kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #43841 from windsonsea/clusty 

Clean up access-application-cluster/access-cluster
pull/44033/head
Kubernetes Prow Robot 2023-11-22 10:01:19 +01:00 committed by GitHub
parent 957b08bb43 7e323ad800
commit fb8f9b844a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 66 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

124
content/en/docs/tasks/access-application-cluster/access-cluster.md
View File

@ -16,7 +16,7 @@ When accessing the Kubernetes API for the first time, we suggest using the
Kubernetes CLI, `kubectl`. Kubernetes CLI, `kubectl`.
To access a cluster, you need to know the location of the cluster and have credentials To access a cluster, you need to know the location of the cluster and have credentials
to access it. Typically, this is automatically set-up when you work through to access it. Typically, this is automatically set-up when you work through
a [Getting started guide](/docs/setup/), a [Getting started guide](/docs/setup/),
or someone else set up the cluster and provided you with credentials and a location. or someone else set up the cluster and provided you with credentials and a location.
@ -36,20 +36,20 @@ Kubectl handles locating and authenticating to the apiserver.
If you want to directly access the REST API with an http client like If you want to directly access the REST API with an http client like
curl or wget, or a browser, there are several ways to locate and authenticate: curl or wget, or a browser, there are several ways to locate and authenticate:
- Run kubectl in proxy mode. - Run kubectl in proxy mode.
- Recommended approach. - Recommended approach.
- Uses stored apiserver location. - Uses stored apiserver location.
- Verifies identity of apiserver using self-signed cert. No MITM possible. - Verifies identity of apiserver using self-signed cert. No MITM possible.
- Authenticates to apiserver. - Authenticates to apiserver.
- In future, may do intelligent client-side load-balancing and failover. - In future, may do intelligent client-side load-balancing and failover.
- Provide the location and credentials directly to the http client. - Provide the location and credentials directly to the http client.
- Alternate approach. - Alternate approach.
- Works with some types of client code that are confused by using a proxy. - Works with some types of client code that are confused by using a proxy.
- Need to import a root cert into your browser to protect against MITM. - Need to import a root cert into your browser to protect against MITM.
### Using kubectl proxy ### Using kubectl proxy
The following command runs kubectl in a mode where it acts as a reverse proxy. It handles The following command runs kubectl in a mode where it acts as a reverse proxy. It handles
locating the apiserver and authenticating. locating the apiserver and authenticating.
Run it like this: Run it like this:
@ -83,7 +83,6 @@ The output is similar to this:
} }
``` ```
### Without kubectl proxy ### Without kubectl proxy
Use `kubectl apply` and `kubectl describe secret...` to create a token for the default service account with grep/cut: Use `kubectl apply` and `kubectl describe secret...` to create a token for the default service account with grep/cut:
@ -163,16 +162,16 @@ The output is similar to this:
} }
``` ```
The above examples use the `--insecure` flag. This leaves it subject to MITM The above examples use the `--insecure` flag. This leaves it subject to MITM
attacks. When kubectl accesses the cluster it uses a stored root certificate attacks. When kubectl accesses the cluster it uses a stored root certificate
and client certificates to access the server. (These are installed in the and client certificates to access the server. (These are installed in the
`~/.kube` directory). Since cluster certificates are typically self-signed, it `~/.kube` directory). Since cluster certificates are typically self-signed, it
may take special configuration to get your http client to use root may take special configuration to get your http client to use root
certificate. certificate.
On some clusters, the apiserver does not require authentication; it may serve On some clusters, the apiserver does not require authentication; it may serve
on localhost, or be protected by a firewall. There is not a standard on localhost, or be protected by a firewall. There is not a standard
for this. [Controlling Access to the API](/docs/concepts/security/controlling-access) for this. [Controlling Access to the API](/docs/concepts/security/controlling-access)
describes how a cluster admin can configure this. describes how a cluster admin can configure this.
## Programmatic access to the API ## Programmatic access to the API
@ -182,20 +181,30 @@ client libraries.
### Go client ### Go client
* To get the library, run the following command: `go get k8s.io/client-go@kubernetes-<kubernetes-version-number>`, see [INSTALL.md](https://github.com/kubernetes/client-go/blob/master/INSTALL.md#for-the-casual-user) for detailed installation instructions. See [https://github.com/kubernetes/client-go](https://github.com/kubernetes/client-go#compatibility-matrix) to see which versions are supported. * To get the library, run the following command: `go get k8s.io/client-go@kubernetes-<kubernetes-version-number>`,
* Write an application atop of the client-go clients. Note that client-go defines its own API objects, so if needed, please import API definitions from client-go rather than from the main repository, e.g., `import "k8s.io/client-go/kubernetes"` is correct. see [INSTALL.md](https://github.com/kubernetes/client-go/blob/master/INSTALL.md#for-the-casual-user)
for detailed installation instructions. See
[https://github.com/kubernetes/client-go](https://github.com/kubernetes/client-go#compatibility-matrix)
to see which versions are supported.
* Write an application atop of the client-go clients. Note that client-go defines its own API objects,
so if needed, please import API definitions from client-go rather than from the main repository,
e.g., `import "k8s.io/client-go/kubernetes"` is correct.
The Go client can use the same [kubeconfig file](/docs/concepts/configuration/organize-cluster-access-kubeconfig/) The Go client can use the same [kubeconfig file](/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
as the kubectl CLI does to locate and authenticate to the apiserver. See this [example](https://git.k8s.io/client-go/examples/out-of-cluster-client-configuration/main.go). as the kubectl CLI does to locate and authenticate to the apiserver. See this
[example](https://git.k8s.io/client-go/examples/out-of-cluster-client-configuration/main.go).
If the application is deployed as a Pod in the cluster, please refer to the [next section](#accessing-the-api-from-a-pod). If the application is deployed as a Pod in the cluster, please refer to the [next section](#accessing-the-api-from-a-pod).
### Python client ### Python client
To use [Python client](https://github.com/kubernetes-client/python), run the following command: `pip install kubernetes`. See [Python Client Library page](https://github.com/kubernetes-client/python) for more installation options. To use [Python client](https://github.com/kubernetes-client/python), run the following command:
`pip install kubernetes`. See [Python Client Library page](https://github.com/kubernetes-client/python)
for more installation options.
The Python client can use the same [kubeconfig file](/docs/concepts/configuration/organize-cluster-access-kubeconfig/) The Python client can use the same [kubeconfig file](/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
as the kubectl CLI does to locate and authenticate to the apiserver. See this [example](https://github.com/kubernetes-client/python/tree/master/examples). as the kubectl CLI does to locate and authenticate to the apiserver. See this
[example](https://github.com/kubernetes-client/python/tree/master/examples).
### Other languages ### Other languages
@ -218,52 +227,51 @@ For information about connecting to other services running on a Kubernetes clust
## Requesting redirects ## Requesting redirects
The redirect capabilities have been deprecated and removed. Please use a proxy (see below) instead. The redirect capabilities have been deprecated and removed. Please use a proxy (see below) instead.
## So Many Proxies ## So many proxies
There are several different proxies you may encounter when using Kubernetes: There are several different proxies you may encounter when using Kubernetes:
1. The [kubectl proxy](#directly-accessing-the-rest-api): 1. The [kubectl proxy](#directly-accessing-the-rest-api):
- runs on a user's desktop or in a pod - runs on a user's desktop or in a pod
- proxies from a localhost address to the Kubernetes apiserver - proxies from a localhost address to the Kubernetes apiserver
- client to proxy uses HTTP - client to proxy uses HTTP
- proxy to apiserver uses HTTPS - proxy to apiserver uses HTTPS
- locates apiserver - locates apiserver
- adds authentication headers - adds authentication headers
1. The [apiserver proxy](/docs/tasks/access-application-cluster/access-cluster-services/#discovering-builtin-services): 1. The [apiserver proxy](/docs/tasks/access-application-cluster/access-cluster-services/#discovering-builtin-services):
- is a bastion built into the apiserver - is a bastion built into the apiserver
- connects a user outside of the cluster to cluster IPs which otherwise might not be reachable - connects a user outside of the cluster to cluster IPs which otherwise might not be reachable
- runs in the apiserver processes - runs in the apiserver processes
- client to proxy uses HTTPS (or http if apiserver so configured) - client to proxy uses HTTPS (or http if apiserver so configured)
- proxy to target may use HTTP or HTTPS as chosen by proxy using available information - proxy to target may use HTTP or HTTPS as chosen by proxy using available information
- can be used to reach a Node, Pod, or Service - can be used to reach a Node, Pod, or Service
- does load balancing when used to reach a Service - does load balancing when used to reach a Service
1. The [kube proxy](/docs/concepts/services-networking/service/#ips-and-vips): 1. The [kube proxy](/docs/concepts/services-networking/service/#ips-and-vips):
- runs on each node - runs on each node
- proxies UDP and TCP - proxies UDP and TCP
- does not understand HTTP - does not understand HTTP
- provides load balancing - provides load balancing
- is only used to reach services - is only used to reach services
1. A Proxy/Load-balancer in front of apiserver(s): 1. A Proxy/Load-balancer in front of apiserver(s):
- existence and implementation varies from cluster to cluster (e.g. nginx) - existence and implementation varies from cluster to cluster (e.g. nginx)
- sits between all clients and one or more apiservers - sits between all clients and one or more apiservers
- acts as load balancer if there are several apiservers. - acts as load balancer if there are several apiservers.
1. Cloud Load Balancers on external services: 1. Cloud Load Balancers on external services:
- are provided by some cloud providers (e.g. AWS ELB, Google Cloud Load Balancer) - are provided by some cloud providers (e.g. AWS ELB, Google Cloud Load Balancer)
- are created automatically when the Kubernetes service has type `LoadBalancer` - are created automatically when the Kubernetes service has type `LoadBalancer`
- use UDP/TCP only - use UDP/TCP only
- implementation varies by cloud provider. - implementation varies by cloud provider.
Kubernetes users will typically not need to worry about anything other than the first two types. The cluster admin Kubernetes users will typically not need to worry about anything other than the first two types. The cluster admin
will typically ensure that the latter types are set up correctly. will typically ensure that the latter types are set up correctly.