From 7e323ad80026a7215598d1f518a62170fe16a2ab Mon Sep 17 00:00:00 2001 From: windsonsea Date: Tue, 7 Nov 2023 15:09:00 +0800 Subject: [PATCH] Clean up access-application-cluster/access-cluster --- .../access-cluster.md | 124 ++++++++++-------- 1 file changed, 66 insertions(+), 58 deletions(-) diff --git a/content/en/docs/tasks/access-application-cluster/access-cluster.md b/content/en/docs/tasks/access-application-cluster/access-cluster.md index 87c3fdcd34..09122dbc65 100644 --- a/content/en/docs/tasks/access-application-cluster/access-cluster.md +++ b/content/en/docs/tasks/access-application-cluster/access-cluster.md @@ -16,7 +16,7 @@ When accessing the Kubernetes API for the first time, we suggest using the Kubernetes CLI, `kubectl`. To access a cluster, you need to know the location of the cluster and have credentials -to access it. Typically, this is automatically set-up when you work through +to access it. Typically, this is automatically set-up when you work through a [Getting started guide](/docs/setup/), or someone else set up the cluster and provided you with credentials and a location. @@ -36,20 +36,20 @@ Kubectl handles locating and authenticating to the apiserver. If you want to directly access the REST API with an http client like curl or wget, or a browser, there are several ways to locate and authenticate: - - Run kubectl in proxy mode. - - Recommended approach. - - Uses stored apiserver location. - - Verifies identity of apiserver using self-signed cert. No MITM possible. - - Authenticates to apiserver. - - In future, may do intelligent client-side load-balancing and failover. - - Provide the location and credentials directly to the http client. - - Alternate approach. - - Works with some types of client code that are confused by using a proxy. - - Need to import a root cert into your browser to protect against MITM. +- Run kubectl in proxy mode. + - Recommended approach. + - Uses stored apiserver location. + - Verifies identity of apiserver using self-signed cert. No MITM possible. + - Authenticates to apiserver. + - In future, may do intelligent client-side load-balancing and failover. +- Provide the location and credentials directly to the http client. + - Alternate approach. + - Works with some types of client code that are confused by using a proxy. + - Need to import a root cert into your browser to protect against MITM. ### Using kubectl proxy -The following command runs kubectl in a mode where it acts as a reverse proxy. It handles +The following command runs kubectl in a mode where it acts as a reverse proxy. It handles locating the apiserver and authenticating. Run it like this: @@ -83,7 +83,6 @@ The output is similar to this: } ``` - ### Without kubectl proxy Use `kubectl apply` and `kubectl describe secret...` to create a token for the default service account with grep/cut: @@ -163,16 +162,16 @@ The output is similar to this: } ``` -The above examples use the `--insecure` flag. This leaves it subject to MITM -attacks. When kubectl accesses the cluster it uses a stored root certificate -and client certificates to access the server. (These are installed in the -`~/.kube` directory). Since cluster certificates are typically self-signed, it +The above examples use the `--insecure` flag. This leaves it subject to MITM +attacks. When kubectl accesses the cluster it uses a stored root certificate +and client certificates to access the server. (These are installed in the +`~/.kube` directory). Since cluster certificates are typically self-signed, it may take special configuration to get your http client to use root certificate. On some clusters, the apiserver does not require authentication; it may serve -on localhost, or be protected by a firewall. There is not a standard -for this. [Controlling Access to the API](/docs/concepts/security/controlling-access) +on localhost, or be protected by a firewall. There is not a standard +for this. [Controlling Access to the API](/docs/concepts/security/controlling-access) describes how a cluster admin can configure this. ## Programmatic access to the API @@ -182,20 +181,30 @@ client libraries. ### Go client -* To get the library, run the following command: `go get k8s.io/client-go@kubernetes-`, see [INSTALL.md](https://github.com/kubernetes/client-go/blob/master/INSTALL.md#for-the-casual-user) for detailed installation instructions. See [https://github.com/kubernetes/client-go](https://github.com/kubernetes/client-go#compatibility-matrix) to see which versions are supported. -* Write an application atop of the client-go clients. Note that client-go defines its own API objects, so if needed, please import API definitions from client-go rather than from the main repository, e.g., `import "k8s.io/client-go/kubernetes"` is correct. +* To get the library, run the following command: `go get k8s.io/client-go@kubernetes-`, + see [INSTALL.md](https://github.com/kubernetes/client-go/blob/master/INSTALL.md#for-the-casual-user) + for detailed installation instructions. See + [https://github.com/kubernetes/client-go](https://github.com/kubernetes/client-go#compatibility-matrix) + to see which versions are supported. +* Write an application atop of the client-go clients. Note that client-go defines its own API objects, + so if needed, please import API definitions from client-go rather than from the main repository, + e.g., `import "k8s.io/client-go/kubernetes"` is correct. The Go client can use the same [kubeconfig file](/docs/concepts/configuration/organize-cluster-access-kubeconfig/) -as the kubectl CLI does to locate and authenticate to the apiserver. See this [example](https://git.k8s.io/client-go/examples/out-of-cluster-client-configuration/main.go). +as the kubectl CLI does to locate and authenticate to the apiserver. See this +[example](https://git.k8s.io/client-go/examples/out-of-cluster-client-configuration/main.go). If the application is deployed as a Pod in the cluster, please refer to the [next section](#accessing-the-api-from-a-pod). ### Python client -To use [Python client](https://github.com/kubernetes-client/python), run the following command: `pip install kubernetes`. See [Python Client Library page](https://github.com/kubernetes-client/python) for more installation options. +To use [Python client](https://github.com/kubernetes-client/python), run the following command: +`pip install kubernetes`. See [Python Client Library page](https://github.com/kubernetes-client/python) +for more installation options. The Python client can use the same [kubeconfig file](/docs/concepts/configuration/organize-cluster-access-kubeconfig/) -as the kubectl CLI does to locate and authenticate to the apiserver. See this [example](https://github.com/kubernetes-client/python/tree/master/examples). +as the kubectl CLI does to locate and authenticate to the apiserver. See this +[example](https://github.com/kubernetes-client/python/tree/master/examples). ### Other languages @@ -218,52 +227,51 @@ For information about connecting to other services running on a Kubernetes clust ## Requesting redirects -The redirect capabilities have been deprecated and removed. Please use a proxy (see below) instead. +The redirect capabilities have been deprecated and removed. Please use a proxy (see below) instead. -## So Many Proxies +## So many proxies There are several different proxies you may encounter when using Kubernetes: -1. The [kubectl proxy](#directly-accessing-the-rest-api): +1. The [kubectl proxy](#directly-accessing-the-rest-api): - - runs on a user's desktop or in a pod - - proxies from a localhost address to the Kubernetes apiserver - - client to proxy uses HTTP - - proxy to apiserver uses HTTPS - - locates apiserver - - adds authentication headers + - runs on a user's desktop or in a pod + - proxies from a localhost address to the Kubernetes apiserver + - client to proxy uses HTTP + - proxy to apiserver uses HTTPS + - locates apiserver + - adds authentication headers -1. The [apiserver proxy](/docs/tasks/access-application-cluster/access-cluster-services/#discovering-builtin-services): +1. The [apiserver proxy](/docs/tasks/access-application-cluster/access-cluster-services/#discovering-builtin-services): - - is a bastion built into the apiserver - - connects a user outside of the cluster to cluster IPs which otherwise might not be reachable - - runs in the apiserver processes - - client to proxy uses HTTPS (or http if apiserver so configured) - - proxy to target may use HTTP or HTTPS as chosen by proxy using available information - - can be used to reach a Node, Pod, or Service - - does load balancing when used to reach a Service + - is a bastion built into the apiserver + - connects a user outside of the cluster to cluster IPs which otherwise might not be reachable + - runs in the apiserver processes + - client to proxy uses HTTPS (or http if apiserver so configured) + - proxy to target may use HTTP or HTTPS as chosen by proxy using available information + - can be used to reach a Node, Pod, or Service + - does load balancing when used to reach a Service -1. The [kube proxy](/docs/concepts/services-networking/service/#ips-and-vips): +1. The [kube proxy](/docs/concepts/services-networking/service/#ips-and-vips): - - runs on each node - - proxies UDP and TCP - - does not understand HTTP - - provides load balancing - - is only used to reach services + - runs on each node + - proxies UDP and TCP + - does not understand HTTP + - provides load balancing + - is only used to reach services -1. A Proxy/Load-balancer in front of apiserver(s): +1. A Proxy/Load-balancer in front of apiserver(s): - - existence and implementation varies from cluster to cluster (e.g. nginx) - - sits between all clients and one or more apiservers - - acts as load balancer if there are several apiservers. + - existence and implementation varies from cluster to cluster (e.g. nginx) + - sits between all clients and one or more apiservers + - acts as load balancer if there are several apiservers. -1. Cloud Load Balancers on external services: +1. Cloud Load Balancers on external services: - - are provided by some cloud providers (e.g. AWS ELB, Google Cloud Load Balancer) - - are created automatically when the Kubernetes service has type `LoadBalancer` - - use UDP/TCP only - - implementation varies by cloud provider. + - are provided by some cloud providers (e.g. AWS ELB, Google Cloud Load Balancer) + - are created automatically when the Kubernetes service has type `LoadBalancer` + - use UDP/TCP only + - implementation varies by cloud provider. -Kubernetes users will typically not need to worry about anything other than the first two types. The cluster admin +Kubernetes users will typically not need to worry about anything other than the first two types. The cluster admin will typically ensure that the latter types are set up correctly. -