Remote Access to Kubernetes API Without the Proxy

4/9/2016

I am trying to gain remote access to the Kubernetes API (primarily from our Jenkins server) so we can perform RESTful actions and not rely on kubectl. Ideally, I'd like to do this in Go or Python but none of the libraries I have tried have been successful, and using urllib2 directly returns a variety of errors. I have been able to connect via curl (albeit with some weird errors as well) but I was hoping to not have to form curl GET/PUT requests for all of this.

So my question is: can some kind soul (perhaps someone from Google?) outline the steps I need to properly auth with the Kubernetes API server from a remote location? Any guidance is greatly appreciated, as I am interested in learning more about x509 but am struggling to tie all of the pieces together.

Curl structure which basically works

These .pem files were manually created from the values in ~/.kube/config

$ curl --header "Authorization: Bearer $TOKEN" -key key.pem -cacert ca.pem -cert client.pem https://MASTER_IP/api
curl: (6) Could not resolve host: key.pem
curl: (6) Could not resolve host: ca.pem
curl: (6) Could not resolve host: client.pem
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "172.20.0.9:443"
    }
  ]
}

4/14/2016 Update: So it seems that I needed to rename some of these as .crt files. After reading about potential issues with curl, I gave wget a go and it seems to have no problems, without even specifying an auth header. Any insight into client-based authentication is appreciated.

$ wget -qO- https://MASTER_IP/api --certificate client-decoded.crt --private-key clean-key.pem --ca-certificate ca.crt
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "172.20.0.9:443"
    }
  ]
}
-- smugcloud
client-certificates
kubernetes
python
x509certificate
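
An added example (not part of the original question or answer) of what the hand-made .pem files amount to, in Python: it decodes the credential fields of a kubeconfig, writes them out as PEM files, and calls the API with a TLS context that verifies the server against the cluster CA while presenting the client certificate. It assumes the kubeconfig is supplied in JSON form (for instance the output of `kubectl config view --raw -o json`) with embedded `*-data` fields; the function names, file names and sample values are illustrative.

```python
import base64
import json
import os
import ssl
import urllib.request

# Constructed sample kubeconfig (JSON form); the decoded values are placeholders.
SAMPLE_KUBECONFIG = json.dumps({
    "current-context": "demo",
    "contexts": [{"name": "demo", "context": {"cluster": "c1", "user": "u1"}}],
    "clusters": [{"name": "c1", "cluster": {
        "server": "https://MASTER_IP",
        "certificate-authority-data": base64.b64encode(b"CA-PEM").decode()}}],
    "users": [{"name": "u1", "user": {
        "client-certificate-data": base64.b64encode(b"CERT-PEM").decode(),
        "client-key-data": base64.b64encode(b"KEY-PEM").decode()}}],
})

def _named(items, name, key):
    # contexts, clusters and users are lists of {"name": ..., key: {...}}
    return next(i[key] for i in items if i["name"] == name)

def extract_credentials(kubeconfig_json):
    """Decode server URL, CA, client cert and key for the current context."""
    cfg = json.loads(kubeconfig_json)
    ctx = _named(cfg["contexts"], cfg["current-context"], "context")
    cluster = _named(cfg["clusters"], ctx["cluster"], "cluster")
    user = _named(cfg["users"], ctx["user"], "user")
    return {
        "server": cluster["server"],
        "ca.crt": base64.b64decode(cluster["certificate-authority-data"]),
        "client.crt": base64.b64decode(user["client-certificate-data"]),
        "client.key": base64.b64decode(user["client-key-data"]),
    }

def write_pem_files(creds, directory):
    """Write each PEM blob to a new file created owner-only (mode 0600)."""
    paths = {n: os.path.join(directory, n) for n in ("ca.crt", "client.crt", "client.key")}
    for name, path in paths.items():
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(creds[name])
    return paths

def get_api(server, paths):
    """GET <server>/api over mutual TLS; the server cert is checked against ca.crt."""
    tls = ssl.create_default_context(cafile=paths["ca.crt"])
    tls.load_cert_chain(certfile=paths["client.crt"], keyfile=paths["client.key"])
    with urllib.request.urlopen(server + "/api", context=tls) as resp:
        return json.load(resp)
```

In the curl command above, the single-dash `-key` is parsed by curl as `-k -e y` and `-cacert`/`-cert` as `-c` with a cookie-jar name, which is why the three file names were treated as hosts and the request went out with server certificate verification switched off. The context built in `get_api` keeps verification on, so the API server certificate must chain to `ca.crt` and match the address used.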

1 Answer

6/1/2016

Have a look at the client libraries supported (https://github.com/kubernetes/kubernetes/blob/release-1.2/docs/devel/client-libraries.md).

To connect with the official Go client, something like this should work. You can easily pass in a kubeCfgFile and then the client will use that to connect:

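// kclient, kclientcmd and glog are packages imported elsewhere in the program.
// argKubeMasterURL and argKubecfgFile are *string values (presumably
// command-line flags) and expandKubeMasterURL is a helper; none are shown here.
func newKubeClient() (*kclient.Client, error) {
    var (
        config    *kclient.Config
        err       error
        masterURL string
    )

    if *argKubeMasterURL != "" {
        masterURL, err = expandKubeMasterURL()

        if err != nil {
            return nil, err
        }
    }

    if masterURL != "" && *argKubecfgFile == "" {
        // Only a master URL was given: this config carries no client
        // certificate, key, CA or token.
        config = &kclient.Config{
            Host:    masterURL,
            Version: "v1",
        }
    } else {
        // Load server address, CA and client credentials from the kubeconfig
        // file; a non-empty masterURL overrides the server address in the file.
        overrides := &kclientcmd.ConfigOverrides{}
        overrides.ClusterInfo.Server = masterURL
        rules := &kclientcmd.ClientConfigLoadingRules{ExplicitPath: *argKubecfgFile}
        if config, err = kclientcmd.NewNonInteractiveDeferredLoadingClientConfig(rules, overrides).ClientConfig(); err != nil {
            return nil, err
        }
    }

    glog.Infof("Using %s for kubernetes master", config.Host)
    glog.Infof("Using kubernetes API %s", config.Version)
    return kclient.New(config)
}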
-- Steve Sloka
Source: StackOverflow