Access k8s-api-server via curl

I will explain how to access k8s-api-server via curl. Through this hands-on exercise, you will gain an understanding of authenticating with k8s-api-server using client certificates and keys. Additionally, by communicating with k8s-api-server via curl, you will become more familiar with its usage. ⎈

  1. Preparation
  2. Generate private key and certificate from kubeconfig
    1. Generate client private key
    2. Generate client certificate
  3. Check k8s-api-server’s endpoint by kubectl
  4. Send a request to k8s-api-server with curl
  5. Next Steps

Preparation

Please install the following tools

  • curl
  • yq
  • kubernetes
  • kubeconfig file (~/.kube/config)
  • kubectl

* I will use the Kubernetes cluster and kubeconfig file that I created in the previous post. The kubeconfig file looks like this.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: foo
    server: https://192.168.64.156:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: bar
    client-key-data: baz

Generate private key and certificate from kubeconfig

The kubeconfig file stores the client private key and certificate as base64-encoded values, so we can obtain them by decoding those values.

Generate client private key

Decode a base64-encoded key using base64 -d. Please replace “kubernetes-admin” with your user’s name.

cat ~/.kube/config | yq '.users[] | select(.name == "kubernetes-admin").user.client-key-data' | base64 -d > client.key

Generate client certificate

Decode a base64-encoded certificate using base64 -d. Please replace “kubernetes-admin” with your user’s name.

cat ~/.kube/config | yq '.users[] | select(.name == "kubernetes-admin").user.client-certificate-data' | base64 -d > client.crt

Check k8s-api-server’s endpoint by kubectl

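You can easily check the k8s-api-server endpoint with kubectl's -v=6 option. The following command shows the endpoint used for getting pods. kubectl writes these log lines to stderr, so 2>&1 is needed for grep to see them.

kubectl get po -v=6 2>&1 | grep GET

example:

kubectl get po -v=6 2>&1 | grep GET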
...
I0605 23:11:11.171705 70703 round_trippers.go:553] GET https://192.168.64.156:6443/api/v1/namespaces/default/pods?limit=500 200 OK in 41 milliseconds
...

Send a request to k8s-api-server with curl

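Let’s use curl to send a request to the k8s-api-server endpoint that you just checked, authenticating with the client certificate and key. The -k option tells curl to skip verification of the server's certificate.

curl "<k8s-api-server's endpoint>" --cert client.crt --key client.key -k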

example:

curl "https://192.168.64.156:6443/api/v1/namespaces/default/pods?limit=500" --cert client.crt --key client.key -k
{
  "kind": "PodList",
  "apiVersion": "v1",
...
}
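
The same request with server verification left on, as an added example that is not part of the original post: it also decodes certificate-authority-data so curl can use --cacert instead of -k, and creates the credential files owner-only. It assumes mikefarah yq v4; the function names and the creds directory are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes mikefarah yq v4 (the
# syntax the post uses); function names and file layout are hypothetical.

# field KUBECONFIG YQ_EXPR: print one scalar or fail.
# yq prints "null" for an absent key, and "null" is itself valid base64, so
# it has to be rejected here or it decodes silently into three junk bytes.
field() {
  v=$(yq "$2" < "$1") || return 1
  case $v in
    ''|null) echo "kubeconfig: no value for $2" >&2; return 1 ;;
  esac
  printf '%s\n' "$v"
}

# decode_to KUBECONFIG YQ_EXPR FILE: base64-decode one field into FILE.
decode_to() {
  v=$(field "$1" "$2") || return 1
  rm -f "$3"                      # recreate so the umask decides the mode
  printf '%s' "$v" | base64 -d > "$3"
}

# kube_extract KUBECONFIG USER CLUSTER OUTDIR
# Writes ca.crt, client.crt and client.key, then prints the server URL.
# The body is a subshell, so the umask change stays local to this function.
kube_extract() (
  cfg=$1 user=$2 cluster=$3 out=$4
  umask 077                       # new files 0600, new directory 0700
  mkdir -p "$out" || exit 1
  u=".users[] | select(.name == \"$user\").user"
  c=".clusters[] | select(.name == \"$cluster\").cluster"
  decode_to "$cfg" "$c.certificate-authority-data" "$out/ca.crt" || exit 1
  decode_to "$cfg" "$u.client-certificate-data" "$out/client.crt" || exit 1
  decode_to "$cfg" "$u.client-key-data" "$out/client.key" || exit 1
  field "$cfg" "$c.server"
)

# kube_get CREDS_DIR SERVER API_PATH
# Same request as the post's curl command, but --cacert verifies the API
# server against the cluster CA instead of switching verification off (-k).
kube_get() {
  curl --fail --silent --show-error --cacert "$1/ca.crt" \
    --cert "$1/client.crt" --key "$1/client.key" "$2$3"
}

# Usage:
#   server=$(kube_extract ~/.kube/config kubernetes-admin kubernetes ./creds) &&
#     kube_get ./creds "$server" "/api/v1/namespaces/default/pods?limit=500"
```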

Next Steps

Now, you can access k8s-api-server via curl. The following actions will help you understand it in more detail.

  • Try to get pods in another namespace and check the endpoint.
  • Try to access other endpoints, such as those for listing Deployments or Services.
  • Read documentation such as Authenticating and The Kubernetes API.

That’s it. Thank you for reading my post.