TLS Access 설정 (인증서 기반의 클러스터 API)
api를 통해 직접 호출 할수 있도록 3가지 key를 필요로 한다.
~/.kube/config 경로 안에 있는 아래 3가지 키를 base64로 encording 한 후 각각의 파일로 저장 하여 사용한다.
- certificate-authority-data
- client-certificate-data
- client-key-data
~/.kube/config 안에 정보를 확인
ps0107@k8smaster1:~$ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01ERXlPREE0TWprd09Wb1hEVE13TURFeU5UQTRNamt3T1Zvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTk9XCjZMdDkweTMvZDU2VEdIZFFWR25hZGtScXhPUERPYmplOVpUTkVIU3JWZUU3NWpPQ1A0RWdaTFVxcjBBWm5mSTIKQ0hSU3ZGdkdUT2Qza0o0bnRMS0RrT21VaWV4N2s0ZnRJM0lNc0RraDM4OTMzaGxMRDBBTzZzR3cvUnZpaVJ2Swo1N0RLVjRBaXFTTkRabXlpRFJHRFAvc3o1NllzTEdhQXJTUzVwcFYrQ2NKanhHeXV2UXNKZmZEekJsZ2FCakRoCmlWcDhrdTBNVUpFRktLbDNTNnhLZXRZRTRwZVpNcmlGZUpBb0pVZTZscmpYRWplVVN1a29FdmxmbGJIMGhWL3IKWk1ydkwwaGRKeWdIQjVnZWJnVHVCWDhIWkR4dDBFT1M5ZnBYNWxjYXRJR1g5NGVQdW9PcENYWDF1RVg4alpwYQpzZkpHSkRzdS9pTi9vMWZYcXU4Q0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDa01VR0pPM2xycEppL2RKdmhZSkdwK29sMHQKQ3lUSVhrK2oyMDFhbmZKYkFiVllENStvb2FxUnRzNWFaa01RZ2loWjUyNGw2bGZ6N3NUNEE0M3VZL3lITmllRgpwb2RvdFFMWXlyRmRCcUoyaFhpcVFOQjRjNHloUXFkMG0rSTNwazJIMDNTOG85MWZ1VUJ3NWZSbDUxRUtIT3I1Ci84cldqdW55KzBRY1IvaEVLZlA5alV0NVZsbm4zMVJPMkhVeFUyTmlQTCtJK0dtWCtod3hzRFkyUk9TZ2xuWUsKcjNkaGU2RXpHQTZBcTJqMmtENTJteWFmNXNRY0NjeXg1cDlSNGdXcWxFTFU1VFZONldTWnVCT3AxQld6azI3NgpURFFRL0hVeHBGSTdZSEtTeVkza0xCb2JoSzViM0syS1RqQk45aEduMisxaHNETFM1R1ZRbkVQMlVTUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
server: https://k8smaster:6443
name: kubernetes
contexts:
- context:
cluster: kubernetes
user: kubernetes-admin
name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
user:
client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lJVUpXVjZQeWhwSnd3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TURBeE1qZ3dPREk1TURsYUZ3MHlNVEF4TWpjd09ESTVNVEZhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXpnRVhPY0JvZ1p2cGtlMysKVTdMcXBWVEVJMmc0Y241Wm5pNEhzVkYwdk9IQm9VTHlEZ1FBakYreDZNbEpYVlRGVWpxOXZkQm5pZFE3clJUWgoxL1g4a1BnSmVMbm8wNTgra213aHM3Y0F1T0pHQnlIamQ1TTVRaVFvM01ydGNQVlpVOHd3a3ZFT0dSa3JuOWlYCkNQeCt6WHhoNXNPRW9BRGR4TFJ1bVp1aGZoQXBFYlhSRVRHbTdCdnh4d2pneHBsdmoxR3gwTDBydlZLZTl6V0YKbGxCbTZpTW42NWlHMjVpVmZOcTVubDNRNCtMejFsejNENkRwamtaT2VEalJEcDZyOVYycVJzb2JocStOQjVFZQpRZXFMRUNqaWZ6aGwvRUZ0bmh1QmVTTXdyeHM2U1BzV2RyaHE5ZndHKzBDK2VjQmNvQ2xYV0xtcGp4cVF2dHJFCnlSckdGd0lEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFNcWQ3UWJ1MXpYQSsvZGRpWWYwQlI1cjdjMjUvalhGc25PVAp3RFBQT0ZrZ0tObDdsQy9xNndNdmNlUS9lRDl3Ti9ENUYwWlpHZDRSSWV0WklILzJSNklUNSs3V3RLK0dFRFp3CjFZL3p2MkVYeFZ1Y0ErNjZ6RzdtR3p1SnBJSkZwdjM0UlducEdSQ1lGMk52WDYwL2o4QTRiTnhsMXo1YWZDaDcKS0psd2RYYTdnK01qZXV6QmkzQmpOYnI4Mnh3bjNmVHJqWlBxYThqaGF0cWtPaHIwQkRnNUFzQTk4dEpnSDFmTgorU0prUkZ4OUREY0JXdDZGMDNYdW84TTk4L1RFcFc2cExzZWM0YjkyT0ZsUGg5Z2NlVXk0T3BnQnNYTElySDZoCkJCNTVyRmtLYWJ6ekhGYUV4RGxwSzZZczJnMDZZbmppVnBjU3N0WmludXBoV0s5S243RT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBemdFWE9jQm9nWnZwa2UzK1U3THFwVlRFSTJnNGNuNVpuaTRIc1ZGMHZPSEJvVUx5CkRnUUFqRit4Nk1sSlhWVEZVanE5dmRCbmlkUTdyUlRaMS9YOGtQZ0plTG5vMDU4K2ttd2hzN2NBdU9KR0J5SGoKZDVNNVFpUW8zTXJ0Y1BWWlU4d3drdkVPR1Jrcm45aVhDUHgrelh4aDVzT0VvQURkeExSdW1adWhmaEFwRWJYUgpFVEdtN0J2eHh3amd4cGx2ajFHeDBMMHJ2VktlOXpXRmxsQm02aU1uNjVpRzI1aVZmTnE1bmwzUTQrTHoxbHozCkQ2RHBqa1pPZURqUkRwNnI5VjJxUnNvYmhxK05CNUVlUWVxTEVDamlmemhsL0VGdG5odUJlU013cnhzNlNQc1cKZHJocTlmd0crMEMrZWNCY29DbFhXTG1wanhxUXZ0ckV5UnJHRndJREFRQUJBb0lCQVFDSitmTUxiRkxTMUpHcApleVVIL0dMckg0NUxSTWZoNzd5b2xKMzBadUZ3alNpNmtQTTg3Zk5NRWVCQVVXbEJDTUVzNVVrbXRFcFU1NENjCjJjVmF2MWhONU1PN1I1R3BCQlROejN6M09OQlVCTUh3andNaW1Nb1dBZEFZcWhaRXZSLzZYMTM5WFZVYS9GL2EKclIva0ZmSDhRWjMxQ09sd25ZUHI5d25JK3BNOHNmTGdqemFjYTNCdTNWMkx1Z29XcURQTFZiMjRiT0RLK3RVZwo4Q0ErSjhPemRreHgvNThxT2h3bWVNT0wydkdXbGVhVkkrVHBMUjhObEFRQXdkR04xVTNrcGRtZElhS0d2SG0zCmt4OUpQNExyeDI2emMxSTVROEZ1VGNkQlc4QzVoaHZLVC9tMDZ6WGFwWDhFN0ZVYWxOWkdFOWFHd1h1K1dpc2oKNDlSQ0pwb1JBb0dCQU01eGhDUGMvNkFqK091a0xORmVCVU1VTEc4VU54MkF5a3pVRFlUWkNUd1FJQ01YamxQRAo4YStSMmJHRit1N0d4b3c5K091WnFzcjVyK0tIN3BVQkZlVWUyenZvM0FRQzFPb2YrRjBZK2hzMm5tNmdFTVN1CmF2b0NZVW10R2dCVE16QWs0d2tEUWIzNldWUFFNT2ZNaGRNMjdpc2s3TFp5Znl1bzkwRnlobzlmQW9HQkFQOTAKbGtBSTh6b3dvYmZWZUZhVVV0ei9nSDNzNkxwRnhkSFlHZnRCYS9JSXNwKzRwV1dJL0V1YjRXUnk0c3ZOaDNPdAozSitGRnZWclVicFB6Q2VKbm0xVHY5N3FOVVRQa1B4blhnVXdiMFEvVHhRODFIRmoweWlDRGFTVGw4RUx3ejQ1Cm1xYVB6dDA5RTFOVHJpNFBQTWh3WmV5Y2k0Y3drS0c3c0kwaFlweEpBb0dCQUtPVEhuaXNLMy9nQU9QMWVlMksKNmZCMGs2Q1FDL3U4aUk3SGxzNmtpY1Nsb2xFcjRRSk9SN290ZnFoQzJNbEpoeGlvSWd2TC9xQkZweTkvTlhPcgpJSVlqSk9NYlp2bG1wUDI5eHpVOURTOXkzNllYL2pGWllqb21tSitnSVBJUStvWXpOQkY0R3lkRXJuTFNpMjJmCmlJb0xCRHY3VGZSaVZKRnJtRDZyV0NOUkFvR0FZUUN1aFVaZ3hmbnRqdGNheVJXdG1ZblVDdjFKS21LUVNhemIKd05NSTRIRjVFcm1VNU1kdHRuQk0yRTNmM1RBQWZXYkozakUxbEovWit2dU9OSDFIa1pBNXpiWDE0RmxKWHU4Sgpmc0x6bldERThKUmd2MlgrcXVVbnRSVHVqVG1nUENLM25RUUNzM1Fid0lxSUc2bGhsV05JOE41SkJWN2xyT1NPCm1DalRQekVDZ1lFQXRkMXprbzJUQWwwK05zZEliNkZKV2huV2tVM3hSdmdJZGRxcDYydUZXOXl0VDB3VUFpRGYKdmNYRkhDcFNTNnRDZDU0WHVoUzNPeGVuak5Ga0c3MzRtTEh3Z2JMWUl4Q2c1YVBBcFlMMG9QL2lZUFJBNTBROApUWEM2L1JLYWd2TURLZkphS293WVR4aS85TTJ1QUxYNVdia2xvZnlCQzVjQXBhb1Ribll0czE0PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
client-cert를 추출
ps0107@k8smaster1:~$ export client=$(grep client-cert ~/.kube/config | cut -d " " -f 6)
ps0107@k8smaster1:~$ echo $client
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lJVUpXVjZQeWhwSnd3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TURBeE1qZ3dPREk1TURsYUZ3MHlNVEF4TWpjd09ESTVNVEZhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXpnRVhPY0JvZ1p2cGtlMysKVTdMcXBWVEVJMmc0Y241Wm5pNEhzVkYwdk9IQm9VTHlEZ1FBakYreDZNbEpYVlRGVWpxOXZkQm5pZFE3clJUWgoxL1g4a1BnSmVMbm8wNTgra213aHM3Y0F1T0pHQnlIamQ1TTVRaVFvM01ydGNQVlpVOHd3a3ZFT0dSa3JuOWlYCkNQeCt6WHhoNXNPRW9BRGR4TFJ1bVp1aGZoQXBFYlhSRVRHbTdCdnh4d2pneHBsdmoxR3gwTDBydlZLZTl6V0YKbGxCbTZpTW42NWlHMjVpVmZOcTVubDNRNCtMejFsejNENkRwamtaT2VEalJEcDZyOVYycVJzb2JocStOQjVFZQpRZXFMRUNqaWZ6aGwvRUZ0bmh1QmVTTXdyeHM2U1BzV2RyaHE5ZndHKzBDK2VjQmNvQ2xYV0xtcGp4cVF2dHJFCnlSckdGd0lEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFNcWQ3UWJ1MXpYQSsvZGRpWWYwQlI1cjdjMjUvalhGc25PVAp3RFBQT0ZrZ0tObDdsQy9xNndNdmNlUS9lRDl3Ti9ENUYwWlpHZDRSSWV0WklILzJSNklUNSs3V3RLK0dFRFp3CjFZL3p2MkVYeFZ1Y0ErNjZ6RzdtR3p1SnBJSkZwdjM0UlducEdSQ1lGMk52WDYwL2o4QTRiTnhsMXo1YWZDaDcKS0psd2RYYTdnK01qZXV6QmkzQmpOYnI4Mnh3bjNmVHJqWlBxYThqaGF0cWtPaHIwQkRnNUFzQTk4dEpnSDFmTgorU0prUkZ4OUREY0JXdDZGMDNYdW84TTk4L1RFcFc2cExzZWM0YjkyT0ZsUGg5Z2NlVXk0T3BnQnNYTElySDZoCkJCNTVyRmtLYWJ6ekhGYUV4RGxwSzZZczJnMDZZbmppVnBjU3N0WmludXBoV0s5S243RT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
client-key-data를 추출
ps0107@k8smaster1:~$ export key=$(grep client-key-data ~/.kube/config | cut -d " " -f 6)
ps0107@k8smaster1:~$ echo $key
LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcFFJQkFBS0NBUUVBemdFWE9jQm9nWnZwa2UzK1U3THFwVlRFSTJnNGNuNVpuaTRIc1ZGMHZPSEJvVUx5CkRnUUFqRit4Nk1sSlhWVEZVanE5dmRCbmlkUTdyUlRaMS9YOGtQZ0plTG5vMDU4K2ttd2hzN2NBdU9KR0J5SGoKZDVNNVFpUW8zTXJ0Y1BWWlU4d3drdkVPR1Jrcm45aVhDUHgrelh4aDVzT0VvQURkeExSdW1adWhmaEFwRWJYUgpFVEdtN0J2eHh3amd4cGx2ajFHeDBMMHJ2VktlOXpXRmxsQm02aU1uNjVpRzI1aVZmTnE1bmwzUTQrTHoxbHozCkQ2RHBqa1pPZURqUkRwNnI5VjJxUnNvYmhxK05CNUVlUWVxTEVDamlmemhsL0VGdG5odUJlU013cnhzNlNQc1cKZHJocTlmd0crMEMrZWNCY29DbFhXTG1wanhxUXZ0ckV5UnJHRndJREFRQUJBb0lCQVFDSitmTUxiRkxTMUpHcApleVVIL0dMckg0NUxSTWZoNzd5b2xKMzBadUZ3alNpNmtQTTg3Zk5NRWVCQVVXbEJDTUVzNVVrbXRFcFU1NENjCjJjVmF2MWhONU1PN1I1R3BCQlROejN6M09OQlVCTUh3andNaW1Nb1dBZEFZcWhaRXZSLzZYMTM5WFZVYS9GL2EKclIva0ZmSDhRWjMxQ09sd25ZUHI5d25JK3BNOHNmTGdqemFjYTNCdTNWMkx1Z29XcURQTFZiMjRiT0RLK3RVZwo4Q0ErSjhPemRreHgvNThxT2h3bWVNT0wydkdXbGVhVkkrVHBMUjhObEFRQXdkR04xVTNrcGRtZElhS0d2SG0zCmt4OUpQNExyeDI2emMxSTVROEZ1VGNkQlc4QzVoaHZLVC9tMDZ6WGFwWDhFN0ZVYWxOWkdFOWFHd1h1K1dpc2oKNDlSQ0pwb1JBb0dCQU01eGhDUGMvNkFqK091a0xORmVCVU1VTEc4VU54MkF5a3pVRFlUWkNUd1FJQ01YamxQRAo4YStSMmJHRit1N0d4b3c5K091WnFzcjVyK0tIN3BVQkZlVWUyenZvM0FRQzFPb2YrRjBZK2hzMm5tNmdFTVN1CmF2b0NZVW10R2dCVE16QWs0d2tEUWIzNldWUFFNT2ZNaGRNMjdpc2s3TFp5Znl1bzkwRnlobzlmQW9HQkFQOTAKbGtBSTh6b3dvYmZWZUZhVVV0ei9nSDNzNkxwRnhkSFlHZnRCYS9JSXNwKzRwV1dJL0V1YjRXUnk0c3ZOaDNPdAozSitGRnZWclVicFB6Q2VKbm0xVHY5N3FOVVRQa1B4blhnVXdiMFEvVHhRODFIRmoweWlDRGFTVGw4RUx3ejQ1Cm1xYVB6dDA5RTFOVHJpNFBQTWh3WmV5Y2k0Y3drS0c3c0kwaFlweEpBb0dCQUtPVEhuaXNLMy9nQU9QMWVlMksKNmZCMGs2Q1FDL3U4aUk3SGxzNmtpY1Nsb2xFcjRRSk9SN290ZnFoQzJNbEpoeGlvSWd2TC9xQkZweTkvTlhPcgpJSVlqSk9NYlp2bG1wUDI5eHpVOURTOXkzNllYL2pGWllqb21tSitnSVBJUStvWXpOQkY0R3lkRXJuTFNpMjJmCmlJb0xCRHY3VGZSaVZKRnJtRDZyV0NOUkFvR0FZUUN1aFVaZ3hmbnRqdGNheVJXdG1ZblVDdjFKS21LUVNhemIKd05NSTRIRjVFcm1VNU1kdHRuQk0yRTNmM1RBQWZXYkozakUxbEovWit2dU9OSDFIa1pBNXpiWDE0RmxKWHU4Sgpmc0x6bldERThKUmd2MlgrcXVVbnRSVHVqVG1nUENLM25RUUNzM1Fid0lxSUc2bGhsV05JOE41SkJWN2xyT1NPCm1DalRQekVDZ1lFQXRkMXprbzJUQWwwK05zZEliNkZKV2huV2tVM3hSdmdJZGRxcDYydUZXOXl0VDB3VUFpRGYKdmNYRkhDcFNTNnRDZDU0WHVoUzNPeGVuak5Ga0c3MzRtTEh3Z2JMWUl4Q2c1YVBBcFlMMG9QL2lZUFJBNTBROApUWEM2L1JLYWd2TURLZkphS293WVR4aS85TTJ1QUxYNVdia2xvZnlCQzVjQXBhb1Ribll0czE0PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
certificate-authority-data 를 추출
ps0107@k8smaster1:~$ export auth=$(grep certificate-authority-data ~/.kube/config | cut -d " " -f 6)
ps0107@k8smaster1:~$ echo $auth
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJd01ERXlPREE0TWprd09Wb1hEVE13TURFeU5UQTRNamt3T1Zvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTk9XCjZMdDkweTMvZDU2VEdIZFFWR25hZGtScXhPUERPYmplOVpUTkVIU3JWZUU3NWpPQ1A0RWdaTFVxcjBBWm5mSTIKQ0hSU3ZGdkdUT2Qza0o0bnRMS0RrT21VaWV4N2s0ZnRJM0lNc0RraDM4OTMzaGxMRDBBTzZzR3cvUnZpaVJ2Swo1N0RLVjRBaXFTTkRabXlpRFJHRFAvc3o1NllzTEdhQXJTUzVwcFYrQ2NKanhHeXV2UXNKZmZEekJsZ2FCakRoCmlWcDhrdTBNVUpFRktLbDNTNnhLZXRZRTRwZVpNcmlGZUpBb0pVZTZscmpYRWplVVN1a29FdmxmbGJIMGhWL3IKWk1ydkwwaGRKeWdIQjVnZWJnVHVCWDhIWkR4dDBFT1M5ZnBYNWxjYXRJR1g5NGVQdW9PcENYWDF1RVg4alpwYQpzZkpHSkRzdS9pTi9vMWZYcXU4Q0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFDa01VR0pPM2xycEppL2RKdmhZSkdwK29sMHQKQ3lUSVhrK2oyMDFhbmZKYkFiVllENStvb2FxUnRzNWFaa01RZ2loWjUyNGw2bGZ6N3NUNEE0M3VZL3lITmllRgpwb2RvdFFMWXlyRmRCcUoyaFhpcVFOQjRjNHloUXFkMG0rSTNwazJIMDNTOG85MWZ1VUJ3NWZSbDUxRUtIT3I1Ci84cldqdW55KzBRY1IvaEVLZlA5alV0NVZsbm4zMVJPMkhVeFUyTmlQTCtJK0dtWCtod3hzRFkyUk9TZ2xuWUsKcjNkaGU2RXpHQTZBcTJqMmtENTJteWFmNXNRY0NjeXg1cDlSNGdXcWxFTFU1VFZONldTWnVCT3AxQld6azI3NgpURFFRL0hVeHBGSTdZSEtTeVkza0xCb2JoSzViM0syS1RqQk45aEduMisxaHNETFM1R1ZRbkVQMlVTUT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
각 key정보를 base64로 인코딩하여 파일로 저장
ps0107@k8smaster1:~$ echo $client | base64 -d - > ./client.pem
ps0107@k8smaster1:~$ echo $key | base64 -d - > ./client-key.pem
ps0107@k8smaster1:~$ echo $auth | base64 -d - > ./ca.pem
저장된 인증서 정보를 이용하여 api 호출을 할 수 있다.
api server 정보를 확인
ps0107@k8smaster1:~$ kubectl config view | grep server
server: https://k8smaster:6443
key를 이용하여 /api/v1/pods 에 대한 api를 호출해본다.
ps0107@k8smaster1:~$ curl --cert ./client.pem --key ./client-key.pem --cacert ./ca.pem https://k8smaster:6443/api/v1/pods
{
"kind": "PodList",
"apiVersion": "v1",
"metadata": {
"selfLink": "/api/v1/pods",
"resourceVersion": "296347"
},
......
curl 로 api를 호출하여 pod를 생성해 본다
ps0107@k8smaster1:~$ vi curlpod.json
ps0107@k8smaster1:~$ cat curlpod.json
{
"kind": "Pod",
"apiVersion": "v1",
"metadata": {
"name": "curlpod",
"namespace": "default",
"labels": {
"name": "examplepod"
}
},
"spec": {
"containers": [{
"name": "nginx",
"image": "nginx",
"ports": [{"containerPort": 80}]
}]
}
}
ps0107@k8smaster1:~$ curl --cert ./client.pem --key ./client-key.pem --cacert ./ca.pem \
https://k8smaster:6443/api/v1/namespaces/default/pods -XPOST -H'Content-Type: application/json' -d@curlpod.json
{
"kind": "Pod",
"apiVersion": "v1",
"metadata": {
"name": "curlpod",
"namespace": "default",
"selfLink": "/api/v1/namespaces/default/pods/curlpod",
"uid": "d50e5569-88c3-4e0c-9259-85dd07446013",
"resourceVersion": "296389",
"creationTimestamp": "2020-01-30T21:38:35Z",
"labels": {
"name": "examplepod"
}
},
"spec": {
"volumes": [
{
"name": "default-token-76w5h",
"secret": {
"secretName": "default-token-76w5h",
"defaultMode": 420
}
}
],
"containers": [
{
"name": "nginx",
"image": "nginx",
"ports": [
{
"containerPort": 80,
"protocol": "TCP"
}
],
"resources": {
},
"volumeMounts": [
{
"name": "default-token-76w5h",
"readOnly": true,
"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
}
],
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"imagePullPolicy": "Always"
}
],
"restartPolicy": "Always",
"terminationGracePeriodSeconds": 30,
"dnsPolicy": "ClusterFirst",
"serviceAccountName": "default",
"serviceAccount": "default",
"securityContext": {
},
"schedulerName": "default-scheduler",
"tolerations": [
{
"key": "node.kubernetes.io/not-ready",
"operator": "Exists",
"effect": "NoExecute",
"tolerationSeconds": 300
},
{
"key": "node.kubernetes.io/unreachable",
"operator": "Exists",
"effect": "NoExecute",
"tolerationSeconds": 300
}
],
"priority": 0,
"enableServiceLinks": true
},
"status": {
"phase": "Pending",
"qosClass": "BestEffort"
}
}
생성된 pod를 확인해본다
ps0107@k8smaster1:~$ kubectl get pods
NAME READY STATUS RESTARTS AGE
curlpod 1/1 Running 0 6s
Explore API Calls (로컬에 캐싱됨 => 확인)
kubectl get endpoints 명령을 내리면 어떤 것을 참조 하는지 알아본다.
ps0107@k8smaster1:~$ kubectl get endpoints
NAME ENDPOINTS AGE
kubernetes 10.146.0.2:6443 2d13h
openat 부분에 보면 캐싱을 참조하는 것을 확인할 수 있다.
ps0107@k8smaster1:~$ strace kubectl get endpoints
execve("/usr/bin/kubectl", ["kubectl", "get", "endpoints"], [/* 25 vars */]) = 0
arch_prctl(ARCH_SET_FS, 0x2d082d0) = 0
.....
openat(AT_FDCWD, "/home/ps0107/.kube/cache/discovery/k8smaster_6443/authorization.k8s.io/v1/serverresources.json", O_RDONLY|O_CLOEXEC) = 5
epoll_ctl(4, EPOLL_CTL_ADD, 5, {EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, {u32=1026301704, u64=139918175903496}}) = -1 EPERM (Operation not permitted)
epoll_ctl(4, EPOLL_CTL_DEL, 5, 0xc00076cb7c) = -1 EPERM (Operation not permitted)
.....
해당 캐싱된 파일의 경로를 가보자
ps0107@k8smaster1:~$ cd /home/ps0107/.kube/cache/discovery/
ps0107@k8smaster1:~/.kube/cache/discovery$ cd k8smaster_6443/
여러가지가 캐싱된 것을 확인할 수 있다.
ps0107@k8smaster1:~/.kube/cache/discovery/k8smaster_6443$ ls
admissionregistration.k8s.io authentication.k8s.io certificates.k8s.io extensions rbac.authorization.k8s.io v1
apiextensions.k8s.io authorization.k8s.io coordination.k8s.io networking.k8s.io scheduling.k8s.io
apiregistration.k8s.io autoscaling crd.projectcalico.org node.k8s.io servergroups.json
apps batch events.k8s.io policy storage.k8s.io
ps0107@k8smaster1:~/.kube/cache/discovery/k8smaster_6443$ find .
.
./apiextensions.k8s.io
./apiextensions.k8s.io/v1beta1
./apiextensions.k8s.io/v1beta1/serverresources.json
./apps
./apps/v1beta2
./apps/v1beta2/serverresources.json
./apps/v1
./apps/v1/serverresources.json
./apps/v1beta1
./apps/v1beta1/serverresources.json
./policy
./policy/v1beta1
./policy/v1beta1/serverresources.json
./storage.k8s.io
./storage.k8s.io/v1
./storage.k8s.io/v1/serverresources.json
./storage.k8s.io/v1beta1
./storage.k8s.io/v1beta1/serverresources.json
./batch
./batch/v1
./batch/v1/serverresources.json
./batch/v1beta1
./batch/v1beta1/serverresources.json
./events.k8s.io
./events.k8s.io/v1beta1
./events.k8s.io/v1beta1/serverresources.json
./coordination.k8s.io
./coordination.k8s.io/v1
./coordination.k8s.io/v1/serverresources.json
./coordination.k8s.io/v1beta1
./coordination.k8s.io/v1beta1/serverresources.json
./scheduling.k8s.io
./scheduling.k8s.io/v1
./scheduling.k8s.io/v1/serverresources.json
./scheduling.k8s.io/v1beta1
./scheduling.k8s.io/v1beta1/serverresources.json
./certificates.k8s.io
./certificates.k8s.io/v1beta1
./certificates.k8s.io/v1beta1/serverresources.json
./authentication.k8s.io
./authentication.k8s.io/v1
./authentication.k8s.io/v1/serverresources.json
./authentication.k8s.io/v1beta1
./authentication.k8s.io/v1beta1/serverresources.json
./v1
./v1/serverresources.json
./admissionregistration.k8s.io
./admissionregistration.k8s.io/v1beta1
./admissionregistration.k8s.io/v1beta1/serverresources.json
./servergroups.json
./authorization.k8s.io
./authorization.k8s.io/v1
./authorization.k8s.io/v1/serverresources.json
./authorization.k8s.io/v1beta1
./authorization.k8s.io/v1beta1/serverresources.json
./networking.k8s.io
./networking.k8s.io/v1
./networking.k8s.io/v1/serverresources.json
./networking.k8s.io/v1beta1
./networking.k8s.io/v1beta1/serverresources.json
./node.k8s.io
./node.k8s.io/v1beta1
./node.k8s.io/v1beta1/serverresources.json
./rbac.authorization.k8s.io
./rbac.authorization.k8s.io/v1
./rbac.authorization.k8s.io/v1/serverresources.json
./rbac.authorization.k8s.io/v1beta1
./rbac.authorization.k8s.io/v1beta1/serverresources.json
./apiregistration.k8s.io
./apiregistration.k8s.io/v1
./apiregistration.k8s.io/v1/serverresources.json
./apiregistration.k8s.io/v1beta1
./apiregistration.k8s.io/v1beta1/serverresources.json
./crd.projectcalico.org
./crd.projectcalico.org/v1
./crd.projectcalico.org/v1/serverresources.json
./extensions
./extensions/v1beta1
./extensions/v1beta1/serverresources.json
./autoscaling
./autoscaling/v1
./autoscaling/v1/serverresources.json
./autoscaling/v2beta2
./autoscaling/v2beta2/serverresources.json
./autoscaling/v2beta1
./autoscaling/v2beta1/serverresources.json
ps0107@k8smaster1:~/.kube/cache/discovery/k8smaster_6443$ python -m json.tool v1/serverresources.json
{
"apiVersion": "v1",
"groupVersion": "v1",
"kind": "APIResourceList",
"resources": [
{
"kind": "Binding",
"name": "bindings",
"namespaced": true,
"singularName": "",
"verbs": [
"create"
]
},
{
"kind": "ComponentStatus",
"name": "componentstatuses",
"namespaced": false,
"shortNames": [
"cs"
],
"singularName": "",
"verbs": [
"get",
"list"
]
},
{
"kind": "ConfigMap",
"name": "configmaps",
"namespaced": true,
"shortNames": [
"cm"
],
"singularName": "",
"storageVersionHash": "qFsyl6wFWjQ=",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
]
},
{
"kind": "Endpoints",
"name": "endpoints",
"namespaced": true,
"shortNames": [
"ep"
],
"singularName": "",
"storageVersionHash": "fWeeMqaN/OA=",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
]
},
{
"kind": "Event",
"name": "events",
"namespaced": true,
"shortNames": [
"ev"
],
"singularName": "",
"storageVersionHash": "r2yiGXH7wu8=",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
]
},
{
"kind": "LimitRange",
"name": "limitranges",
"namespaced": true,
"shortNames": [
"limits"
],
"singularName": "",
"storageVersionHash": "EBKMFVe6cwo=",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
]
},
{
"kind": "Namespace",
"name": "namespaces",
"namespaced": false,
"shortNames": [
"ns"
],
"singularName": "",
"storageVersionHash": "Q3oi5N2YM8M=",
"verbs": [
"create",
"delete",
"get",
"list",
"patch",
"update",
"watch"
]
},
{
"kind": "Namespace",
"name": "namespaces/finalize",
"namespaced": false,
"singularName": "",
"verbs": [
"update"
]
},
{
"kind": "Namespace",
"name": "namespaces/status",
"namespaced": false,
"singularName": "",
"verbs": [
"get",
"patch",
"update"
]
},
{
"kind": "Node",
"name": "nodes",
"namespaced": false,
"shortNames": [
"no"
],
"singularName": "",
"storageVersionHash": "XwShjMxG9Fs=",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
]
},
{
"kind": "NodeProxyOptions",
"name": "nodes/proxy",
"namespaced": false,
"singularName": "",
"verbs": [
"create",
"delete",
"get",
"patch",
"update"
]
},
{
"kind": "Node",
"name": "nodes/status",
"namespaced": false,
"singularName": "",
"verbs": [
"get",
"patch",
"update"
]
},
{
"kind": "PersistentVolumeClaim",
"name": "persistentvolumeclaims",
"namespaced": true,
"shortNames": [
"pvc"
],
"singularName": "",
"storageVersionHash": "QWTyNDq0dC4=",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
]
},
{
"kind": "PersistentVolumeClaim",
"name": "persistentvolumeclaims/status",
"namespaced": true,
"singularName": "",
"verbs": [
"get",
"patch",
"update"
]
},
{
"kind": "PersistentVolume",
"name": "persistentvolumes",
"namespaced": false,
"shortNames": [
"pv"
],
"singularName": "",
"storageVersionHash": "HN/zwEC+JgM=",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
]
},
{
"kind": "PersistentVolume",
"name": "persistentvolumes/status",
"namespaced": false,
"singularName": "",
"verbs": [
"get",
"patch",
"update"
]
},
{
"categories": [
"all"
],
"kind": "Pod",
"name": "pods",
"namespaced": true,
"shortNames": [
"po"
],
"singularName": "",
"storageVersionHash": "xPOwRZ+Yhw8=",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
]
},
{
"kind": "PodAttachOptions",
"name": "pods/attach",
"namespaced": true,
"singularName": "",
"verbs": [
"create",
"get"
]
},
{
"kind": "Binding",
"name": "pods/binding",
"namespaced": true,
"singularName": "",
"verbs": [
"create"
]
},
{
"group": "policy",
"kind": "Eviction",
"name": "pods/eviction",
"namespaced": true,
"singularName": "",
"verbs": [
"create"
],
"version": "v1beta1"
},
{
"kind": "PodExecOptions",
"name": "pods/exec",
"namespaced": true,
"singularName": "",
"verbs": [
"create",
"get"
]
},
{
"kind": "Pod",
"name": "pods/log",
"namespaced": true,
"singularName": "",
"verbs": [
"get"
]
},
{
"kind": "PodPortForwardOptions",
"name": "pods/portforward",
"namespaced": true,
"singularName": "",
"verbs": [
"create",
"get"
]
},
{
"kind": "PodProxyOptions",
"name": "pods/proxy",
"namespaced": true,
"singularName": "",
"verbs": [
"create",
"delete",
"get",
"patch",
"update"
]
},
{
"kind": "Pod",
"name": "pods/status",
"namespaced": true,
"singularName": "",
"verbs": [
"get",
"patch",
"update"
]
},
{
"kind": "PodTemplate",
"name": "podtemplates",
"namespaced": true,
"singularName": "",
"storageVersionHash": "LIXB2x4IFpk=",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
]
},
{
"categories": [
"all"
],
"kind": "ReplicationController",
"name": "replicationcontrollers",
"namespaced": true,
"shortNames": [
"rc"
],
"singularName": "",
"storageVersionHash": "Jond2If31h0=",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
]
},
{
"group": "autoscaling",
"kind": "Scale",
"name": "replicationcontrollers/scale",
"namespaced": true,
"singularName": "",
"verbs": [
"get",
"patch",
"update"
],
"version": "v1"
},
{
"kind": "ReplicationController",
"name": "replicationcontrollers/status",
"namespaced": true,
"singularName": "",
"verbs": [
"get",
"patch",
"update"
]
},
{
"kind": "ResourceQuota",
"name": "resourcequotas",
"namespaced": true,
"shortNames": [
"quota"
],
"singularName": "",
"storageVersionHash": "8uhSgffRX6w=",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
]
},
{
"kind": "ResourceQuota",
"name": "resourcequotas/status",
"namespaced": true,
"singularName": "",
"verbs": [
"get",
"patch",
"update"
]
},
{
"kind": "Secret",
"name": "secrets",
"namespaced": true,
"singularName": "",
"storageVersionHash": "S6u1pOWzb84=",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
]
},
{
"kind": "ServiceAccount",
"name": "serviceaccounts",
"namespaced": true,
"shortNames": [
"sa"
],
"singularName": "",
"storageVersionHash": "pbx9ZvyFpBE=",
"verbs": [
"create",
"delete",
"deletecollection",
"get",
"list",
"patch",
"update",
"watch"
]
},
{
"categories": [
"all"
],
"kind": "Service",
"name": "services",
"namespaced": true,
"shortNames": [
"svc"
],
"singularName": "",
"storageVersionHash": "0/CO1lhkEBI=",
"verbs": [
"create",
"delete",
"get",
"list",
"patch",
"update",
"watch"
]
},
{
"kind": "ServiceProxyOptions",
"name": "services/proxy",
"namespaced": true,
"singularName": "",
"verbs": [
"create",
"delete",
"get",
"patch",
"update"
]
},
{
"kind": "Service",
"name": "services/status",
"namespaced": true,
"singularName": "",
"verbs": [
"get",
"patch",
"update"
]
}
]
}
위에 정보에 보면 shortcut 정보가 정의되어 있어, 아래와 같이 endpoint를 ep로도 사용할수 있다.
ps0107@k8smaster1:~/.kube/cache/discovery/k8smaster_6443$ kubectl get ep
NAME ENDPOINTS AGE
kubernetes 10.146.0.2:6443 2d13h
ps0107@k8smaster1:~/.kube/cache/discovery/k8smaster_6443$ python -m json.tool v1/serverresources.json | grep kind
"kind": "APIResourceList",
"kind": "Binding",
"kind": "ComponentStatus",
"kind": "ConfigMap",
"kind": "Endpoints",
"kind": "Event",
"kind": "LimitRange",
"kind": "Namespace",
"kind": "Namespace",
"kind": "Namespace",
"kind": "Node",
"kind": "NodeProxyOptions",
"kind": "Node",
"kind": "PersistentVolumeClaim",
"kind": "PersistentVolumeClaim",
"kind": "PersistentVolume",
"kind": "PersistentVolume",
"kind": "Pod",
"kind": "PodAttachOptions",
"kind": "Binding",
"kind": "Eviction",
"kind": "PodExecOptions",
"kind": "Pod",
"kind": "PodPortForwardOptions",
"kind": "PodProxyOptions",
"kind": "Pod",
"kind": "PodTemplate",
"kind": "ReplicationController",
"kind": "Scale",
"kind": "ReplicationController",
"kind": "ResourceQuota",
"kind": "ResourceQuota",
"kind": "Secret",
"kind": "ServiceAccount",
"kind": "Service",
"kind": "ServiceProxyOptions",
"kind": "Service",
ps0107@k8smaster1:~/.kube/cache/discovery/k8smaster_6443$ python -m json.tool apps/v1beta1/serverresources.json | grep kind
"kind": "APIResourceList",
"kind": "ControllerRevision",
"kind": "Deployment",
"kind": "DeploymentRollback",
"kind": "Scale",
"kind": "Deployment",
"kind": "StatefulSet",
"kind": "Scale",
"kind": "StatefulSet",
curl로 만든 pod를 삭제 한다.
ps0107@k8smaster1:~/.kube/cache/discovery/k8smaster_6443$ kubectl delete po curlpod
pod "curlpod" deleted
참조) CKA 대비 간단 실습
01. kubeadm 을 이용한 설치 및 세팅
02. kubernetes 클러스터 노드 확장 및 셋팅
03. 간단한 application 배포, yaml템플릿, 서비스 expose 해보기
04. deployment 의 CPU, Memory 제약
05. namespace 를 위한 resource limit 설정
06. 좀더 복잡한 deployment 배포해보기
07. 기본 Node 의 maintenance (유지보수)
08. API AND ACCESS
09. API 객체
10. Managing State with Deployments
11. Service Resource
12. Volumes and Data : ConfigMap 간단 테스트
13. PV 와 PVC 생성
14. ResourceQuota 사용 (PVC Count 와 Usage를 제한)
15. ingress 간단 실습
16. Scheduling - label 사용한 pod 할당
17. Scheduling - Taint를 이용한 pod 배포 관리
18. 로깅과 트러블슈팅 : 로그위치와 로그 출력 보기
19. 로깅과 트러블슈팅 : Metrics와 DashBoard
20. CRD (Custom Resource Definition)
21. helm
22. Security - TLS
23. Security - Authentication, Authorization, Admission
24. HA(High Availability) 구성 - master node