Invoke Kubernetes APIs via simple HTTP client, Invoke k8s API programmatically.

In this post I would like to explain how we can invoke the k8s API and retrieve k8s cluster information. When we develop applications and programs, we will sometimes need to invoke k8s APIs to perform complex deployment tasks, and in this post we will see how to do that step by step.


In my setup I have used Rancher Desktop and k8s version 1.24.3. The instructions below can change slightly in other versions.


First we need to create a k8s user account. To do that, we will create a service account, a cluster role and a cluster role binding. Please create the .yaml files below for each of these resources and apply them into the k8s cluster using 


ServiceAccount.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: apk-platform
  namespace: default

 


ClusterRole.yaml

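apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: apk-role
rules:
  # The wildcards below grant every verb on every resource in every API group,
  # i.e. full control of the cluster. Narrow them to what the client actually needs.
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]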

 


ClusterRoleBinding.yaml

apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding grants the "apk-role" ClusterRole to the "apk-platform" service account in every namespace.
kind: ClusterRoleBinding
metadata:
  name: role-binding
roleRef:
  kind: ClusterRole
  name: apk-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  # You can specify more than one "subject"
  - kind: ServiceAccount
    name: apk-platform # "name" is case sensitive
    namespace: default



Run the 3 commands below

kubectl apply -f ServiceAccount.yaml
kubectl apply -f ClusterRole.yaml
kubectl apply -f ClusterRoleBinding.yaml


Set the variables below, as we are going to use them in the next steps

>>SERVICE_ACCOUNT=apk-platform
>>APISERVER=https://$(kubectl -n default get endpoints kubernetes --no-headers | awk '{ print $2 }')


Now we have successfully created the service account and cluster role binding. Next we need to get the token and certificate to invoke the API.


To get the token, execute the following command with the provided yaml file.


Token.yaml

apiVersion: v1
kind: Secret
metadata:
  name: apk-platform-token
  annotations:
    kubernetes.io/service-account.name: apk-platform
type: kubernetes.io/service-account-token

Execute the following
kubectl apply -f Token.yaml


Now you can see the generated token, cert etc. using the command below


>>kubectl get secret "apk-platform-token" -o json

{
    "apiVersion": "v1",
    "data": {
        "ca.crt": "XXX",
        "namespace": "ZGVmYXVsdA==",
        "token": "XXXX"
    },
    "kind": "Secret",
    "metadata": {
        "annotations": {
            "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Secret\",\"metadata\":{\"annotations\":{\"kubernetes.io/service-account.name\":\"apk-platform\"},\"name\":\"apk-platform-token\",\"namespace\":\"default\"},\"type\":\"kubernetes.io/service-account-token\"}\n",
            "kubernetes.io/service-account.name": "apk-platform",
            "kubernetes.io/service-account.uid": "e546dfae-7420-425f-881e-fcdcbe7ace9f"
        },
        "creationTimestamp": "2022-11-09T08:07:51Z",
        "name": "apk-platform-token",
        "namespace": "default",
        "resourceVersion": "43505",
        "uid": "d2d4f3ae-aee6-4784-8a5f-fa7d1e874bfb"
    },
    "type": "kubernetes.io/service-account-token"
}


Now let's extract the token and certificate using the commands below



Extract the token data into a variable
>>TOKEN=$(kubectl get secrets apk-platform-token -o json | jq -Mr '.data.token' | base64 -d)


Extract certificate information to file

>>kubectl get secret "apk-platform-token" -o json | jq -Mr '.data["ca.crt"]' | base64 -d > /tmp/ca.crt


Now we have all the information required to invoke the k8s API. Let's execute a curl command using the token and certificate we obtained, as follows.


curl -s $APISERVER/openapi/v2 --header "Authorization: Bearer $TOKEN" --cacert /tmp/ca.crt | less
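
The same call made from a program instead of curl, as an added example that is not part of the original post: it decodes the Secret JSON shown above, builds the Bearer request, and trusts only the cluster CA, as `--cacert` does. The function names and the embedded sample Secret are assumptions made for illustration; the sample token is constructed and unsigned, and its `ca.crt` is a placeholder.

```python
import base64
import json
import ssl
import urllib.request


def decode_secret(secret_json):
    """Base64-decode every field of a service-account-token Secret."""
    data = json.loads(secret_json)["data"]
    return {k: base64.b64decode(v).decode() for k, v in data.items()}


def token_claims(token):
    """Read the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_request(apiserver, path, token):
    """The same request the curl command sends: GET with a Bearer token."""
    url = apiserver.rstrip("/") + path
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})


def call_api(apiserver, path, creds):
    """Send the request, trusting only the cluster CA (like curl --cacert)."""
    ctx = ssl.create_default_context(cadata=creds["ca.crt"])
    req = build_request(apiserver, path, creds["token"])
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample shaped like `kubectl get secret apk-platform-token -o json`.
# The token is unsigned filler and ca.crt is a placeholder, not a certificate.
SAMPLE_CLAIMS = {"sub": "system:serviceaccount:default:apk-platform"}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256"}), _b64url(SAMPLE_CLAIMS), "c2ln"])
SAMPLE_SECRET = json.dumps({"data": {
    "ca.crt": base64.b64encode(b"placeholder CA").decode(),
    "namespace": "ZGVmYXVsdA==",
    "token": base64.b64encode(SAMPLE_TOKEN.encode()).decode()}})


if __name__ == "__main__":
    print(token_claims(decode_secret(SAMPLE_SECRET)["token"]))
```

Against a real cluster, pass the output of `kubectl get secret "apk-platform-token" -o json` to `decode_secret` and call `call_api(APISERVER, "/openapi/v2", creds)`. The `sub` claim returned by `token_claims` shows which service account the token authenticates as, which is worth checking before handing the token to a client.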

