利用kubeconfig文件生成证书,用curl命令访问Kubernetes API server

进击云原生
3,560 阅读3分钟

kubectl 通过访问 Kubernetes API 来执行命令。我们也可以通过对应的TLS key, 使用curl 或是 golang client做同样的事。

API 请求必须使用 JSON 格式来发送。 kubectl 的作用是将 .yaml 转换为 JSON 格式进行 API 请求。

配置 TLS 连接

1、我们从查看 kubectl 的配置文件开始,需要:三个证书和 API server 的地址:

[root@master work]# cat /root/.kube/config 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpN21jRHpST1dSaXAKMUU3NkYwOFIvdFV6L0kzWE5XcmU4ZEpsNjlUVnhieGdsZHJhQ0V4UC93VVBaTCtJK3NOMGRBMWFtMHRLVzJJKwpVZ21ISi9aU2dIbjUvUTFNZlpCakh0VUFqTDV2VmdSSzRZV05wVnpqK1JCd0YwNWduTUF4TTVCcWRmcEZ2aGI1CkJCRThIUk9xanJIZi82QTdKN2JwTTArMXlBQmZXMGpjcERZcTlsVnRxczU3ZTl4dVdVb2Y1WENPNyszZG5KQXgKa0dxWHNxN1Z1UmsyaUM4TWZBMk9mT3M5RmdNeFpOYk1UcHZZajZ4N3JjM21NTWh5VVQwdktOaTVXanR1UG53eAptd01yeEJqRjhqOUkybVZNZUJzQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJTlc5Y0Ewc0tubm16UmVXTTFMWVhZRWRGWjEKNjIwcUVVeWs0VHV2MmxvZzlWcEtLTzhKOG5iOXdjRVcrWFB2NWYyYmtNbUtsTmxaYzJFOEIzOWloU2NiZzBmQgp4QmdpejAwYmxxMXRNNjBCTmc3d2UwM3ZnOFRlZ1hvZGRkTzd3djB6ZXo3U0tGYmg0d2VCRnN4TFNaWGtwL1VQCkNkc2s4ZllKSG1ZbVhlZ1kvTS9vWTl2OHdlVEgzRXpuWEgxY1RxaytkOVdlUWF3aHVYV3UrVC8zL0Q3dmRQYksKeUNtY3BrdmlCZUlHQXVwR0pDN0JTVzFUb05ra3h2bXRsQVZnYlVmdlh3U0srVDVHZGd0Z2lETGUzSkdHbTM1egpLVHBqWlBWL0lxYzZra1BZNFF1R3FqcFQvelMzaTNrdWI0THlBU1FjZHVNc1hUdG8zTVdmdkZxUWRGST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://172.21.0.15:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lJR1VLN08xdUFIREF3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB4T1RFeU1ETXdOekEzTXpSYUZ3MHlNREV5TURJd056QTNNemhhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQWZoNUl4bndrMHRrdXdabUdnMVU2ckJ4VDgxU0RYbFgvd1kKSGEzU1BWUk9HaElURXFYS08wT09Ia3BkbEpDeGpJUm50Y005UHlybnBXK0NPVlNwb1JQSUpoLzdLWHZKTytDeApDaGk0eXlxc2pxbzE5WHlSUUNoZ2hpNnJHTnFETlVhTVd1STBOM1VUeEh2L3ozQkg2QWdIOVNvL2RKRmZXQnlkCmJzQXUrd0lEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFHTHdDVDloOGtGdHlwazhvNFM4R2pSb0xkSzZLZmhiTXhBZgowVHp3ZlBjVTlaNktyTTZIMmRtZHFGTnk2SHlrbkxWMjd2VjNtbDJ2VXVCaHpuWTJUeFF2YmFNN2drNCtVaERLCnUyY1FjQS9SaEkrYk13T0swZkFYR1RCdmxzZUJuNU1oYzNRMEthTVZURmpGbVIyRFBHaEVZLzN4L3NRbUZHRDIKN0dXUnhEcEZBSWhzUmxjR3RhR2pKdExZTEt0VU1OdlYyVVUyeThXa3NmZ1VJWVpIQXhkajM0UDV1MDQ2eE1lZQpZVlZvQXdsb0QrcjBoT0VKTEtaMi9GRjFOcm51U2xDYVoyYTVFdWFHbzM3TjBBcXVaRGMyS3hYd0N5aUc0K0ppClg2NkNqZjlObFk3ZkNQV1gzY3R0UXg2UUY1bGlTZ2NzYmVpUW9sR2ZwSXRQZ2JtY1Y2WT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBeFM4LzlBVHZlOGxubU5saTNOTWRYN3dUSDBTRmdBQSsvMnZJNVZTMzFKbEVxY3JpCkF0Y1ZZekh2QVpqNURjaE16Z214NWxvMk5kRElNYytqVW12dFFUWHl1em8vOU1HdUp4dEZqTzZVcUZ6YWxUeGkKQkV5Z2ZDU3VISzlXQ1kyNmNJQm1jUjZDaEtoMWl0MHFZblFHbW9seklRV1dhaGYwcWQ4Yk9wcUJzMnZLcWVmaAo1SXhud2swdGt1d1ptR2cxVTZyQnhUODFTRFhsWC93tMXN3RkJBZGZoYnltQ1dmdXkyZG5HY2pac0xJTDFZeGdJcwpKTCtHUU5HU2FNMEQ3bVJYUGdKYnhBblpLZ2V5STFjU1VhTStER0krc3MzcXIvWGU3aDk3YTd1dUdUaWVYcllECnF0d29IK2pCc0J1ZFEyRS80MjB1a3RzUGhqZWZLRWVkbVFaR2JtNC9JWVp3U0xoNWdjNUpBNHNDZ1lFQTRHWUcKUGlNTnVmRjVpZHAvZWNZd25mZmIvR2dmNEVkWHF4cFJTQzZIWjE2OFNGK0JyclFKZWN2RDIva3RWUG52L2JHZgp2N3RWbXduNDhKYlRlYjJCczdIODV6VlAyR0RhYkJPeTBQbGRoSjNpc1ozY1p3L21rWG1QQkNjNEJJOHFKSUl1CmxGM1EyVDJUWThNeXVXM1NEdmFCYWpwaUNuazZOa3pydTFwME1GRUNnWUVBcUhTRm9ZTm5jUjBxVXNMS1VYUkMKRFIzTHQ4djlTT2JkckR5dFFyTS9iaGRkMU8yV0xlbHdqekJSWS9iTWNlaWMrZ2R3QVlLWW40eFVjSklFeDB3cgo3ckNWQlljSXRyTlcvTi9kU21xTzdSVkZnYU9SalJFMlc5dXp2SGw3bWRxRUFQSXhlcWpIU0xmOHZ5Q2w4ZTczClNLR1hXcGo2YzZ1T0tCYmsvdHl3ZHBNQ2dZQkdEOVMzSmQ2dFJiVzYwdHVtTzdrR09WTVlGYktPSmZnN1ZmWTIKNFVBcGlDeWxOQnliWFY3d0JpemF5NHZaMGtlYUlCRk9uY0QyclVCcWJjME5YNXZWYlNjWFVVL2lzU3JCUDgwKwo3ZnpDNFVEY1QvdDJ1a0kwL1kwbnNNOE9yVnh0RmJCUlpwRkVvck1ZSE9RRGZVUnVvNHg0akUzOEV5bVh0cUNMCldJeWFZUUtCZ0Izd3lhZXArWEU2ZlFiR2l6bzV2T0lhMXZkdzhSRFZLbHVMYUg0L0xLRjg4OVEySkt4a014WjEKckxjNVNHN295VVlhZmZZK2J3aGVYMDRpQldPaVFVRnhHZmFkQll3eWZjK3BGRUNGVW1YdFNuZGMzQmNBVCs2Lwp3dnVJNHdDTTgrYysrem53YURXZ3dUeUxTQllaVzFwSkRyTGRHcDROUENlNGNPNjZLVnVXCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==

2、我们将会把证书设为环境变量。在设置时候请检查每一个参数。我们从 client-certificate-data 开始。

export clientcert=$(grep client-cert ~/.kube/config |cut -d" " -f 6)
echo $clientcert

3、使用类似的命令将 client-key-data 保存为环境变量

export clientkey=$(grep client-key-data ~/.kube/config |cut -d" " -f 6)
echo $clientkey

4、然后是 certificate-authority-data

export certauth=$(grep certificate-authority-data ~/.kube/config |cut -d" " -f 6)
echo $certauth

5、加密这些变量,供 curl 使用:

[root@master k8s-cert]# echo $clientcert | base64 -d > ./client.pem
[root@master k8s-cert]# echo $clientkey | base64 -d > ./client-key.pem
[root@master k8s-cert]# echo $certauth | base64 -d > ./ca.pem

6、从配置文件中读取 server 地址:

kubectl config view |grep server
server: https://172.21.0.15:6443

7、使用 curl 和刚刚加密的密钥文件来访问 API server:

curl --cert ./client.pem --key ./client-key.pem --cacert ./ca.pem https://172.21.0.15:6443/api/v1/pods

作者简洁

作者:小碗汤,一位热爱、认真写作的小伙,目前维护原创公众号:『我的小碗汤』,专注于写go语言、docker、kubernetes、java等开发、运维知识等提升硬实力的文章,期待你的关注。转载说明:务必注明来源(注明:来源于公众号:我的小碗汤,作者:小碗汤)

avatar
文章
阅读
粉丝
相关推荐
生成kubeconfig并通过kubectl连接Kubernetes集群
3.6k阅读
 · 
0点赞
学习一下如何为一个集群生成kubeconfig
17k阅读
 · 
2点赞
在CentOS上使用kubeadm部署Kubernetes集群
3.6k阅读
 · 
0点赞
kube-apiserver源码剖析与开发(二):KubeServer初始化之GenericConfig创建(一)
1.0k阅读
 · 
2点赞
从尤雨溪这两天微博募捐,思考开源如何赚大钱
180k阅读
 · 
1.1k点赞
Kubeconfig 文件解释与实际示例
1.6k阅读
 · 
3点赞
放心,前端死不了
149k阅读
 · 
1.4k点赞
千里之行,始于发心
203k阅读
 · 
77点赞
面试官问我按钮级别权限怎么控制,我说v-if,面试官说再见
255k阅读
 · 
2.7k点赞
ChatGPT API Key申请使用及充值教程【典藏】
118k阅读
 · 
93点赞

友情链接: