[root@localhost ~]# curl https://172.16.10.87:6443/api/v1/namespaces
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
这是由于缺少 ca 证书,在集群 master 服务器通过下面的命令拿到 ca 证书
kubectl get secret \
$(kubectl get secrets | grep default-token | awk '{print $1}') \
-o jsonpath="{['data']['ca\.crt']}" | base64 --decode
我这里的证书:由于是 rancher 部署的 k8s,所有证书都是 rancher 生成的。下面直接拿 kube-apiserver 的证书和私钥当客户端证书,仅为演示;该私钥是 apiserver 自身的身份凭据,不应分发给客户端使用
[root@localhost ssl]# curl --cacert /etc/kubernetes/ssl/kube-ca.pem --cert /etc/kubernetes/ssl/kube-apiserver.pem --key /etc/kubernetes/ssl/kube-apiserver-key.pem https://172.16.10.87:6443/api
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "172.16.10.87:6443"
}
]
}
[root@localhost ssl]# curl --cacert /etc/kubernetes/ssl/kube-ca.pem --cert /etc/kubernetes/ssl/kube-apiserver.pem --key /etc/kubernetes/ssl/kube-apiserver-key.pem https://172.16.10.87:6443/api/v1/namespaces
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "namespaces is forbidden: User \"kube-apiserver\" cannot list resource \"namespaces\" in API group \"\" at the cluster scope",
"reason": "Forbidden",
"details": {
"kind": "namespaces"
},
"code": 403
但是权限不够(证书对应的用户 kube-apiserver 没有 list namespaces 的 RBAC 权限),需要自己创建 sa、生成 token,并和集群 cluster-admin 绑定获取最高权限
这是由于缺少与 ServiceAccount 对应的 access token ,创建一个 ServiceAccount
kubectl create serviceaccount wubo-sa -n kube-system
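将该账号加入到 cluster-admin 角色(注意:cluster-admin 拥有集群的全部权限,这个 token 一旦泄露就等于交出整个集群;如果只是列出 namespaces,自建一个只含 namespaces get/list 的 ClusterRole 再绑定即可,用完后删除 sa 和 clusterrolebinding。另外 clusterrolebinding 是集群级资源,命令里的 -n kube-system 不起作用)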
kubectl create clusterrolebinding wubo-sa-binding --clusterrole=cluster-admin --serviceaccount=kube-system:wubo-sa -n kube-system
拿到该账号对应的 access token
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep wubo-sa | awk '{print $1}')
TOKEN="上面获取的token"
curl 命令带上 access token 连接集群
curl --cacert ca.crt -H "Authorization: Bearer $TOKEN" https://k8s-api:6443
连接成功
[root@localhost ~]# curl --cacert /etc/kubernetes/ssl/kube-ca.pem -H "Authorization: Bearer $TOKEN" https://172.16.10.87:6443/api/v1/namespaces
{
"kind": "NamespaceList",
"apiVersion": "v1",
"metadata": {
"selfLink": "/api/v1/namespaces",
"resourceVersion": "3298896"
},
"items": [
{
"metadata": {
"name": "cattle-system",
"selfLink": "/api/v1/namespaces/cattle-system",
"uid": "fff268f0-97d1-4e96-bf0f-99968866c25c",
"resourceVersion": "1015",
"creationTimestamp": "2021-12-01T05:37:59Z",
"labels": {
"field.cattle.io/projectId": "p-mr2hv"
},
"annotations": {
"cattle.io/status": "{\"Conditions\":[{\"Type\":\"ResourceQuotaInit\",\"Status\":\"True\",\"Message\":\"\",\"LastUpdateTime\":\"2021-12-01T05:38:07Z\"},{\"Type\":\"InitialRolesPopulated\",\"Status\":\"True\",\"Message\":\"\",\"LastUpdateTime\":\"2021-12-01T05:38:12Z\"}]}",
"field.cattle.io/projectId": "c-t5kwm:p-mr2hv",
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Namespace\",\"metadata\":{\"annotations\":{},\"name\":\"cattle-system\"}}\n",
"lifecycle.cattle.io/create.namespace-auth": "true"
},
"finalizers": [
"controller.cattle.io/namespace-auth"
]
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
},
{
"metadata": {
"name": "default",
"selfLink": "/api/v1/namespaces/default",
"uid": "5afcefbf-a3c0-4355-b836-56817021b10c",
"resourceVersion": "1008",
"creationTimestamp": "2021-12-01T05:37:10Z",
"labels": {
"field.cattle.io/projectId": "p-vqvrc"
},
"annotations": {
"cattle.io/status": "{\"Conditions\":[{\"Type\":\"ResourceQuotaInit\",\"Status\":\"True\",\"Message\":\"\",\"LastUpdateTime\":\"2021-12-01T05:38:07Z\"},{\"Type\":\"InitialRolesPopulated\",\"Status\":\"True\",\"Message\":\"\",\"LastUpdateTime\":\"2021-12-01T05:38:12Z\"}]}",
"field.cattle.io/projectId": "c-t5kwm:p-vqvrc",
"lifecycle.cattle.io/create.namespace-auth": "true"
},
"finalizers": [
"controller.cattle.io/namespace-auth"
]
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
连接集群三要素: 1)control plane 地址(api server 地址) 2)集群 ca 证书 3)ServiceAccount token(访问 api server 的 access token)
===================================================
大多数K8S API资源类型是“objects”,代表群集上的概念的具体实例,如pod或namespace。少数API资源类型是virtual,通常表示操作而不是对象,例如权限检查。所有对象都将具有唯一的名称以允许幂等创建和检索,但如果virtual资源类型不可检索或不依赖于幂等,则virtual资源类型可能不具有唯一名称。
1.使用kubectl proxy访问
1.1.本地监听
启动kubectl proxy,不带任何参数只在本地监听,使用的是http协议,无需提供任何凭证就可以访问(请求由 proxy 以当前 kubeconfig 的身份转发,所以本机上任何能访问 127.0.0.1:8001 的进程都拥有该身份的权限)
[root@localhost ~]# kubectl proxy
Starting to serve on 127.0.0.1:8001
验证api访问
[root@localhost ~]# curl http://127.0.0.1:8001
{"type":"collection","links":{"self":"https://127.0.0.1:8001/"},"actions":{},"pagination":{"limit":1000,"total":4},"sort":{"order":"asc","reverse":"https://127.0.0.1:8001/?order=desc"},"resourceType":"apiRoot","data":[{"apiVersion":{"group":"meta.cattle.io","path":"/meta","version":"v1"},"baseType":"apiRoot","links":{"apiRoots":"https://127.0.0.1:8001/meta/apiroots","root":"https://127.0.0.1:8001/meta","schemas":"https://127.0.0.1:8001/meta/schemas","self":"https://127.0.0.1:8001/meta","subscribe":"https://127.0.0.1:8001/meta/subscribe"},"type":"apiRoot"},{"apiVersion":{"group":"management.cattle.io","path":"/v3","version":"v3"},"baseType":"apiRoot","links":{"authConfigs":"https://127.0.0.1:8001/v3/authconfigs","catalogs":"https://127.0.0.1:8001/v3/catalogs","cloudCredentials":"https://127.0.0.1:8001/v3/cloudcredentials","clusterAlertGroups":"https://127.0.0.1:8001/v3/clusteralertgroups","clusterAlertRules":"https://127.0.0.1:8001/v3/clusteralertrules","clusterAlerts":"https://127.0.0.1:8001/v3/clusteralerts","clusterCatalogs":"https://127.0.0.1:8001/v3/clustercatalogs","clusterLoggings":"https://127.0.0.1:8001/v3/clusterloggings","clusterMonitorGraphs":"https://127.0.0.1:8001/v3/clustermonitorgraphs","clusterRegistrationTokens":"https://127.0.0.1:8001/v3/clusterregistrationtokens","clusterRoleTemplateBindings":"https://127.0.0.1:8001/v3/clusterroletemplatebindings","clusterScans":"https://127.0.0.1:8001/v3/clusterscans","clusterTemplateRevisions":"https://127.0.0.1:8001/v3/clustertemplaterevisions","clusterTemplates":"https://127.0.0.1:8001/v3/clustertemplates","clusters":"https://127.0.0.1:8001/v3/clusters","composeConfigs":"https://127.0.0.1:8001/v3/composeconfigs","dynamicSchemas":"https://127.0.0.1:8001/v3/dynamicschemas","etcdBackups":"https://127.0.0.1:8001/v3/etcdbackups","features":"https://127.0.0.1:8001/v3/features","globalRoleBindings":"https://127.0.0.1:8001/v3/globalrolebindings","globalRoles":"https://127.0.0.1:8001/v3/globalroles","groupMembers":"htt
ps://127.0.0.1:8001/v3/groupmembers","groups":"https://127.0.0.1:8001/v3/groups","kontainerDrivers":"https://127.0.0.1:8001/v3/kontainerdrivers","ldapConfigs":"https://127.0.0.1:8001/v3/ldapconfigs","listenConfigs":"https://127.0.0.1:8001/v3/listenconfigs","managementSecrets":"https://127.0.0.1:8001/v3/managementsecrets","monitorMetrics":"https://127.0.0.1:8001/v3/monitormetrics","multiClusterAppRevisions":"https://127.0.0.1:8001/v3/multiclusterapprevisions","multiClusterApps":"https://127.0.0.1:8001/v3/multiclusterapps","nodeDrivers":"https://127.0.0.1:8001/v3/nodedrivers","nodePools":"https://127.0.0.1:8001/v3/nodepools","nodeTemplates":"https://127.0.0.1:8001/v3/nodetemplates","nodes":"https://127.0.0.1:8001/v3/nodes","notifiers":"https://127.0.0.1:8001/v3/notifiers","podSecurityPolicyTemplateProjectBindings":"https://127.0.0.1:8001/v3/podsecuritypolicytemplateprojectbindings","podSecurityPolicyTemplates":"https://127.0.0.1:8001/v3/podsecuritypolicytemplates","preferences":"https://127.0.0.1:8001/v3/preferences","principals":"https://127.0.0.1:8001/v3/principals","projectAlertGroups":"https://127.0.0.1:8001/v3/projectalertgroups","projectAl
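但是访问无效,不知道什么原因(从上面的返回内容看,拿到的是 rancher 的 API 根(meta.cattle.io、management.cattle.io),而不是 k8s apiserver;推测是当前 kubeconfig 上下文指向了 rancher 的代理地址,所以 /api 路径不存在,待确认)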
[root@localhost ~]# curl http://127.0.0.1:8001/api
404 page not found
1.2.网络监听
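启动kubectl proxy,使用网卡IP,从其他机器访问。--accept-hosts 是用来匹配请求 Host 的正则,'^*$' 表示接受任意 Host(并不是按源IP过滤),否则会显示不被授权。注意:这样监听之后,任何能连到 172.16.10.87:9999 的机器都可以不带凭证、以启动 proxy 的 kubeconfig 身份访问集群,只应在受信任的网络里临时使用,并用防火墙限制来源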
[root@localhost ~]# kubectl proxy --address='172.16.10.87' --accept-hosts='^*$' --port=9999
Starting to serve on 172.16.10.87:9999
验证同1.1一样
2.直接访问api
2.1.获取集群名称和api地址
[root@localhost ~]# kubectl config view -o jsonpath='{"Cluster name\tServer\n"}{range .clusters[*]}{.name}{"\t"}{.cluster.server}{"\n"}{end}'
Cluster name Server
jettech https://172.16.10.87:8443/k8s/clusters/c-t5kwm
jettech-172.16.10.87 https://172.16.10.87:6443
[root@localhost ~]# export CLUSTER_NAME="jettech"
[root@localhost ~]# APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")
[root@localhost ~]# echo $APISERVER
https://172.16.10.87:8443/k8s/clusters/c-t5kwm
2.2.使用serviceaccount来访问
创建serviceaccount并绑定集群角色cluster-admin
[root@localhost ~]# kubectl create serviceaccount sa-wubo
serviceaccount/sa-wubo created
[root@localhost ~]# kubectl create clusterrolebinding sa-wubo-cluster-admin --clusterrole='cluster-admin' --serviceaccount=default:sa-wubo
clusterrolebinding.rbac.authorization.k8s.io/sa-wubo-cluster-admin created
[root@localhost ~]# kubectl get sa | grep wubo
sa-wubo 1 24s
查看sa
[root@localhost ~]# kubectl describe sa sa-wubo
Name: sa-wubo
Namespace: default
Labels: <none>
Annotations: <none>
Image pull secrets: <none>
Mountable secrets: sa-wubo-token-ggp2h
Tokens: sa-wubo-token-ggp2h
Events: <none
查看clusterrolebinding
[root@localhost ~]# kubectl get clusterrolebinding | grep sa-wubo-cluster-admin
sa-wubo-cluster-admin 44s
[root@localhost ~]# kubectl describe clusterrolebinding sa-wubo-cluster-admin
Name: sa-wubo-cluster-admin
Labels: <none>
Annotations: <none>
Role:
Kind: ClusterRole
Name: cluster-admin
Subjects:
Kind Name Namespace
---- ---- ---------
ServiceAccount sa-wubo default
查看secrets:在创建sa的时候会自动创建secrets,sa和secrets都是区分namespace的,如
[root@localhost ~]# kubectl get secrets --all-namespaces | grep wubo
default sa-wubo-token-ggp2h kubernetes.io/service-account-token 3 3m10s
kube-system wubo-admin-token-2twrk kubernetes.io/service-account-token 3 22h
[root@localhost ~]# kubectl get secrets
NAME TYPE DATA AGE
default-token-db9qp kubernetes.io/service-account-token 3 15d
sa-wubo-token-ggp2h kubernetes.io/service-account-token 3 118s
[root@localhost ~]# kubectl get secrets | grep sa-wubo-token-ggp2h
sa-wubo-token-ggp2h kubernetes.io/service-account-token 3 2m4s
[root@localhost ~]# kubectl describe secrets sa-wubo-token-ggp2h
Name: sa-wubo-token-ggp2h
Namespace: default
Labels: <none>
Annotations: kubernetes.io/service-account.name: sa-wubo
kubernetes.io/service-account.uid: a182ecb9-8ddf-42f0-b1c9-4a45c63066c2
Type: kubernetes.io/service-account-token
Data
====
ca.crt: 1017 bytes
namespace: 7 bytes
token: eyJhbGciOiJSUzI1NiIsImtpZCI6Ikt0R3c2S1lTTUxKQUVNX3U0OWpzSS1iN2NYcnRXcE5aRWlCdjZYa2xuaWMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InNhLXd1Ym8tdG9rZW4tZ2dwMmgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoic2Etd3VibyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImExODJlY2I5LThkZGYtNDJmMC1iMWM5LTRhNDVjNjMwNjZjMiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnNhLXd1Ym8ifQ.d-N3sRybudYaolQBtDeh4mS3k5BvTTYD5J4jqEVKqkRtLccg4KYA9vN_7zhqwbBE3IaY5oWlecwfz_G3a-f4g04SLum5mgGWq05U14lohIwzyGQiCrOPFjP9zWj6RqqNk9yS1_rjf9vCkV7nIIv1jKfWjLnoCaUvbpz5whCeOLgckKch87HYjfjrcqC0uWschhfKXJyLyJo3xUhIoOy0AgXmI0GKXEFRuir1A-fSbd-Kv5Ze8GTI1uIn1P4vS4chGBVthWQxIqT1tBm-PCxkr9LvlPj3XzaxU_qTKOEeZEjghjVUwW2weq9OwrcPP6ztgnLAHpy1bK_51gVEXSLs1w
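获取serviceaccount sa-wubo的secret token(这种 secret 里的 token 长期有效,而且本例绑定了 cluster-admin;echo 出来的内容不要贴到文档、工单或日志里,已经外泄的 token 应删除对应的 secret/sa 使其失效)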
[root@localhost ~]# TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='sa-wubo')].data.token}"|base64 -d)
[root@localhost ~]# echo $TOKEN
eyJhbGciOiJSUzI1NiIsImtpZCI6Ikt0R3c2S1lTTUxKQUVNX3U0OWpzSS1iN2NYcnRXcE5aRWlCdjZYa2xuaWMifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6InNhLXd1Ym8tdG9rZW4tZ2dwMmgiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoic2Etd3VibyIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImExODJlY2I5LThkZGYtNDJmMC1iMWM5LTRhNDVjNjMwNjZjMiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OnNhLXd1Ym8ifQ.d-N3sRybudYaolQBtDeh4mS3k5BvTTYD5J4jqEVKqkRtLccg4KYA9vN_7zhqwbBE3IaY5oWlecwfz_G3a-f4g04SLum5mgGWq05U14lohIwzyGQiCrOPFjP9zWj6RqqNk9yS1_rjf9vCkV7nIIv1jKfWjLnoCaUvbpz5whCeOLgckKch87HYjfjrcqC0uWschhfKXJyLyJo3xUhIoOy0AgXmI0GKXEFRuir1A-fSbd-Kv5Ze8GTI1uIn1P4vS4chGBVthWQxIqT1tBm-PCxkr9LvlPj3XzaxU_qTKOEeZEjghjVUwW2weq9OwrcPP6ztgnLAHpy1bK_51gVEXSLs1w
使用token访问api
以下适用于非rancher部署的集群;rancher部署时,这样获取的APISERVER是rancher的代理地址,不是k8s apiserver的地址
[root@localhost ~]# curl --header "Authorization: Bearer $TOKEN" --insecure -X GET $APISERVER/api/v1/namespaces/test/pods?limit=1
[root@localhost ~]# curl --header "Authorization: Bearer $TOKEN" --insecure -X GET $APISERVER/api/v1/namespaces/default/pods?limit=1
[root@localhost ~]# curl --header "Authorization: Bearer $TOKEN" --insecure -X GET $APISERVER/api/v1/namespaces/kube-system/pods?limit=1
https方式:用 --cacert 校验服务端证书,ca根证书是我通过rancher2部署k8s生成的。带 --insecure 的写法会跳过证书校验,Bearer token 可能被中间人截获,只适合临时测试,正式使用应保留 --cacert
[root@localhost ~]# curl --cacert /etc/kubernetes/ssl/kube-ca.pem -H "Authorization: Bearer $TOKEN" https://172.16.10.87:6443/api/v1/namespaces
[root@localhost ~]#curl --header "Authorization: Bearer $TOKEN" --insecure -X GET https://172.16.10.87:6443/api/v1/namespaces/test/pods?limit=1
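serviceaccount虽然是区分namespace的,但是不影响使用这个token访问所有namespace的资源——这是因为 sa-wubo 通过 clusterrolebinding 绑定了 cluster-admin;如果只用 rolebinding 绑定到某个 namespace,token 就只能访问该 namespace 的资源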
2.3.使用useraccount来访问
创建user wubo的证书
[root@localhost work]# openssl genrsa -out wubo.key 2048
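CN就是username。注意:持有 CA 私钥(kube-ca-key.pem)就能签发任意用户名的客户端证书,所以不要把它复制到其他机器或长期留在工作目录,签完后删除副本;k8s 无法吊销已签发的客户端证书,-days 3650 的有效期偏长;-sha1 已不安全,建议改用 -sha256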
[root@localhost work]#openssl req -new -key wubo.key -out wubo.csr -subj "/CN=wubo"
[root@localhost work]#cp /etc/kubernetes/ssl/{kube-ca-key.pem,kube-ca.pem} .
[root@localhost work]#openssl x509 -req -in wubo.csr -out wubo.crt -sha1 -CA kube-ca.pem -CAkey kube-ca-key.pem -CAcreateserial -days 3650
创建角色getpods,创建角色绑定user wubo和role getpods
[root@localhost work]# kubectl create role getpods --verb=get --verb=list --resource=pods
[root@localhost work]# kubectl create rolebinding wubo-getpods --role=getpods --user=wubo --namespace=default
验证访问是否正常
[root@localhost work]# curl --cert /etc/kubernetes/pki/wubo.crt -X GET $APISERVER/api/v1/namespaces/default/pods?limit=1 --key /etc/kubernetes/pki/wubo.key --insecure
验证用户wubo不具备访问namespace kube-system的权限
curl --cert /etc/kubernetes/pki/wubo.crt -X GET $APISERVER/api/v1/namespaces/kube-system/pods?limit=1 --key /etc/kubernetes/pki/wubo.key --insecure
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "pods is forbidden: User \"wubo\" cannot list resource \"pods\" in API group \"\" in the namespace \"kube-system\"",
"reason": "Forbidden",
"details": {
"kind": "pods"
},
"code": 403
}
3.常用api资源
以下为常用资源的URL路径,将/apis/GROUP/VERSION/替换为/api/v1/,则表示基础API组
/apis/GROUP/VERSION/RESOURCETYPE
/apis/GROUP/VERSION/RESOURCETYPE/NAME
/apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE
/apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME
/apis/GROUP/VERSION/RESOURCETYPE/NAME/SUBRESOURCE
/apis/GROUP/VERSION/namespaces/NAMESPACE/RESOURCETYPE/NAME/SUBRESOURCE
查看扩展api里的资源deployments
curl --header "Authorization: Bearer $TOKEN" --insecure -X GET https://172.16.10.87:6443/apis/extensions/v1beta1/namespaces/kube-system/deployments
查看基础api里的资源pods
curl --header "Authorization: Bearer $TOKEN" --insecure -X GET https://172.16.10.87:6443/api/v1/namespaces/kube-system/pods/
3.1.使用watch持续监控资源的变化(URL 里带有 & 时要用引号把整个 URL 包起来,否则 shell 会把 & 当作后台运行符,& 后面的 resourceVersion 参数不会发给 apiserver)
[root@localhost work]# curl --header "Authorization: Bearer $TOKEN" --insecure -X GET https://172.16.10.87:6443/api/v1/namespaces/test/pods
"resourceVersion": "3508026"
[root@localhost work]# curl --header "Authorization: Bearer $TOKEN" --insecure -X GET https://172.16.10.87:6443/api/v1/namespaces/test/pods?watch=1&resourceVersion=2563046
3.2.查看前n个资源
[root@localhost work]# curl --header "Authorization: Bearer $TOKEN" --insecure -X GET https://172.16.10.87:6443/api/v1/namespaces/kube-system/pods?limit=1 | grep continue
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 5648 0 5648 0 0 44394 0 --:--:-- --:--:-- --:-- "continue": "eyJ2IjoibWV0YS5rOHMuaW8vdjEiLCJydiI6MzUwODczMCwic3RhcnQiOiJjYWxpY28ta3ViZS1jb250cm9sbGVycy03ODQ2NzQ3NmIteHNtYm5cdTAwMDAifQ",
:-- 44472
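使用continue token查看下n个资源(注意:下面的 URL 没有加引号,shell 把 & 当成了后台运行符,输出里的 "[3] 16137" 就是后台任务号,continue 参数并没有被发送,返回的看起来仍是第一页;应把整个 URL 用引号包起来)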
[root@localhost work]# curl --header "Authorization: Bearer $TOKEN" --insecure -X GET https://172.16.10.87:6443/api/v1/namespaces/kube-system/pods?limit=1&continue=eyJ2IjoibWV0YS5rOHMuaW8vdjEiLCJydiI6MzUwODczMCwic3RhcnQiOiJjYWxpY28ta3ViZS1jb250cm9sbGVycy03ODQ2NzQ3NmIteHNtYm5cdTAwMDAifQ
[3] 16137
[root@localhost work]# {
"kind": "PodList",
"apiVersion": "v1",
"metadata": {
"selfLink": "/api/v1/namespaces/kube-system/pods",
"resourceVersion": "3508922",
"continue": "eyJ2IjoibWV0YS5rOHMuaW8vdjEiLCJydiI6MzUwODkyMiwic3RhcnQiOiJjYWxpY28ta3ViZS1jb250cm9sbGVycy03ODQ2NzQ3NmIteHNtYm5cdTAwMDAifQ",
"remainingItemCount": 8
},
"items": [
{
"metadata": {
"name": "calico-kube-controllers-78467476b-xsmbn",
"generateName": "calico-kube-controllers-78467476b-",
"namespace": "kube-system",
"selfLink": "/api/v1/namespaces/kube-system/pods/calico-kube-controllers-78467476b-xsmbn",
"uid": "2ac52e44-6cd9-4676-9777-d05512c0ebf4",
"resourceVersion": "12770",
"creationTimestamp": "2021-12-01T05:37:40Z",
"labels": {
4.资源的类型
资源分类:Workloads,Discovery & LB ,Config & Storage,Cluster,Metadata 资源对象:Resource ObjectMeta,ResourceSpec,ResourceStatus 资源操作:create,update(replace&patch),read(get&list&watch),delete,rollback,read/write scale,read/write status
5.Workloads的操作
以pod为例,介绍workloads apis,以下为pod的yaml文件
[root@localhost work]# cat nginx.yaml
apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: client-container
    image: harbor.jettech.com/jettechtools/nginx:1.21.4
查看当前pods
[root@localhost work]# kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx 1/1 Running 0 97s
5.1. 创建pod
POST /api/v1/namespaces/{namespace}/pods 查看当前pods
# kubectl -n test get pods
NAME READY STATUS RESTARTS AGE
使用api创建pod
[root@localhost work]# kubectl create ns test
[root@localhost work]# curl --header "Authorization: Bearer $TOKEN" --insecure --request POST https://172.16.10.87:6443/api/v1/namespaces/test/pods -s -w "状态码是:%{http_code}\n" -o /dev/null -H 'Content-Type: application/yaml' --data 'apiVersion: v1
apiVersion: v1
kind: Pod
metadata:
name: nginx
spec:
containers:
- name: client-container
image: harbor.jettech.com/jettechtools/nginx:1.21.4'
5.2.删除pod
DELETE /api/v1/namespaces/{namespace}/pods/{name} 查看当前pods
[root@localhost work]# kubectl get pods -n test --show-labels
NAME READY STATUS RESTARTS AGE LABELS
nginx 1/1 Running 0 2m59s <none>
删除pod nginx
[root@localhost work]# curl --header "Authorization: Bearer $TOKEN" --insecure --request DELETE https://172.16.10.87:6443/api/v1/namespaces/test/pods/nginx -o /dev/null -s -w "状态码是:%{http_code}\n"
状态码是:200
{"type":"MODIFIED","object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx","namespace":"test","selfLink":"/api/v1/namespaces/test/pods/nginx","uid":"cf4292bf-b0f8-43ce-a233-3d0c2147cfef","resourceVersion":"3512941","creationTimestamp":"2021-12-17T02:21:03Z","deletionTimestamp":"2021-12-17T02:23:04Z","deletionGracePeriodSeconds":30,"annotations":{"cni.projectcalico.org/podIP":"10.42.212.190/32","cni.projectcalico.org/podIPs":"10.42.212.190/32"}},"spec":{"volumes":[{"name":"default-token-kwnbh","secret":{"secretName":"default-token-kwnbh","defaultMode":420}}],"containers":[{"name":"client-container","image":"harbor.jettech.com/jettechtools/nginx:1.21.4","resources":{},"volumeMounts":[{"name":"default-token-kwnbh","readOnly":true,"mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}],"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","imagePullPolicy":"IfNotPresent"}],"restartPolicy":"Always","terminationGracePeriodSeconds":30,"dnsPolicy":"ClusterFirst","serviceAccountName":"default","serviceAccount":"default","nodeName":"172.16.10.15","securityContext":{},"schedulerName":"default-scheduler","tolerations":[{"key":"node.kubernetes.io/not-ready","operator":"Exists","effect":"NoExecute","tolerationSeconds":300},{"key":"node.kubernetes.io/unreachable","operator":"Exists","effect":"NoExecute","tolerationSeconds":300}],"priority":0,"enableServiceLinks":true},"status":{"phase":"Running","conditions":[{"type":"Initialized","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-12-17T02:21:03Z"},{"type":"Ready","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-12-17T02:21:05Z"},{"type":"ContainersReady","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-12-17T02:21:05Z"},{"type":"PodScheduled","status":"True","lastProbeTime":null,"lastTransitionTime":"2021-12-17T02:21:03Z"}],"hostIP":"172.16.10.15","podIP":"10.42.212.190","podIPs":[{"ip":"10.42.212.190"}],"startTime":"2021-12-17T02:21:03Z","co
ntainerStatuses":[{"name":"client-container","state":{"running":{"startedAt":"2021-12-17T02:21:04Z"}},"lastState":{},"ready":true,"restartCount":0,"image":"harbor.jettech.com/jettechtools/nginx:1.21.4","imageID":"docker-pullable://harbor.jettech.com/jettechtools/nginx@sha256:4424e31f2c366108433ecca7890ad527b243361577180dfd9a5bb36e828abf47","containerID":"docker://f793a24a6eeb83d528781b00cb9a0246fe0cc2944be9341621390004dad306fd","started":true}],"qosClass":"BestEffort"}}}
{"type":"MODIFIED","object":{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx","namespace":"test","selfLink":"/api/v1/namespaces/test/pods/nginx","uid":"cf4292bf-b0f8-43ce-a233-3d0c2147cfef","resourceVersion":"3512941","creationTimestamp":"2021-12-17T02:21:03Z","deletionTimestamp":"2021-12-17T02:23:04Z","deletionGracePeriodSeconds":30,"annotations":{"cni.projectcalico.org/podIP":"10.42.212.190/32","cni.projectcalico.org/podIPs":"10.42.212.190/32"}},"spec":{"volumes":[{"name":"default-token-kwnbh","secret":{"secretName":"default-token-kwnbh","defaultMode":420}}],"containers":[{"name":"client-container","image":"harbor.jettech.com/jettechtools/nginx:1.21.4","resources":{},"v
查看
[root@localhost work]# kubectl get pods -n test
NAME READY STATUS RESTARTS AGE
nginx 0/1 Terminating 0 95s
状态码 200 Ok 202 Accepted
|