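Debugging the Kubernetes API with curl
kubectl executes commands by calling the Kubernetes API. With the corresponding TLS keys, we can do the same thing using curl or a Golang client.
API requests must be sent in JSON format. kubectl's role is to convert .yaml into JSON for the API request.
1. We start by looking at kubectl's configuration file. We need three certificates and the API server address: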
[root@node172 ~]# cat /root/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base64-encoded CA certificate omitted>
    server: https://192.168.113.172:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: <base64-encoded client certificate omitted>
    client-key-data: <base64-encoded client private key omitted>
[root@node172 ~]#
2. We will store the certificates in environment variables. Check each value as you set it. We start with client-certificate-data.
export clientcert=$(grep client-cert ~/.kube/config |cut -d" " -f 6)
echo $clientcert
3. Use a similar command to save client-key-data as an environment variable:
export clientkey=$(grep client-key-data ~/.kube/config |cut -d" " -f 6)
echo $clientkey
4. Then certificate-authority-data:
export certauth=$(grep certificate-authority-data ~/.kube/config |cut -d" " -f 6)
echo $certauth
5. Decode these base64-encoded variables into files for curl to use:
echo $clientcert | base64 -d > ./client.pem
echo $clientkey | base64 -d > ./client-key.pem
echo $certauth | base64 -d > ./ca.pem
6. Read the server address from the configuration:
kubectl config view |grep server
server: https://192.168.113.172:6443
7. Use curl with the key files we just decoded to access the API server:
curl --cert ./client.pem --key ./client-key.pem --cacert ./ca.pem https://192.168.113.172:6443/api/v1/pods
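
The steps above, collected into one script as an added example (not from the original page): it reads the same three kubeconfig fields, but creates the PEM files with mode 0600 so the client key is not left readable by other users, and it fails if a field is missing. The function names, the ./creds directory and the sample kubeconfig values are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (names are illustrative): decode kubeconfig credentials into
# PEM files that are owner-readable only.

# Print the base64 value of key $2 (e.g. client-key-data) in kubeconfig $1.
# awk splits on any whitespace, so unlike `cut -d" " -f 6` it does not depend
# on the exact indentation. Assumes one cluster/user; the first match wins.
kubeconfig_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# Decode CA cert, client cert and client key from kubeconfig $1 into dir $2.
extract_k8s_creds() {
    local file=$1 outdir=$2 key out value
    mkdir -p "$outdir" || return 1
    for key in certificate-authority-data client-certificate-data client-key-data; do
        case $key in
            certificate-authority-data) out=ca.pem ;;
            client-certificate-data)    out=client.pem ;;
            client-key-data)            out=client-key.pem ;;
        esac
        value=$(kubeconfig_field "$file" "$key")
        [ -n "$value" ] || { echo "missing $key in $file" >&2; return 1; }
        # umask 077 in a subshell so each file is created with mode 0600
        ( umask 077; printf '%s' "$value" | base64 -d > "$outdir/$out" ) || return 1
    done
}

# Constructed sample kubeconfig with dummy values (not real certificates).
make_sample_kubeconfig() {
    cat > "$1" <<EOF
clusters:
- cluster:
    certificate-authority-data: $(printf 'constructed-ca' | base64)
    server: https://192.168.113.172:6443
users:
- name: kubernetes-admin
  user:
    client-certificate-data: $(printf 'constructed-cert' | base64)
    client-key-data: $(printf 'constructed-key' | base64)
EOF
}

# Against a real cluster, followed by the same curl call as in step 7:
#   extract_k8s_creds ~/.kube/config ./creds
#   curl --cert ./creds/client.pem --key ./creds/client-key.pem \
#        --cacert ./creds/ca.pem https://192.168.113.172:6443/api/v1/pods
```

Delete the decoded files when debugging is finished; the client key for kubernetes-admin grants full access to the cluster.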