8s:/#

All API accesses are handled by Kubernetes api server.

All accesses have to be authenticated by the API server for Kubernetes operations.

Kubernetes API server serve on 2 ports: one for testing, and the other for all other cases. By default, these ports are:

http://localhost:8080: intended for testing, no TLS, request bypasses authentication and authorization modules, handled by admission control modules

https://<ip>:6443: use TLS (and certificate), <ip> is the first non-localhost network interface, request are handled by authentication and authorization modules

The HTTP request moves to the authentication step when users access to the API server through the port 6443 and establishes a TLS connection.

Lets use curl command to test the kube api server.

I am going to store kube api IP and port as a variable.

root@masterk8s:~# kubectl config view -o jsonpath='{.clusters[0].cluster.server}'
https://192.168.163.128:6443
root@masterk8s:~#

root@masterk8s:~# KUBE_API=$(kubectl config view -o jsonpath='{.clusters[0].cluster.server}')

root@masterk8s:~# curl -k $KUBE_API/version
{
  "major": "1",
  "minor": "19",
  "gitVersion": "v1.19.16",
  "gitCommit": "e37e4ab4cc8dcda84f1344dda47a97bb1927d074",
  "gitTreeState": "clean",
  "buildDate": "2021-10-27T16:20:18Z",
  "goVersion": "go1.15.15",
  "compiler": "gc",
  "platform": "linux/amd64"
}root@masterk8s:~#

Note: I have used -k to make the connection as "--insecure". But in real world we use the TLS/SSL Certs.

Client cert used for Kube API can be fetched from 

root@masterk8s:~# kubectl describe pod -n kube-system kube-apiserver-masterk8s | grep -w "client-ca-file"
      --client-ca-file=/etc/kubernetes/pki/ca.crt
      --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
root@masterk8s:~#

root@masterk8s:~# curl --cacert /etc/kubernetes/pki/ca.crt $KUBE_API/version
{
  "major": "1",
  "minor": "19",
  "gitVersion": "v1.19.16",
  "gitCommit": "e37e4ab4cc8dcda84f1344dda47a97bb1927d074",
  "gitTreeState": "clean",
  "buildDate": "2021-10-27T16:20:18Z",
  "goVersion": "go1.15.15",
  "compiler": "gc",
  "platform": "linux/amd64"
}root@masterk8s:~#






Comments

Post a Comment

Popular posts from this blog

SRE/DevOps Syllabus

-
Image
  DEVOPS/SRE Principles. Git What is Git? Architecture of Git. Working principle of Git. Create and cloning a repo. Version control branching. Version control commit. Version control managing workflows. Git hooks. Git Reflog. Git Stash. Git Cherry Picking. Undoing changes in different states of Git. Git based terraform template management. AWS CI/CD SDLC Automation. Code Commit. Code Build. Code Deployment. Code Pipeline. Elastic Beankstalk. Code Artifact. CodeGuru. Terraform Terraform Basics. Terraform State. Working with Terraform. Terraform with AWS. Remote State. Terraform Provisioners. Terraform Import, Tainting and Debugging. Terraform Modules. Terraform Functions and Conditional Expressions. Automation using Python - AWS AWS lambda. Automating EC2 with Lambda. Automating S3 with Lambda. Automating VPC with Lambda. Cost optimization with Lambda. SNS,SQS and SES with Python. Managing and Automating AWS Security with Python. Kubernetes - CKAD Application Developer. Kubernetes A...
Read more

AWS Code Commit - CI/CD Series Part 1

-
Image
  This is a multi-part series to show how to implement a CI/CD pipeline in AWS. In this post, We will see how to use AWS Code Commit. AWS CodeCommit is a fully managed source control service that allows you to store and manage your code securely in the cloud.  It provides a private Git repository for your code and supports all Git commands and workflows. CodeCommit also integrates with other AWS services like AWS CodePipeline and AWS CodeBuild, allowing you to automate your entire software release process. This can help you streamline your development workflows and improve the overall efficiency of your team. I created a repo from AWS CodeCommit -> Create Repository. And I begin with cloning the repo locally. So that I can make changes and push it. To clone the repo click on "HTTPS" under Clone URL. I make changes to index.html file. Now push it to AWS CodeCommit. Let’s verify the changes in AWS Code commit. Changes are reflected in AWS CodeCommit. We are done with Part ...
Read more

Docker - Preventing IP overlapping

-
Image
  What is IP address overlapping? When the container IP address overlaps with another IP external, then the application running on the container is not accessible from outside due to the IP address overlapping.  NOTE: This IP address overlapping can happen on the bridge interface IP or docker container IP. Let's see how to address this IP overlapping issue on the bridge interface. I already have a running container.  root@demo:~# docker run -d --name web --network mynet1 nginx:alpine 268647e11011d513d2357ce1c81e0f48787038a83d01d028d31a5b29dbdb885b root@demo:~# docker container ls CONTAINER ID   IMAGE          COMMAND                  CREATED         STATUS         PORTS     NAMES 268647e11011   nginx:alpine   "/docker-entrypoint.…"   4 seconds ago   Up 3 seconds   80/tcp  ...
Read more