
How to access tke cluster API interface with certificate or token

2022-06-24 16:33:00 Nieweixing

When working with Kubernetes we often need to call the cluster's API directly, but the apiserver normally serves HTTPS with authentication, so any direct call to the API must authenticate. The same applies to a TKE cluster. So how do we access the TKE cluster's API from code or with curl? This post shows how to use a client certificate or the cluster token to access the API of a TKE cluster.

1. Accessing the TKE cluster API with a client certificate

Since we want to use a client certificate to access the API, where does the certificate come from? Every TKE cluster kubeconfig uses certificate authentication: each user has their own kubeconfig, which contains the client certificate used to authenticate to the apiserver, so we can extract the required client certificate directly from a kubeconfig.

Change to the directory that holds the kubelet's kubeconfig:

cd /etc/kubernetes

Run the following commands in turn to extract the cert, the key and the apiserver address from the kubeconfig file:

grep client-certificate-data ./kubelet-kubeconfig | awk '{print $2}' | base64 -d > client-cert.pem
grep client-key-data ./kubelet-kubeconfig | awk '{print $2}' | base64 -d > client-key.pem
APISERVER=$(grep 'server:' ./kubelet-kubeconfig | awk '{print $2}')

Then run curl against the apiserver:

curl --cert client-cert.pem --key client-key.pem -k $APISERVER/api/

List all namespaces:

curl --cert client-cert.pem --key client-key.pem -k $APISERVER/api/v1/namespaces

These are not all the possible examples; for access to other interfaces, refer to the official documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/ .

Running the curl command may produce an error message.

This is because the curl request is treated as an anonymous user, and anonymous users generally do not have sufficient permissions in the cluster, so we need to bind a ClusterRole to the anonymous user through RBAC. Here we bind the cluster administrator role tke:admin, after which the access works. Be aware of what this binding does: it grants the tke:admin role to every unauthenticated client that can reach the apiserver, so it is suitable for a test cluster only and should be removed once you are done.

kubectl create clusterrolebinding cluster-system-anonymous --clusterrole=tke:admin --user=system:anonymous

2. Accessing the cluster API with a token

As everyone knows, once RBAC is enabled on a TKE cluster, each account authenticates to the apiserver with a certificate and no longer uses a token. But if we need to use a token, one is still available; for how to obtain it, refer to https://cloud.tencent.com/developer/article/1762567 . After obtaining the cluster token as described there, the apiserver address can be obtained the same way as APISERVER above. With the token and the apiserver address in hand, we can access the API. Note: to avoid leaking the token, the tokens below have all been altered.

Access the cluster API:

curl -k -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsIZXQubmFtZSI6InRrZS1hZG1pbi10b2tlbi1od3F3MiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ0a2UtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiMTJhYzU0Yi02N2I1LTQymYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmYXVsdDp0a2UtYWRtaW4ifQ.cVvAALd2ARAFwm5eMmrIxu2mbMB8fcvKiDlKO05-oYwBiKxagBJnZN2TQsANRkGzdMUp0IaZrZXpvvt4R48Fe5qxIzNkF7tvi0ZOQ4cY75jS7ZcpIVqRhUHGcRh8DOemWGa940UAF_k5CWX1Xf4y_odAEM-rW5IIsLesWXfdoBkf5PHfnD_XKGHBTZ0Io0OKC_cRNDQrxCYCRglcXNojCksHFec1bQVmUQpeVlkH8iAtvvpUHknM9W5KpwCeYmMgre0fVmy8v1wzLOSFrKWIBTJ_VZRoc7qMKFVRpszzoDtjfehLcJ-uualdCaXe0utsB2w9Sk15jnZtEyCb3qveZQ" https://cls-xxxxxx.ccs.tencent-cloud.com

Get the cluster's namespaces:

curl -k -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImphQ0RWTFBlNTJ0aXNDSUNkTUJzdHBlbTBLSFVGTmd0UF9JWGMwOFNqM2MifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhYNvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2Uiy9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InRrZS1hZG1pbi10b2tlbi1od3F3MiIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJ0a2UtYWRtaW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiMTJhYzU0Yi02N2I1LTQyNjktOTc3MC0xMGE5MTIzNDhhZmYiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6ZGVmY2mbMB8fcvKiDlKO05-oYwBiKxagBJnZN2TQsANRkGzdMUp0IaZrZXpvvt4R48Fe5qxIzNkF7tvi0ZOQ4cY75jS7ZcpIVqRhUHGcRh8DOemWGa940UAF_k5CWX1Xf4y_odAEM-rW5IIsLesWXfdoBkf5PHfnD_XKGHBTZ0Io0OKC_cRNDQrxCYCRglcXNojCksHFec1bQVmUQpeVlkH8iAtvvpUHknM9W5KpwCeYmMgre0fVmy8v1wzLOSFrKWIBTJ_VZRoc7qMKFVRpszzoDtjfehLcJ-uualdCaXe0utsB2w9Sk15jnZtEyCb3qveZQ" https://cls-xxxx.ccs.tencent-cloud.com/api/v1/namespaces

These are not all the possible examples; for access to other interfaces, refer to the official documentation: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.21/

We can also use Postman to access the API: fill in the token and the apiserver address, then send the request.
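The following shell script is an added example, not code from the original post: it performs the kubeconfig extraction from section 1 against a constructed sample kubeconfig, additionally pulls out the cluster CA so curl can verify the apiserver with --cacert instead of skipping verification with -k, and wraps both the certificate access of section 1 and the token access of section 2. The kubeconfig layout, the output file names, the placeholder PEM contents and the use of curl's -H @file option (curl 7.55 or newer) are assumptions.

```shell
# Constructed placeholder PEM blocks standing in for real certificates and keys.
SAMPLE_CA='-----BEGIN CERTIFICATE-----
SAMPLE-CA
-----END CERTIFICATE-----'
SAMPLE_CERT='-----BEGIN CERTIFICATE-----
SAMPLE-CLIENT-CERT
-----END CERTIFICATE-----'
SAMPLE_KEY='-----BEGIN RSA PRIVATE KEY-----
SAMPLE-CLIENT-KEY
-----END RSA PRIVATE KEY-----'

b64() { printf '%s' "$1" | base64 | tr -d '\n'; }
# Write a minimal kubeconfig shaped like /etc/kubernetes/kubelet-kubeconfig (assumed layout).
make_sample_kubeconfig() {
  cat > "$1" <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: $(b64 "$SAMPLE_CA")
    server: https://cls-xxxxxx.ccs.tencent-cloud.com
  name: tke
users:
- name: kubelet
  user:
    client-certificate-data: $(b64 "$SAMPLE_CERT")
    client-key-data: $(b64 "$SAMPLE_KEY")
EOF
}

# Decode one base64 "*-data" field. Matching "<key>:" at line start avoids
# picking up unrelated lines the way a bare "grep server" could.
kubeconfig_decode_field() { grep "^[[:space:]]*$2:" "$1" | awk '{print $2}' | base64 -d; }
kubeconfig_server() { grep "^[[:space:]]*server:" "$1" | awk '{print $2}'; }

# Extract CA, client cert and key into a directory; the private key gets mode 0600.
extract_kubeconfig_creds() {
  mkdir -p "$2"
  kubeconfig_decode_field "$1" certificate-authority-data > "$2/ca.pem"
  kubeconfig_decode_field "$1" client-certificate-data > "$2/client-cert.pem"
  (umask 077; kubeconfig_decode_field "$1" client-key-data > "$2/client-key.pem")
}

# GET an API path with client-certificate auth, verifying the apiserver against
# the extracted CA instead of disabling verification with -k.
api_get_cert() { curl -sS --cacert "$1/ca.pem" --cert "$1/client-cert.pem" --key "$1/client-key.pem" "$2$3"; }

# GET an API path with a bearer token kept in a header file ("Authorization: Bearer <token>"),
# so the token stays out of shell history and process arguments (curl 7.55+ supports -H @file).
api_get_token() { curl -sS --cacert "$1/ca.pem" -H "@$2" "$3$4"; }
```

Usage: `extract_kubeconfig_creds /etc/kubernetes/kubelet-kubeconfig ./creds` and then `api_get_cert ./creds "$(kubeconfig_server /etc/kubernetes/kubelet-kubeconfig)" /api/v1/namespaces`.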


Copyright notice
This article was written by Nieweixing; please include a link to the original when reposting. Thank you.
https://yzsam.com/2021/04/20210418002255930L.html