How do I access the Kubernetes api from within a pod container?

Problem description

I used to be able to curl

https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1beta3/namespaces/default/

as my base URL, but in kubernetes 0.18.0 it gives me "unauthorized". The strange thing is that if I used the external IP address of the API machine (http://172.17.8.101:8080/api/v1beta3/namespaces/default/), it works just fine.

Recommended answer

In the official documentation I found this:

https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod

Apparently I was missing a security token that I didn't need in a previous version of Kubernetes. From that, I devised what I think is a simpler solution than running a proxy or installing golang on my container. See this example that gets the information, from the api, for the current container:

KUBE_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" \
      https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/default/pods/$HOSTNAME

I also include a simple binary, jq (http://stedolan.github.io/jq/download/), to parse the json for use in bash scripts.
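
An added example, not part of the original answer: the same request with the API server certificate verified against the cluster CA instead of `-k`, the namespace read from the mount instead of hard-coded as `default`, and the token kept out of curl's command line. It assumes `ca.crt` and `namespace` are mounted beside `token`, as current Kubernetes does; the function names `curl_config` and `get_self` are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes the default
# service account mount and the env vars Kubernetes injects into pods.
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount

# Print a curl config for "GET this pod". $1 overrides the mount dir.
curl_config() {
    dir=${1:-$SA_DIR}
    for f in token ca.crt namespace; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    [ -n "$KUBERNETES_SERVICE_HOST" ] || { echo "not in a pod?" >&2; return 1; }
    host=$KUBERNETES_SERVICE_HOST
    # An IPv6 service address must be bracketed inside a URL.
    case $host in *:*) host="[$host]" ;; esac
    # Namespace comes from the mount, not a hard-coded "default".
    ns=$(cat "$dir/namespace")
    printf 'url = "https://%s:%s/api/v1/namespaces/%s/pods/%s"\n' \
        "$host" "${KUBERNETES_PORT_443_TCP_PORT:-443}" "$ns" "$HOSTNAME"
    # Verify the API server certificate against the cluster CA (no -k).
    printf 'cacert = "%s"\n' "$dir/ca.crt"
    printf 'header = "Authorization: Bearer %s"\n' "$(cat "$dir/token")"
}

# Feed the config on stdin so the token never appears in curl's argv,
# where other processes could read it from /proc/<pid>/cmdline.
get_self() {
    cfg=$(curl_config "$@") || return 1
    printf '%s\n' "$cfg" | curl -sS --fail --config -
}
# Usage inside a pod: get_self | jq -r .status.podIP
```
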
