The examples in the k8s java client all use default client, see here.
ApiClient client = Config.defaultClient();
Configuration.setDefaultApiClient(client);
How can I configure the k8s client so that it can talk to k8s CRDs (say, sparkoperator) from a k8s cluster pod? How should I configure this client (basePath, authentication)? And what basePath should I use within a pod in the same k8s cluster?
You can use Kubernetes API, you just need to install curl.
curl http://localhost:8080/api/v1/namespaces/default/pods
Just change the localhost to the apiserver IP address/DNS name.
You should read the Kubernetes API documentation.
Also, you will need to configure RBAC for access and permissions. Containers inside a cluster are populated with a token that is being used to authenticate to the API server. You can verify that by executing cat /var/run/secrets/kubernetes.io/serviceaccount/token inside the pod.
With that, your request to the apiserver from inside the container, might look like the following:
curl -ik \
-H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
https://kubernetes.default.svc.cluster.local/api/v1/namespaces/default/pods
You can also install kubectl inside the container, also setting the needed permissions; see this for more details.
I recommend the following reads: Installing kubectl in a Kubernetes Pod and The Kubernetes API call is coming from inside the cluster!
As for other Java clients there are also unofficial client libraries like Java (OSGi) and Java (Fabric8, OSGi).
You can use the defaultClient for that as well.
The defaultClient() method will create an in-cluster client if the application is running inside the cluster and has the correct service account.
You can see the rules for defaultClient from comments on the method here:
/**
* Easy client creation, follows this plan
*
* <ul>
* <li>If $KUBECONFIG is defined, use that config file.
* <li>If $HOME/.kube/config can be found, use that.
* <li>If the in-cluster service account can be found, assume in cluster config.
* <li>Default to localhost:8080 as a last resort.
* </ul>
*
* @return The best APIClient given the previously described rules
*/
So if the application using the k8s java client runs on the cluster itself, it should be able to access stuff on the cluster as long as it has the correct permissions. You need to allow your client application to access the CRDs, like this example of a ClusterRole for CRDs of Prometheus Operator:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: prometheus-crd-view
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["monitoring.coreos.com"]
  resources: ["alertmanagers", "prometheuses", "prometheusrules", "servicemonitors"]
  verbs: ["get", "list", "watch"]
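An added example, not part of the question or either answer: the in-cluster request from the first answer, pointed at a CRD endpoint and verifying the API server certificate against the mounted cluster CA (`ca.crt`) instead of using `curl -k`, with the status codes mapped to the RBAC setup the second answer describes. The function names are hypothetical, and the Spark operator group, version and plural in the last line are assumptions to adjust to the installed CRD.

```shell
#!/bin/sh
# Added example: in-cluster call to a custom resource endpoint with TLS verification.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# Base path of the API server as seen from a pod. Kubernetes injects
# KUBERNETES_SERVICE_HOST/PORT; fall back to the cluster DNS name otherwise.
api_base() {
  if [ -n "${KUBERNETES_SERVICE_HOST:-}" ]; then
    printf 'https://%s:%s\n' "$KUBERNETES_SERVICE_HOST" "${KUBERNETES_SERVICE_PORT:-443}"
  else
    printf 'https://kubernetes.default.svc\n'
  fi
}

# Custom resources live under /apis/<group>/<version>/..., not /api/v1/...
# Usage: crd_path GROUP VERSION PLURAL [NAMESPACE]; no namespace = cluster-wide.
crd_path() {
  if [ -n "${4:-}" ]; then
    printf '/apis/%s/%s/namespaces/%s/%s\n' "$1" "$2" "$4" "$3"
  else
    printf '/apis/%s/%s/%s\n' "$1" "$2" "$3"
  fi
}

# Map the HTTP status to what it says about the pod's identity and RBAC.
explain_status() {
  case "$1" in
    200) echo "ok" ;;
    401) echo "unauthenticated: token missing, expired or not accepted" ;;
    403) echo "forbidden: service account lacks an RBAC rule for this resource" ;;
    404) echo "not found: CRD not installed or wrong group/version/plural" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# List custom resources in the pod's own namespace. Returns 0 on HTTP 200,
# 1 on any other status, 2 if credentials are missing or the request fails.
list_crd() {
  ns=$(cat "$SA_DIR/namespace") || return 2
  body=$(mktemp) || return 2
  code=$(curl -sS --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" -o "$body" -w '%{http_code}' \
    "$(api_base)$(crd_path "$1" "$2" "$3" "$ns")") || { rm -f "$body"; return 2; }
  explain_status "$code" >&2
  rc=1; [ "$code" = 200 ] && cat "$body" && rc=0
  rm -f "$body"; return "$rc"
}
# Assumed values: list_crd sparkoperator.k8s.io v1beta2 sparkapplications
```

A 403 from `list_crd` means the pod authenticated but its service account still needs a Role or ClusterRole (bound with a RoleBinding or ClusterRoleBinding) covering that API group and resource.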