|
| 1 | +--- |
| 2 | +title: 从 Pod 中访问 Kubernetes API |
| 3 | +content_type: task |
| 4 | +weight: 120 |
| 5 | +--- |
| 6 | + |
| 7 | +<!-- |
| 8 | +title: Accessing the Kubernetes API from a Pod |
| 9 | +content_type: task |
| 10 | +weight: 120 |
| 11 | +--> |
| 12 | + |
| 13 | +<!-- overview --> |
| 14 | + |
| 15 | +<!-- |
| 16 | +This guide demonstrates how to access the Kubernetes API from within a pod. |
| 17 | +--> |
| 18 | +本指南演示了如何从 Pod 中访问 Kubernetes API。 |
| 19 | + |
| 20 | +## {{% heading "prerequisites" %}} |
| 21 | + |
| 22 | +{{< include "task-tutorial-prereqs.md" >}} |
| 23 | + |
| 24 | +<!-- steps --> |
| 25 | + |
| 26 | +<!-- |
| 27 | +## Accessing the API from within a Pod |
| 28 | +
|
| 29 | +When accessing the API from within a Pod, locating and authenticating |
| 30 | +to the API server are slightly different to the external client case. |
| 31 | +--> |
| 32 | +### 从 Pod 中访问 API {#accessing-the-api-from-within-a-pod} |
| 33 | + |
| 34 | +从 Pod 内部访问 API 时,定位 API 服务器和向服务器认证身份的操作 |
| 35 | +与外部客户端场景不同。 |
| 36 | + |
| 37 | +<!-- |
| 38 | +The easiest way to use the Kubernetes API from a Pod is to use |
| 39 | +one of the official [client libraries](/docs/reference/using-api/client-libraries/). These |
| 40 | +libraries can automatically discover the API server and authenticate. |
| 41 | +--> |
| 42 | +从 Pod 使用 Kubernetes API 的最简单的方法就是使用官方的 |
| 43 | +[客户端库](/zh/docs/reference/using-api/client-libraries/)。 |
| 44 | +这些库可以自动发现 API 服务器并进行身份验证。 |
| 45 | + |
| 46 | +<!-- |
| 47 | +### Using Official Client Libraries |
| 48 | +
|
| 49 | +From within a Pod, the recommended ways to connect to the Kubernetes API are: |
| 50 | +
|
| 51 | + - For a Go client, use the official [Go client library](https://github.com/kubernetes/client-go/). |
| 52 | + The `rest.InClusterConfig()` function handles API host discovery and authentication automatically. |
| 53 | + See [an example here](https://git.k8s.io/client-go/examples/in-cluster-client-configuration/main.go). |
| 54 | +
|
| 55 | + - For a Python client, use the official [Python client library](https://github.com/kubernetes-client/python/). |
| 56 | + The `config.load_incluster_config()` function handles API host discovery and authentication automatically. |
| 57 | + See [an example here](https://github.com/kubernetes-client/python/blob/master/examples/in_cluster_config.py). |
| 58 | +
|
| 59 | + - There are a number of other libraries available, please refer to the [Client Libraries](/docs/reference/using-api/client-libraries/) page. |
| 60 | +
|
| 61 | +In each case, the service account credentials of the Pod are used to communicate |
| 62 | +securely with the API server. |
| 63 | +--> |
| 64 | +#### 使用官方客户端库 {#using-official-client-libraries} |
| 65 | + |
| 66 | +从一个 Pod 内部连接到 Kubernetes API 的推荐方式为: |
| 67 | + |
| 68 | +- 对于 Go 语言客户端,使用官方的 [Go 客户端库](https://github.com/kubernetes/client-go/)。 |
| 69 | + 函数 `rest.InClusterConfig()` 自动处理 API 主机发现和身份认证。 |
| 70 | + 参见[这里的一个例子](https://git.k8s.io/client-go/examples/in-cluster-client-configuration/main.go)。 |
| 71 | + |
| 72 | +- 对于 Python 客户端,使用官方的 [Python 客户端库](https://github.com/kubernetes-client/python/)。 |
| 73 | + 函数 `config.load_incluster_config()` 自动处理 API 主机的发现和身份认证。 |
| 74 | + 参见[这里的一个例子](https://github.com/kubernetes-client/python/blob/master/examples/in_cluster_config.py)。 |
| 75 | + |
| 76 | +- 还有一些其他可用的客户端库,请参阅[客户端库](/zh/docs/reference/using-api/client-libraries/)页面。 |
| 77 | + |
| 78 | +在以上场景中,客户端库都使用 Pod 的服务账号凭据来与 API 服务器安全地通信。 |
| 79 | + |
| 80 | +<!-- |
| 81 | +### Directly accessing the REST API |
| 82 | +
|
| 83 | +While running in a Pod, the Kubernetes apiserver is accessible via a Service named |
| 84 | +`kubernetes` in the `default` namespace. Therefore, Pods can use the |
| 85 | +`kubernetes.default.svc` hostname to query the API server. Official client libraries |
| 86 | +do this automatically. |
| 87 | +--> |
| 88 | +#### 直接访问 REST API {#directly-accessing-the-rest-api} |
| 89 | + |
| 90 | +在运行在 Pod 中时,可以通过 `default` 命名空间中的名为 `kubernetes` 的服务访问 |
| 91 | +Kubernetes API 服务器。也就是说,Pod 可以使用 `kubernetes.default.svc` 主机名 |
| 92 | +来查询 API 服务器。官方客户端库自动完成这个工作。 |
| 93 | + |
| 94 | +<!-- |
| 95 | +The recommended way to authenticate to the API server is with a |
| 96 | +[service account](/docs/tasks/configure-pod-container/configure-service-account/) credential. By default, a Pod |
| 97 | +is associated with a service account, and a credential (token) for that |
| 98 | +service account is placed into the filesystem tree of each container in that Pod, |
| 99 | +at `/var/run/secrets/kubernetes.io/serviceaccount/token`. |
| 100 | +--> |
| 101 | +向 API 服务器进行身份认证的推荐做法是使用 |
| 102 | +[服务账号](/zh/docs/tasks/configure-pod-container/configure-service-account/)凭据。 |
| 103 | +默认情况下,每个 Pod 与一个服务账号关联,该服务账户的凭证(令牌)放置在此 Pod 中 |
| 104 | +每个容器的文件系统树中的 `/var/run/secrets/kubernetes.io/serviceaccount/token` 处。 |
| 105 | + |
| 106 | +<!-- |
| 107 | +If available, a certificate bundle is placed into the filesystem tree of each |
| 108 | +container at `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`, and should be |
| 109 | +used to verify the serving certificate of the API server. |
| 110 | +--> |
| 111 | +如果证书包可用,则凭证包被放入每个容器的文件系统树中的 |
| 112 | +`/var/run/secrets/kubernetes.io/serviceaccount/ca.crt` 处, |
| 113 | +且将被用于验证 API 服务器的服务证书。 |
| 114 | + |
| 115 | +<!-- |
| 116 | +Finally, the default namespace to be used for namespaced API operations is placed in a file |
| 117 | +at `/var/run/secrets/kubernetes.io/serviceaccount/namespace` in each container. |
| 118 | +--> |
| 119 | +最后,用于命名空间域 API 操作的默认命名空间放置在每个容器中的 |
| 120 | +`/var/run/secrets/kubernetes.io/serviceaccount/namespace` 文件中。 |
| 121 | + |
| 122 | +<!-- |
| 123 | +### Using kubectl proxy |
| 124 | +
|
| 125 | +If you would like to query the API without an official client library, you can run `kubectl proxy` |
| 126 | +as the [command](/docs/tasks/inject-data-application/define-command-argument-container/) |
| 127 | +of a new sidecar container in the Pod. This way, `kubectl proxy` will authenticate |
| 128 | +to the API and expose it on the `localhost` interface of the Pod, so that other containers |
| 129 | +in the Pod can use it directly. |
| 130 | +--> |
| 131 | +#### 使用 kubectl proxy {#use-kubectl-proxy} |
| 132 | + |
| 133 | +如果你希望不使用官方客户端库就完成 API 查询,可以将 `kubectl proxy` 作为 |
| 134 | +[command](/zh/docs/tasks/inject-data-application/define-command-argument-container/) |
| 135 | +在 Pod 中启动一个边车(Sidecar)容器。这样,`kubectl proxy` 自动完成对 API |
| 136 | +的身份认证,并将其暴露到 Pod 的 `localhost` 接口,从而 Pod 中的其他容器可以 |
| 137 | +直接使用 API。 |
| 138 | + |
| 139 | +<!-- |
| 140 | +### Without using a proxy |
| 141 | +
|
| 142 | +It is possible to avoid using the kubectl proxy by passing the authentication token |
| 143 | +directly to the API server. The internal certificate secures the connection. |
| 144 | +--> |
| 145 | +### 不使用代理 {#without-using-a-proxy} |
| 146 | + |
| 147 | +通过将认证令牌直接发送到 API 服务器,也可以避免运行 kubectl proxy 命令。 |
| 148 | +内部的证书机制能够为链接提供保护。 |
| 149 | + |
| 150 | +```shell |
| 151 | +# 指向内部 API 服务器的主机名 |
| 152 | +APISERVER=https://kubernetes.default.svc |
| 153 | + |
| 154 | +# 服务账号令牌的路径 |
| 155 | +SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount |
| 156 | + |
| 157 | +# 读取 Pod 的名字空间 |
| 158 | +NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) |
| 159 | + |
| 160 | +# 读取服务账号的持有者令牌 |
| 161 | +TOKEN=$(cat ${SERVICEACCOUNT}/token) |
| 162 | + |
| 163 | +# 引用内部证书机构(CA) |
| 164 | +CACERT=${SERVICEACCOUNT}/ca.crt |
| 165 | + |
| 166 | +# 使用令牌访问 API |
| 167 | +curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api |
| 168 | +``` |
| 169 | + |
| 170 | +<!-- |
| 171 | +The output will be similar to this: |
| 172 | +--> |
| 173 | +输出类似于: |
| 174 | + |
| 175 | +```json |
| 176 | +{ |
| 177 | + "kind": "APIVersions", |
| 178 | + "versions": [ |
| 179 | + "v1" |
| 180 | + ], |
| 181 | + "serverAddressByClientCIDRs": [ |
| 182 | + { |
| 183 | + "clientCIDR": "0.0.0.0/0", |
| 184 | + "serverAddress": "10.0.1.149:443" |
| 185 | + } |
| 186 | + ] |
| 187 | +} |
| 188 | +``` |
0 commit comments