
1. Kubernetes API 호출

  • 쿠버네티스 API 호출을 이용하여 클러스터를 컨트롤하는 방법을 설명합니다.

1.1 admin 클러스터 롤 확인

# kubectl -n kube-system get clusterrole | grep admin
admin                                                                  2022-12-28T08:53:35Z
cluster-admin                                                          2022-12-28T08:53:35Z
system:aggregate-to-admin                                              2022-12-28T08:53:35Z
system:kubelet-api-admin                                               2022-12-28T08:53:35Z

1.2 서비스 어카운트(sa) 생성

# kubectl create sa admin-user -n kube-system

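1.3 서비스 어카운트와 클러스터롤 바인딩

  • cluster-admin은 클러스터 전체 리소스에 대한 모든 권한을 부여하므로, 이 바인딩은 실습 환경에서만 사용하고 실습이 끝나면 삭제합니다. 운영 환경에서는 필요한 리소스와 동작만 허용하는 Role/ClusterRole을 따로 만들어 바인딩합니다.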

# kubectl create clusterrolebinding --clusterrole=cluster-admin admin-user --serviceaccount=kube-system:admin-user

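1.4 admin-user에 대한 토큰 생성

  • kubectl create token으로 발급한 토큰은 만료 시간이 있는 단기 토큰입니다. 아래 예시 토큰의 페이로드에는 iat 1675053636, exp 1675057236이 들어 있어 발급 1시간 뒤에 만료됩니다.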

# kubectl -n kube-system create token admin-user
eyJhbGciOiJSUzI1NiIsImtpZCI6ImlVbmVfYWR4VE1kMlJneHBMZFBVcUlqUFBpNFBLcTFfQVgwNFBIUEhOU0kifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiXSwiZXhwIjoxNjc1MDU3MjM2LCJpYXQiOjE2NzUwNTM2MzYsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJhZG1pbi11c2VyIiwidWlkIjoiODNkYWI4MzYtNzgyNy00OWY0LWI1OGYtOTk5YzAwNWYwNTcxIn19LCJuYmYiOjE2NzUwNTM2MzYsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDprdWJlLXN5c3RlbTphZG1pbi11c2VyIn0.LdWBWVFX737--9ekdpe2I3sRTsRgz5jEvmYFUK_k_ZRopKIYDSoBXpiGXliTxzvsodtZF4H9ESQLjjYx9YYPOBEk-Pmw5BvPKMvcpx9futRIpz85U7_YNAeGphTJGJnHc4rIUILJ4cngJBjAhyi6XJ55bnT1EDYf3KSdPRtfnV0XmiJuEUb0qboCcaNdr9a3ltipitI6AcjYxqbzzPO4dHo6S4ay5aV6M26ZS_ZsAVI64_oLWX641B-skkZlrP4FoJluZvoHZHbKi_AkvnC2VCIoUCmpcR36uH8j-9ZMUMy9gGjQSxXy_NekXJzm5PSz9Qx5VczyP7Pt89XG3L5X1w

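1.5 시크릿 생성

  • kubernetes.io/service-account-token 타입의 시크릿을 만들면 해당 서비스 어카운트의 토큰이 시크릿에 자동으로 채워집니다. 1.6에서 디코딩한 토큰에는 exp 클레임이 없으므로, 이 토큰은 시크릿이나 서비스 어카운트를 삭제할 때까지 계속 유효합니다. cluster-admin 권한이 묶여 있으므로 실습 후에는 시크릿을 삭제합니다.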

# cat secret.yml
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: admin-user-secret
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: "admin-user"
    
  
root@k8s-master01:~# kubectl apply -f secret.yml
secret/admin-user-secret created


root@k8s-master01:~# kubectl -n kube-system get secret
NAME                TYPE                                  DATA   AGE
admin-user-secret   kubernetes.io/service-account-token   3      5s    

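1.6 시크릿 확인

  • data 필드의 값은 base64로 인코딩된 것일 뿐 암호화된 것이 아닙니다. kube-system 네임스페이스의 시크릿을 조회할 수 있는 사용자는 아래처럼 토큰을 그대로 복원할 수 있으므로, 시크릿 조회 권한은 최소한으로 제한해야 합니다.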

root@k8s-master01:~# kubectl -n kube-system get secrets -o yaml
apiVersion: v1
items:
- apiVersion: v1
  data:
    ca.crt: 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
    namespace: a3ViZS1zeXN0ZW0=
    token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNkltbFZibVZmWVdSNFZFMWtNbEpuZUhCTVpGQlZjVWxxVUZCcE5GQkxjVEZmUVZnd05GQklVRWhPVTBraWZRLmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUpyZFdKbExYTjVjM1JsYlNJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZqY21WMExtNWhiV1VpT2lKaFpHMXBiaTExYzJWeUxYTmxZM0psZENJc0ltdDFZbVZ5Ym1WMFpYTXVhVzh2YzJWeWRtbGpaV0ZqWTI5MWJuUXZjMlZ5ZG1salpTMWhZMk52ZFc1MExtNWhiV1VpT2lKaFpHMXBiaTExYzJWeUlpd2lhM1ZpWlhKdVpYUmxjeTVwYnk5elpYSjJhV05sWVdOamIzVnVkQzl6WlhKMmFXTmxMV0ZqWTI5MWJuUXVkV2xrSWpvaU9ETmtZV0k0TXpZdE56Z3lOeTAwT1dZMExXSTFPR1l0T1RrNVl6QXdOV1l3TlRjeElpd2ljM1ZpSWpvaWMzbHpkR1Z0T25ObGNuWnBZMlZoWTJOdmRXNTBPbXQxWW1VdGMzbHpkR1Z0T21Ga2JXbHVMWFZ6WlhJaWZRLmFiVUxQRWNnTkZkR2Q1aXg5Mnd1TjRHN3NfZ0t3b20zTWVMYXA3d2wydUxKQVRDaTZtTmFBLTlGOTQ5bVFBVVJKSGJLbTJvZUFkWlBhYnE5MXFDdXh4NEVZNGI5ejhEZF9rTFZqZGxyRlZXaVJJVzBjcnZ3OWlvX05sakV0VWZoT1VBX2o0THJ6VlpkeDhfWmNpclVObTJ0Qmh4NGR4Smp1YUlNVzB5eXFBd2xYeG1lZWlnZnhfOGJOTU9mRlNaSk9ZNXpPSGxybDNSWWMyNTRWWjc1aTlxQXNZVVpEVkxJRFpoeUZRQnVVOGNwUFB1eWhzVV9UdXJmcmdpTzlpUlpEUmNTWjg4WEszSmdVRXF2MnVTTXdtVEI0NURDWGZHN1U0bHBBRDdkQ3IzMTFONlREZ1ZxOHBwcFFhbURTS1lGZGhBX3dxS0tyLWJiWE55dnh4Yk15QQ==
  kind: Secret
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{"kubernetes.io/service-account.name":"admin-user"},"name":"admin-user-secret","namespace":"kube-system"},"type":"kubernetes.io/service-account-token"}
      kubernetes.io/service-account.name: admin-user
      kubernetes.io/service-account.uid: 83dab836-7827-49f4-b58f-999c005f0571
    creationTimestamp: "2023-01-30T04:49:54Z"
    name: admin-user-secret
    namespace: kube-system
    resourceVersion: "7004507"
    uid: a25ebd8b-083e-4897-9860-fa3f25ac1ed9
  type: kubernetes.io/service-account-token
kind: List
metadata:
  resourceVersion: ""
# kubectl get secrets -n kube-system admin-user-secret -o jsonpath={.data.token} | base64 --decode
eyJhbGciOiJSUzI1NiIsImtpZCI6ImlVbmVfYWR4VE1kMlJneHBMZFBVcUlqUFBpNFBLcTFfQVgwNFBIUEhOU0kifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXNlY3JldCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbi11c2VyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiODNkYWI4MzYtNzgyNy00OWY0LWI1OGYtOTk5YzAwNWYwNTcxIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmFkbWluLXVzZXIifQ.abULPEcgNFdGd5ix92wuN4G7s_gKwom3MeLap7wl2uLJATCi6mNaA-9F949mQAURJHbKm2oeAdZPabq91qCuxx4EY4b9z8Dd_kLVjdlrFVWiRIW0crvw9io_NljEtUfhOUA_j4LrzVZdx8_ZcirUNm2tBhx4dxJjuaIMW0yyqAwlXxmeeigfx_8bNMOfFSZJOY5zOHlrl3RYc254VZ75i9qAsYUZDVLIDZhyFQBuU8cpPPuyhsU_TurfrgiO9iRZDRcSZ88XK3JgUEqv2uSMwmTB45DCXfG7U4lpAD7dCr311N6TDgVq8pppQamDSKYFdhA_wqKKr-bbXNyvxxbMyA

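1.7 토큰 변수 설정

  • 토큰 값을 명령줄에 직접 붙여 넣으면 셸 히스토리에 남고, 문서에 복사하면 그대로 노출됩니다. 1.6의 디코딩 명령을 명령 치환으로 사용하면 값을 화면에 드러내지 않고 설정할 수 있습니다: export bearertoken=$(kubectl get secrets -n kube-system admin-user-secret -o jsonpath={.data.token} | base64 --decode)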

export bearertoken=eyJhbGciOiJSUzI1NiIsImtpZCI6ImlVbmVfYWR4VE1kMlJneHBMZFBVcUlqUFBpNFBLcTFfQVgwNFBIUEhOU0kifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJhZG1pbi11c2VyLXNlY3JldCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50Lm5hbWUiOiJhZG1pbi11c2VyIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiODNkYWI4MzYtNzgyNy00OWY0LWI1OGYtOTk5YzAwNWYwNTcxIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omt1YmUtc3lzdGVtOmFkbWluLXVzZXIifQ.abULPEcgNFdGd5ix92wuN4G7s_gKwom3MeLap7wl2uLJATCi6mNaA-9F949mQAURJHbKm2oeAdZPabq91qCuxx4EY4b9z8Dd_kLVjdlrFVWiRIW0crvw9io_NljEtUfhOUA_j4LrzVZdx8_ZcirUNm2tBhx4dxJjuaIMW0yyqAwlXxmeeigfx_8bNMOfFSZJOY5zOHlrl3RYc254VZ75i9qAsYUZDVLIDZhyFQBuU8cpPPuyhsU_TurfrgiO9iRZDRcSZ88XK3JgUEqv2uSMwmTB45DCXfG7U4lpAD7dCr311N6TDgVq8pppQamDSKYFdhA_wqKKr-bbXNyvxxbMyA

1.8 예제

1.8.1 nginx 파드 생성

### 1. kubectl 명령어 사용
# kubectl run --image nginx nginx-pod --dry-run=client -o json | jq -c
{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-pod","creationTimestamp":null,"labels":{"run":"nginx-pod"}},"spec":{"containers":[{"name":"nginx-pod","image":"nginx","resources":{}}],"restartPolicy":"Always","dnsPolicy":"ClusterFirst"},"status":{}}


### 2. 일반적인 호출
# curl --cacert /etc/kubernetes/pki/ca.crt -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer $bearertoken" https://192.168.1.10:6443/api/v1/namespaces/default/pods --data '{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-pod","creationTimestamp":null,"labels":{"run":"nginx-pod"}},"spec":{"containers":[{"name":"nginx-pod","image":"nginx","resources":{}}],"restartPolicy":"Always","dnsPolicy":"ClusterFirst"},"status":{}}'

### curl 7.61.0 이상버전에서의 호출
# curl --cacert ca.crt --oauth2-bearer "$bearertoken" -X POST -H 'Content-Type: application/json' https://192.168.110.111:6443/api/v1/namespaces/default/pods --data '{"kind":"Pod","apiVersion":"v1","metadata":{"name":"nginx-pod","creationTimestamp":null,"labels":{"run":"nginx-pod"}},"spec":{"containers":[{"name":"nginx-pod","image":"nginx","resources":{}}],"restartPolicy":"Always","dnsPolicy":"ClusterFirst"},"status":{}}'

### 실습 CentOS 환경의 기본 curl 버전 (7.29.0은 7.61.0보다 낮으므로 --oauth2-bearer 대신 위의 Authorization 헤더 방식을 사용)
[root@m-k8s pki]# curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu)

1.8.2 nginx 파드 생성2

  • 아래 kubectl 명령의 JSON 출력을 a.json 파일로 저장한 뒤, curl에서 --data @a.json으로 전달

# kubectl run --image nginx nginx-pod --dry-run=client -o json
{
    "kind": "Pod",
    "apiVersion": "v1",
    "metadata": {
        "name": "nginx-pod",
        "creationTimestamp": null,
        "labels": {
            "run": "nginx-pod"
        }
    },
    "spec": {
        "containers": [
            {
                "name": "nginx-pod",
                "image": "nginx",
                "resources": {}
            }
        ],
        "restartPolicy": "Always",
        "dnsPolicy": "ClusterFirst"
    },
    "status": {}
}
# curl --cacert ca.crt --oauth2-bearer "$bearertoken" -X POST -H 'Content-Type: application/json' https://192.168.110.111:6443/api/v1/namespaces/default/pods --data @a.json

1.8.3 nginx 파드 삭제

curl --cacert ca.crt --oauth2-bearer "$bearertoken" -X DELETE https://192.168.110.111:6443/api/v1/namespaces/default/pods/nginx-pod

1.8.4 deployment 생성

# kubectl create deployment nginx-deployment --image=nginx --dry-run=client -o json | jq -c .
{"kind":"Deployment","apiVersion":"apps/v1","metadata":{"name":"nginx-deployment","creationTimestamp":null,"labels":{"app":"nginx-deployment"}},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"nginx-deployment"}},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"nginx-deployment"}},"spec":{"containers":[{"name":"nginx","image":"nginx","resources":{}}]}},"strategy":{}},"status":{}}


# kubectl create deployment nginx-deployment --image=nginx --dry-run=client -o json
{
    "kind": "Deployment",
    "apiVersion": "apps/v1",
    "metadata": {
        "name": "nginx-deployment",
        "creationTimestamp": null,
        "labels": {
            "app": "nginx-deployment"
        }
    },
    "spec": {
        "replicas": 1,
        "selector": {
            "matchLabels": {
                "app": "nginx-deployment"
            }
        },
        "template": {
            "metadata": {
                "creationTimestamp": null,
                "labels": {
                    "app": "nginx-deployment"
                }
            },
            "spec": {
                "containers": [
                    {
                        "name": "nginx",
                        "image": "nginx",
                        "resources": {}
                    }
                ]
            }
        },
        "strategy": {}
    },
    "status": {}
}
curl --cacert ca.crt --oauth2-bearer "$bearertoken" -X POST -H 'Content-Type: application/json' https://192.168.110.111:6443/apis/apps/v1/namespaces/default/deployments --data '{"kind":"Deployment","apiVersion":"apps/v1","metadata":{"name":"nginx-deployment","creationTimestamp":null,"labels":{"app":"nginx-deployment"}},"spec":{"replicas":1,"selector":{"matchLabels":{"app":"nginx-deployment"}},"template":{"metadata":{"creationTimestamp":null,"labels":{"app":"nginx-deployment"}},"spec":{"containers":[{"name":"nginx","image":"nginx","resources":{}}]}},"strategy":{}},"status":{}}'

1.8.5 deployment 삭제

curl --cacert ca.crt --oauth2-bearer "$bearertoken" -X DELETE https://192.168.110.111:6443/apis/apps/v1/namespaces/default/deployments/nginx-deployment

참고 사이트) https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/
