[kubernetes-lab] API AND ACCESS

TLS access setup (certificate-based access to the cluster API)

To call the API directly, three credentials are needed.

They are stored base64-encoded in ~/.kube/config under the three fields below; decode each one and save it to its own file.

- certificate-authority-data
- client-certificate-data
- client-key-data

 

Check the contents of ~/.kube/config

ps0107@k8smaster1:~$ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ...
    server: https://k8smaster:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lJVUpXVjZQeWhwSnd3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TURBeE1qZ3dPREk1TURsYUZ3MHlNVEF4TWpjd09ESTVNVEZhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXpnRVhPY0JvZ1p2cGtlMysKVTdMcXBWVEVJMmc0Y241Wm5pNEhzVkYwdk9IQm9VTHlEZ1FBakYreDZNbEpYVlRGVWpxOXZkQm5pZFE3clJUWgoxL1g4a1BnSmVMbm8wNTgra213aHM3Y0F1T0pHQnlIamQ1TTVRaVFvM01ydGNQVlpVOHd3a3ZFT0dSa3JuOWlYCkNQeCt6WHhoNXNPRW9BRGR4TFJ1bVp1aGZoQXBFYlhSRVRHbTdCdnh4d2pneHBsdmoxR3gwTDBydlZLZTl6V0YKbGxCbTZpTW42NWlHMjVpVmZOcTVubDNRNCtMejFsejNENkRwamtaT2VEalJEcDZyOVYycVJzb2JocStOQjVFZQpRZXFMRUNqaWZ6aGwvRUZ0bmh1QmVTTXdyeHM2U1BzV2RyaHE5ZndHKzBDK2VjQmNvQ2xYV0xtcGp4cVF2dHJFCnlSckdGd0lEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFNcWQ3UWJ1MXpYQSsvZGRpWWYwQlI1cjdjMjUvalhGc25PVAp3RFBQT0ZrZ0tObDdsQy9xNndNdmNlUS9lRDl3Ti9ENUYwWlpHZDRSSWV0WklILzJSNklUNSs3V3RLK0dFRFp3CjFZL3p2MkVYeFZ1Y0ErNjZ6RzdtR3p1SnBJSkZwdjM0UlducEdSQ1lGMk52WDYwL2o4QTRiTnhsMXo1YWZDaDcKS0psd2RYYTdnK01qZXV6QmkzQmpOYnI4Mnh3bjNmVHJqWlBxYThqaGF0cWtPaHIwQkRnNUFzQTk4dEpnSDFmTgorU0prUkZ4OUREY0JXdDZGMDNYdW84TTk4L1RFcFc2cExzZWM0YjkyT0ZsUGg5Z2NlVXk0T3BnQnNYTElySDZoCkJCNTVyRmtLYWJ6ekhGYUV4RGxwSzZZczJnMDZZbmppVnBjU3N0WmludXBoV0s5S243RT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: ...

 

Extract client-certificate-data (it is field 6 of the line because kubeadm indents it with four spaces; the column shifts if the file is indented differently)

ps0107@k8smaster1:~$ export client=$(grep client-cert ~/.kube/config | cut -d " " -f 6)
ps0107@k8smaster1:~$ echo $client
...

 

Extract client-key-data

ps0107@k8smaster1:~$ export key=$(grep client-key-data ~/.kube/config | cut -d " " -f 6)
ps0107@k8smaster1:~$ echo $key
...

 

Extract certificate-authority-data

ps0107@k8smaster1:~$ export auth=$(grep certificate-authority-data ~/.kube/config | cut -d " " -f 6)
ps0107@k8smaster1:~$ echo $auth
...

 

Decode each value from base64 (base64 -d, not encode) and save it to a file. client-key.pem is a private key, so make it readable by its owner only.

ps0107@k8smaster1:~$ echo $client | base64 -d - > ./client.pem
ps0107@k8smaster1:~$ echo $key | base64 -d - > ./client-key.pem
ps0107@k8smaster1:~$ echo $auth | base64 -d - > ./ca.pem

 


With the saved certificate files the API can be called directly. Note what these files are: the client certificate in this kubeconfig was issued by the cluster CA to CN=kubernetes-admin, O=system:masters, so client.pem together with client-key.pem is a cluster-admin credential. Keep client-key.pem owner-readable only and delete the extracted copies when the exercise is done.

 

Check the API server address

ps0107@k8smaster1:~$ kubectl config view | grep server
    server: https://k8smaster:6443

 

Call /api/v1/pods using the extracted credentials. --cacert makes curl verify the server against the cluster CA; --cert and --key present the client certificate for authentication.

ps0107@k8smaster1:~$ curl --cert ./client.pem --key ./client-key.pem --cacert ./ca.pem https://k8smaster:6443/api/v1/pods
{
  "kind": "PodList",
  "apiVersion": "v1",
  "metadata": {
    "selfLink": "/api/v1/pods",
    "resourceVersion": "296347"
  },
......

 

Create a pod by calling the API with curl

ps0107@k8smaster1:~$ vi curlpod.json
ps0107@k8smaster1:~$ cat curlpod.json
{
  "kind": "Pod",
  "apiVersion": "v1",
  "metadata": {
    "name": "curlpod",
    "namespace": "default",
    "labels": {
      "name": "examplepod"
    }
  },
  "spec": {
    "containers": [{
      "name": "nginx",
      "image": "nginx",
      "ports": [{"containerPort": 80}]
    }]
  }
}

ps0107@k8smaster1:~$ curl --cert ./client.pem --key ./client-key.pem --cacert ./ca.pem \
https://k8smaster:6443/api/v1/namespaces/default/pods -XPOST -H'Content-Type: application/json' -d@curlpod.json
{
  "kind": "Pod",
  "apiVersion": "v1",
  "metadata": {
    "name": "curlpod",
    "namespace": "default",
    "selfLink": "/api/v1/namespaces/default/pods/curlpod",
    "uid": "d50e5569-88c3-4e0c-9259-85dd07446013",
    "resourceVersion": "296389",
    "creationTimestamp": "2020-01-30T21:38:35Z",
    "labels": {
      "name": "examplepod"
    }
  },
  "spec": {
    "volumes": [
      {
        "name": "default-token-76w5h",
        "secret": {
          "secretName": "default-token-76w5h",
          "defaultMode": 420
        }
      }
    ],
    "containers": [
      {
        "name": "nginx",
        "image": "nginx",
        "ports": [
          {
            "containerPort": 80,
            "protocol": "TCP"
          }
        ],
        "resources": {

        },
        "volumeMounts": [
          {
            "name": "default-token-76w5h",
            "readOnly": true,
            "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
          }
        ],
        "terminationMessagePath": "/dev/termination-log",
        "terminationMessagePolicy": "File",
        "imagePullPolicy": "Always"
      }
    ],
    "restartPolicy": "Always",
    "terminationGracePeriodSeconds": 30,
    "dnsPolicy": "ClusterFirst",
    "serviceAccountName": "default",
    "serviceAccount": "default",
    "securityContext": {

    },
    "schedulerName": "default-scheduler",
    "tolerations": [
      {
        "key": "node.kubernetes.io/not-ready",
        "operator": "Exists",
        "effect": "NoExecute",
        "tolerationSeconds": 300
      },
      {
        "key": "node.kubernetes.io/unreachable",
        "operator": "Exists",
        "effect": "NoExecute",
        "tolerationSeconds": 300
      }
    ],
    "priority": 0,
    "enableServiceLinks": true
  },
  "status": {
    "phase": "Pending",
    "qosClass": "BestEffort"
  }
}

 

Check the created pod. Note in the response above that the default service account token was auto-mounted into the container (default-token-76w5h under /var/run/secrets/kubernetes.io/serviceaccount); a pod that never talks to the API should set automountServiceAccountToken: false in its spec.

ps0107@k8smaster1:~$ kubectl get pods
NAME      READY   STATUS    RESTARTS   AGE
curlpod   1/1     Running   0          6s
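The extraction steps and the curl calls above, done from Python as an added example (this is not code from the original page). It locates the three *-data fields by name rather than by column position, checks that each decodes to a PEM block, writes the files with mode 0600, and builds the mTLS connection equivalent to curl's --cacert/--cert/--key. The kubeconfig embedded in it is constructed with placeholder PEM blobs, not real keys; the function names are my own.

```python
"""Added example (not from the original page): pull the three PEM blobs out of a
kubeconfig, store them owner-only, and build the mTLS client that the curl
--cert/--key/--cacert calls above use. Standard library only (no PyYAML)."""
import base64
import http.client
import os
import re
import ssl
import stat
import tempfile
from urllib.parse import urlparse

# kubeconfig field -> (output file, PEM header the decoded bytes must start with)
FIELDS = {
    "certificate-authority-data": ("ca.pem", b"-----BEGIN CERTIFICATE-----"),
    "client-certificate-data": ("client.pem", b"-----BEGIN CERTIFICATE-----"),
    "client-key-data": ("client-key.pem", b"-----BEGIN "),  # RSA / EC / PKCS#8 labels differ
}


def _field(kubeconfig_text, name):
    """Value of the first `name: value` line. Located by key, so YAML indentation does not
    matter (`cut -d " " -f 6` silently returns nothing if the indent changes)."""
    m = re.search(r"^[ \t]*%s:[ \t]*(\S+)[ \t]*$" % re.escape(name), kubeconfig_text, re.M)
    if not m:
        raise ValueError("kubeconfig has no %s entry" % name)
    return m.group(1)


def extract_pem_blobs(kubeconfig_text):
    """Return {field: decoded PEM bytes}; fails if a field is missing (token users) or not PEM."""
    blobs = {}
    for field, (_, header) in FIELDS.items():
        pem = base64.b64decode(_field(kubeconfig_text, field), validate=True)
        if not pem.startswith(header):
            raise ValueError("%s did not decode to a PEM block" % field)
        blobs[field] = pem
    return blobs


def write_pem_files(blobs, out_dir):
    """Write each blob with mode 0600. client-key.pem is the user's private key; for a
    kubeadm admin.conf that user is CN=kubernetes-admin, O=system:masters (cluster-admin)."""
    paths = {}
    for field, pem in blobs.items():
        path = os.path.join(out_dir, FIELDS[field][0])
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(pem)
        os.chmod(path, 0o600)  # O_CREAT's mode only applies to newly created files
        paths[FIELDS[field][0]] = path
    return paths


def file_mode(path):
    """Permission bits only, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def mtls_connection(server, ca_path, cert_path, key_path):
    """HTTPSConnection matching `curl --cacert ca.pem --cert client.pem --key client-key.pem`."""
    ctx = ssl.create_default_context(cafile=ca_path)           # trust only the cluster CA
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)  # client certificate auth
    u = urlparse(server)
    return http.client.HTTPSConnection(u.hostname, u.port or 443, context=ctx)


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample kubeconfig: the *-data values are PEM-shaped placeholders, not real keys.
SAMPLE_KUBECONFIG = """apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: %s
    server: https://k8smaster:6443
  name: kubernetes
users:
- name: kubernetes-admin
  user:
    client-certificate-data: %s
    client-key-data: %s
""" % (
    _b64("-----BEGIN CERTIFICATE-----\nCA\n-----END CERTIFICATE-----\n"),
    _b64("-----BEGIN CERTIFICATE-----\nCLIENT\n-----END CERTIFICATE-----\n"),
    _b64("-----BEGIN RSA PRIVATE KEY-----\nKEY\n-----END RSA PRIVATE KEY-----\n"),
)


def demo():
    """Extract from the sample into a temp dir; returns (server URL, {file: path}, key file mode)."""
    out_dir = tempfile.mkdtemp(prefix="kubeconfig-")
    paths = write_pem_files(extract_pem_blobs(SAMPLE_KUBECONFIG), out_dir)
    return _field(SAMPLE_KUBECONFIG, "server"), paths, file_mode(paths["client-key.pem"])
```

Against a real cluster, read ~/.kube/config into extract_pem_blobs, then mtls_connection(server, ca, cert, key).request("GET", "/api/v1/pods") returns the same PodList that curl printed above; a POST with Content-Type: application/json and the curlpod.json body creates the pod.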


Explore API calls (discovery results are cached locally; let's check)

 

Let's find out what kubectl get endpoints consults when it runs.

ps0107@k8smaster1:~$ kubectl get endpoints
NAME         ENDPOINTS         AGE
kubernetes   10.146.0.2:6443   2d13h

 

The openat call shows kubectl reading the discovery data (which API groups, versions and resources the server offers) from its local cache instead of re-fetching it. The EPERM results from epoll_ctl are the Go runtime trying to register a regular file with epoll, which Linux does not permit; they are harmless.

ps0107@k8smaster1:~$ strace kubectl get endpoints
execve("/usr/bin/kubectl", ["kubectl", "get", "endpoints"], [/* 25 vars */]) = 0
arch_prctl(ARCH_SET_FS, 0x2d082d0)      = 0
.....
openat(AT_FDCWD, "/home/ps0107/.kube/cache/discovery/k8smaster_6443/authorization.k8s.io/v1/serverresources.json", O_RDONLY|O_CLOEXEC) = 5
epoll_ctl(4, EPOLL_CTL_ADD, 5, {EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, {u32=1026301704, u64=139918175903496}}) = -1 EPERM (Operation not permitted)
epoll_ctl(4, EPOLL_CTL_DEL, 5, 0xc00076cb7c) = -1 EPERM (Operation not permitted)
.....

 

Let's go to the directory holding the cached files

ps0107@k8smaster1:~$ cd /home/ps0107/.kube/cache/discovery/
ps0107@k8smaster1:~/.kube/cache/discovery$ cd k8smaster_6443/

 

Many API groups and versions have been cached.

ps0107@k8smaster1:~/.kube/cache/discovery/k8smaster_6443$ ls
admissionregistration.k8s.io  authentication.k8s.io  certificates.k8s.io    extensions         rbac.authorization.k8s.io  v1
apiextensions.k8s.io          authorization.k8s.io   coordination.k8s.io    networking.k8s.io  scheduling.k8s.io
apiregistration.k8s.io        autoscaling            crd.projectcalico.org  node.k8s.io        servergroups.json
apps                          batch                  events.k8s.io          policy             storage.k8s.io

ps0107@k8smaster1:~/.kube/cache/discovery/k8smaster_6443$ find .
.
./apiextensions.k8s.io
./apiextensions.k8s.io/v1beta1
./apiextensions.k8s.io/v1beta1/serverresources.json
./apps
./apps/v1beta2
./apps/v1beta2/serverresources.json
./apps/v1
./apps/v1/serverresources.json
./apps/v1beta1
./apps/v1beta1/serverresources.json
./policy
./policy/v1beta1
./policy/v1beta1/serverresources.json
./storage.k8s.io
./storage.k8s.io/v1
./storage.k8s.io/v1/serverresources.json
./storage.k8s.io/v1beta1
./storage.k8s.io/v1beta1/serverresources.json
./batch
./batch/v1
./batch/v1/serverresources.json
./batch/v1beta1
./batch/v1beta1/serverresources.json
./events.k8s.io
./events.k8s.io/v1beta1
./events.k8s.io/v1beta1/serverresources.json
./coordination.k8s.io
./coordination.k8s.io/v1
./coordination.k8s.io/v1/serverresources.json
./coordination.k8s.io/v1beta1
./coordination.k8s.io/v1beta1/serverresources.json
./scheduling.k8s.io
./scheduling.k8s.io/v1
./scheduling.k8s.io/v1/serverresources.json
./scheduling.k8s.io/v1beta1
./scheduling.k8s.io/v1beta1/serverresources.json
./certificates.k8s.io
./certificates.k8s.io/v1beta1
./certificates.k8s.io/v1beta1/serverresources.json
./authentication.k8s.io
./authentication.k8s.io/v1
./authentication.k8s.io/v1/serverresources.json
./authentication.k8s.io/v1beta1
./authentication.k8s.io/v1beta1/serverresources.json
./v1
./v1/serverresources.json
./admissionregistration.k8s.io
./admissionregistration.k8s.io/v1beta1
./admissionregistration.k8s.io/v1beta1/serverresources.json
./servergroups.json
./authorization.k8s.io
./authorization.k8s.io/v1
./authorization.k8s.io/v1/serverresources.json
./authorization.k8s.io/v1beta1
./authorization.k8s.io/v1beta1/serverresources.json
./networking.k8s.io
./networking.k8s.io/v1
./networking.k8s.io/v1/serverresources.json
./networking.k8s.io/v1beta1
./networking.k8s.io/v1beta1/serverresources.json
./node.k8s.io
./node.k8s.io/v1beta1
./node.k8s.io/v1beta1/serverresources.json
./rbac.authorization.k8s.io
./rbac.authorization.k8s.io/v1
./rbac.authorization.k8s.io/v1/serverresources.json
./rbac.authorization.k8s.io/v1beta1
./rbac.authorization.k8s.io/v1beta1/serverresources.json
./apiregistration.k8s.io
./apiregistration.k8s.io/v1
./apiregistration.k8s.io/v1/serverresources.json
./apiregistration.k8s.io/v1beta1
./apiregistration.k8s.io/v1beta1/serverresources.json
./crd.projectcalico.org
./crd.projectcalico.org/v1
./crd.projectcalico.org/v1/serverresources.json
./extensions
./extensions/v1beta1
./extensions/v1beta1/serverresources.json
./autoscaling
./autoscaling/v1
./autoscaling/v1/serverresources.json
./autoscaling/v2beta2
./autoscaling/v2beta2/serverresources.json
./autoscaling/v2beta1
./autoscaling/v2beta1/serverresources.json

ps0107@k8smaster1:~/.kube/cache/discovery/k8smaster_6443$ python -m json.tool v1/serverresources.json
{
    "apiVersion": "v1",
    "groupVersion": "v1",
    "kind": "APIResourceList",
    "resources": [
        {
            "kind": "Binding",
            "name": "bindings",
            "namespaced": true,
            "singularName": "",
            "verbs": [
                "create"
            ]
        },
        {
            "kind": "ComponentStatus",
            "name": "componentstatuses",
            "namespaced": false,
            "shortNames": [
                "cs"
            ],
            "singularName": "",
            "verbs": [
                "get",
                "list"
            ]
        },
        {
            "kind": "ConfigMap",
            "name": "configmaps",
            "namespaced": true,
            "shortNames": [
                "cm"
            ],
            "singularName": "",
            "storageVersionHash": "qFsyl6wFWjQ=",
            "verbs": [
                "create",
                "delete",
                "deletecollection",
                "get",
                "list",
                "patch",
                "update",
                "watch"
            ]
        },
        {
            "kind": "Endpoints",
            "name": "endpoints",
            "namespaced": true,
            "shortNames": [
                "ep"
            ],
            "singularName": "",
            "storageVersionHash": "fWeeMqaN/OA=",
            "verbs": [
                "create",
                "delete",
                "deletecollection",
                "get",
                "list",
                "patch",
                "update",
                "watch"
            ]
        },
        {
            "kind": "Event",
            "name": "events",
            "namespaced": true,
            "shortNames": [
                "ev"
            ],
            "singularName": "",
            "storageVersionHash": "r2yiGXH7wu8=",
            "verbs": [
                "create",
                "delete",
                "deletecollection",
                "get",
                "list",
                "patch",
                "update",
                "watch"
            ]
        },
        {
            "kind": "LimitRange",
            "name": "limitranges",
            "namespaced": true,
            "shortNames": [
                "limits"
            ],
            "singularName": "",
            "storageVersionHash": "EBKMFVe6cwo=",
            "verbs": [
                "create",
                "delete",
                "deletecollection",
                "get",
                "list",
                "patch",
                "update",
                "watch"
            ]
        },
        {
            "kind": "Namespace",
            "name": "namespaces",
            "namespaced": false,
            "shortNames": [
                "ns"
            ],
            "singularName": "",
            "storageVersionHash": "Q3oi5N2YM8M=",
            "verbs": [
                "create",
                "delete",
                "get",
                "list",
                "patch",
                "update",
                "watch"
            ]
        },
        {
            "kind": "Namespace",
            "name": "namespaces/finalize",
            "namespaced": false,
            "singularName": "",
            "verbs": [
                "update"
            ]
        },
        {
            "kind": "Namespace",
            "name": "namespaces/status",
            "namespaced": false,
            "singularName": "",
            "verbs": [
                "get",
                "patch",
                "update"
            ]
        },
        {
            "kind": "Node",
            "name": "nodes",
            "namespaced": false,
            "shortNames": [
                "no"
            ],
            "singularName": "",
            "storageVersionHash": "XwShjMxG9Fs=",
            "verbs": [
                "create",
                "delete",
                "deletecollection",
                "get",
                "list",
                "patch",
                "update",
                "watch"
            ]
        },
        {
            "kind": "NodeProxyOptions",
            "name": "nodes/proxy",
            "namespaced": false,
            "singularName": "",
            "verbs": [
                "create",
                "delete",
                "get",
                "patch",
                "update"
            ]
        },
        {
            "kind": "Node",
            "name": "nodes/status",
            "namespaced": false,
            "singularName": "",
            "verbs": [
                "get",
                "patch",
                "update"
            ]
        },
        {
            "kind": "PersistentVolumeClaim",
            "name": "persistentvolumeclaims",
            "namespaced": true,
            "shortNames": [
                "pvc"
            ],
            "singularName": "",
            "storageVersionHash": "QWTyNDq0dC4=",
            "verbs": [
                "create",
                "delete",
                "deletecollection",
                "get",
                "list",
                "patch",
                "update",
                "watch"
            ]
        },
        {
            "kind": "PersistentVolumeClaim",
            "name": "persistentvolumeclaims/status",
            "namespaced": true,
            "singularName": "",
            "verbs": [
                "get",
                "patch",
                "update"
            ]
        },
        {
            "kind": "PersistentVolume",
            "name": "persistentvolumes",
            "namespaced": false,
            "shortNames": [
                "pv"
            ],
            "singularName": "",
            "storageVersionHash": "HN/zwEC+JgM=",
            "verbs": [
                "create",
                "delete",
                "deletecollection",
                "get",
                "list",
                "patch",
                "update",
                "watch"
            ]
        },
        {
            "kind": "PersistentVolume",
            "name": "persistentvolumes/status",
            "namespaced": false,
            "singularName": "",
            "verbs": [
                "get",
                "patch",
                "update"
            ]
        },
        {
            "categories": [
                "all"
            ],
            "kind": "Pod",
            "name": "pods",
            "namespaced": true,
            "shortNames": [
                "po"
            ],
            "singularName": "",
            "storageVersionHash": "xPOwRZ+Yhw8=",
            "verbs": [
                "create",
                "delete",
                "deletecollection",
                "get",
                "list",
                "patch",
                "update",
                "watch"
            ]
        },
        {
            "kind": "PodAttachOptions",
            "name": "pods/attach",
            "namespaced": true,
            "singularName": "",
            "verbs": [
                "create",
                "get"
            ]
        },
        {
            "kind": "Binding",
            "name": "pods/binding",
            "namespaced": true,
            "singularName": "",
            "verbs": [
                "create"
            ]
        },
        {
            "group": "policy",
            "kind": "Eviction",
            "name": "pods/eviction",
            "namespaced": true,
            "singularName": "",
            "verbs": [
                "create"
            ],
            "version": "v1beta1"
        },
        {
            "kind": "PodExecOptions",
            "name": "pods/exec",
            "namespaced": true,
            "singularName": "",
            "verbs": [
                "create",
                "get"
            ]
        },
        {
            "kind": "Pod",
            "name": "pods/log",
            "namespaced": true,
            "singularName": "",
            "verbs": [
                "get"
            ]
        },
        {
            "kind": "PodPortForwardOptions",
            "name": "pods/portforward",
            "namespaced": true,
            "singularName": "",
            "verbs": [
                "create",
                "get"
            ]
        },
        {
            "kind": "PodProxyOptions",
            "name": "pods/proxy",
            "namespaced": true,
            "singularName": "",
            "verbs": [
                "create",
                "delete",
                "get",
                "patch",
                "update"
            ]
        },
        {
            "kind": "Pod",
            "name": "pods/status",
            "namespaced": true,
            "singularName": "",
            "verbs": [
                "get",
                "patch",
                "update"
            ]
        },
        {
            "kind": "PodTemplate",
            "name": "podtemplates",
            "namespaced": true,
            "singularName": "",
            "storageVersionHash": "LIXB2x4IFpk=",
            "verbs": [
                "create",
                "delete",
                "deletecollection",
                "get",
                "list",
                "patch",
                "update",
                "watch"
            ]
        },
        {
            "categories": [
                "all"
            ],
            "kind": "ReplicationController",
            "name": "replicationcontrollers",
            "namespaced": true,
            "shortNames": [
                "rc"
            ],
            "singularName": "",
            "storageVersionHash": "Jond2If31h0=",
            "verbs": [
                "create",
                "delete",
                "deletecollection",
                "get",
                "list",
                "patch",
                "update",
                "watch"
            ]
        },
        {
            "group": "autoscaling",
            "kind": "Scale",
            "name": "replicationcontrollers/scale",
            "namespaced": true,
            "singularName": "",
            "verbs": [
                "get",
                "patch",
                "update"
            ],
            "version": "v1"
        },
        {
            "kind": "ReplicationController",
            "name": "replicationcontrollers/status",
            "namespaced": true,
            "singularName": "",
            "verbs": [
                "get",
                "patch",
                "update"
            ]
        },
        {
            "kind": "ResourceQuota",
            "name": "resourcequotas",
            "namespaced": true,
            "shortNames": [
                "quota"
            ],
            "singularName": "",
            "storageVersionHash": "8uhSgffRX6w=",
            "verbs": [
                "create",
                "delete",
                "deletecollection",
                "get",
                "list",
                "patch",
                "update",
                "watch"
            ]
        },
        {
            "kind": "ResourceQuota",
            "name": "resourcequotas/status",
            "namespaced": true,
            "singularName": "",
            "verbs": [
                "get",
                "patch",
                "update"
            ]
        },
        {
            "kind": "Secret",
            "name": "secrets",
            "namespaced": true,
            "singularName": "",
            "storageVersionHash": "S6u1pOWzb84=",
            "verbs": [
                "create",
                "delete",
                "deletecollection",
                "get",
                "list",
                "patch",
                "update",
                "watch"
            ]
        },
        {
            "kind": "ServiceAccount",
            "name": "serviceaccounts",
            "namespaced": true,
            "shortNames": [
                "sa"
            ],
            "singularName": "",
            "storageVersionHash": "pbx9ZvyFpBE=",
            "verbs": [
                "create",
                "delete",
                "deletecollection",
                "get",
                "list",
                "patch",
                "update",
                "watch"
            ]
        },
        {
            "categories": [
                "all"
            ],
            "kind": "Service",
            "name": "services",
            "namespaced": true,
            "shortNames": [
                "svc"
            ],
            "singularName": "",
            "storageVersionHash": "0/CO1lhkEBI=",
            "verbs": [
                "create",
                "delete",
                "get",
                "list",
                "patch",
                "update",
                "watch"
            ]
        },
        {
            "kind": "ServiceProxyOptions",
            "name": "services/proxy",
            "namespaced": true,
            "singularName": "",
            "verbs": [
                "create",
                "delete",
                "get",
                "patch",
                "update"
            ]
        },
        {
            "kind": "Service",
            "name": "services/status",
            "namespaced": true,
            "singularName": "",
            "verbs": [
                "get",
                "patch",
                "update"
            ]
        }
    ]
}

 

The shortNames in the data above are why endpoints can also be queried as ep:

ps0107@k8smaster1:~/.kube/cache/discovery/k8smaster_6443$ kubectl get ep
NAME         ENDPOINTS         AGE
kubernetes   10.146.0.2:6443   2d13h

ps0107@k8smaster1:~/.kube/cache/discovery/k8smaster_6443$ python -m json.tool v1/serverresources.json | grep kind
    "kind": "APIResourceList",
            "kind": "Binding",
            "kind": "ComponentStatus",
            "kind": "ConfigMap",
            "kind": "Endpoints",
            "kind": "Event",
            "kind": "LimitRange",
            "kind": "Namespace",
            "kind": "Namespace",
            "kind": "Namespace",
            "kind": "Node",
            "kind": "NodeProxyOptions",
            "kind": "Node",
            "kind": "PersistentVolumeClaim",
            "kind": "PersistentVolumeClaim",
            "kind": "PersistentVolume",
            "kind": "PersistentVolume",
            "kind": "Pod",
            "kind": "PodAttachOptions",
            "kind": "Binding",
            "kind": "Eviction",
            "kind": "PodExecOptions",
            "kind": "Pod",
            "kind": "PodPortForwardOptions",
            "kind": "PodProxyOptions",
            "kind": "Pod",
            "kind": "PodTemplate",
            "kind": "ReplicationController",
            "kind": "Scale",
            "kind": "ReplicationController",
            "kind": "ResourceQuota",
            "kind": "ResourceQuota",
            "kind": "Secret",
            "kind": "ServiceAccount",
            "kind": "Service",
            "kind": "ServiceProxyOptions",
            "kind": "Service",

ps0107@k8smaster1:~/.kube/cache/discovery/k8smaster_6443$ python -m json.tool apps/v1beta1/serverresources.json | grep kind
    "kind": "APIResourceList",
            "kind": "ControllerRevision",
            "kind": "Deployment",
            "kind": "DeploymentRollback",
            "kind": "Scale",
            "kind": "Deployment",
            "kind": "StatefulSet",
            "kind": "Scale",
            "kind": "StatefulSet",
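An added example (not from the original page) that reads the discovery cache shown above and does what kubectl does with it: it resolves an alias such as ep or po through the shortNames, name and kind fields, and, since this data doubles as a map of the API surface, lists the pod subresources whose verbs allow more than reading. The serverresources.json content embedded in it is a subset of the v1 file printed above, written to a temporary directory; the function names are my own.

```python
"""Added example (not from the original page): read kubectl's discovery cache
(~/.kube/cache/discovery/<host>_<port>/<group>/<version>/serverresources.json),
resolve an alias the way `kubectl get ep` does, and list the subresources whose
verbs grant more than read access. Standard library only."""
import json
import os
import tempfile


def load_discovery_cache(cache_dir):
    """Return [(groupVersion, APIResourceList)] for every serverresources.json under cache_dir."""
    lists = []
    for root, _, files in os.walk(cache_dir):
        if "serverresources.json" in files:
            with open(os.path.join(root, "serverresources.json")) as f:
                doc = json.load(f)
            lists.append((doc.get("groupVersion", os.path.relpath(root, cache_dir)), doc))
    return sorted(lists, key=lambda item: item[0])


def resolve_resource(alias, resource_lists):
    """Map what the user typed (ep, endpoints, Endpoints, pod, po) to (groupVersion, resource).

    Like kubectl, match case-insensitively against the plural name, the shortNames, the
    singularName (when the server fills it in) and the Kind. Subresources such as
    pods/log are addressed as resource/sub, never by shortname, so they are skipped.
    """
    wanted = alias.lower()
    for gv, doc in resource_lists:
        for r in doc["resources"]:
            if "/" in r["name"]:
                continue
            names = {r["name"], r["kind"], r.get("singularName", "")} | set(r.get("shortNames", []))
            if wanted in {n.lower() for n in names if n}:
                return gv, r["name"]
    raise LookupError("no cached resource matches %r" % alias)


def writable_subresources(resource_lists, parent):
    """Subresources of `parent` whose verbs go beyond get/list/watch, with those verbs.

    For pods this returns exec, attach, portforward and proxy: a Role that grants `create`
    on pods/exec gives interactive access to containers even with no verbs on `pods`.
    """
    found = {}
    for _, doc in resource_lists:
        for r in doc["resources"]:
            if r["name"].startswith(parent + "/"):
                verbs = sorted(set(r["verbs"]) - {"get", "list", "watch"})
                if verbs:
                    found[r["name"]] = verbs
    return found


# Constructed subset of the v1 serverresources.json shown above (the fields kubectl matches on).
def _res(name, kind, verbs, short=None, namespaced=True):
    r = {"name": name, "singularName": "", "namespaced": namespaced, "kind": kind, "verbs": verbs}
    if short:
        r["shortNames"] = short
    return r


ALL = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
SAMPLE_V1 = {
    "kind": "APIResourceList", "apiVersion": "v1", "groupVersion": "v1",
    "resources": [
        _res("endpoints", "Endpoints", ALL, ["ep"]),
        _res("nodes", "Node", ALL, ["no"], namespaced=False),
        _res("nodes/proxy", "NodeProxyOptions", ["create", "delete", "get", "patch", "update"], namespaced=False),
        _res("pods", "Pod", ALL, ["po"]),
        _res("pods/attach", "PodAttachOptions", ["create", "get"]),
        _res("pods/exec", "PodExecOptions", ["create", "get"]),
        _res("pods/log", "Pod", ["get"]),
        _res("pods/portforward", "PodPortForwardOptions", ["create", "get"]),
        _res("pods/proxy", "PodProxyOptions", ["create", "delete", "get", "patch", "update"]),
        _res("secrets", "Secret", ALL),
    ],
}


def write_sample_cache():
    """Write SAMPLE_V1 to <tmp>/v1/serverresources.json, mirroring the real cache layout; returns <tmp>."""
    cache_dir = tempfile.mkdtemp(prefix="discovery-")
    os.makedirs(os.path.join(cache_dir, "v1"))
    with open(os.path.join(cache_dir, "v1", "serverresources.json"), "w") as f:
        json.dump(SAMPLE_V1, f)
    return cache_dir


def demo():
    """Load the sample cache and resolve a few aliases; returns (resolutions, pod subresources)."""
    lists = load_discovery_cache(write_sample_cache())
    resolved = {a: resolve_resource(a, lists) for a in ("ep", "Endpoints", "po", "secret")}
    return resolved, writable_subresources(lists, "pods")
```

Point load_discovery_cache at ~/.kube/cache/discovery/k8smaster_6443 to run it over the real cache; because the cache is just the API server's own discovery documents, the same functions answer "which subresources could a Role bound to this user reach" during an RBAC review.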

Delete the pod created with curl.

ps0107@k8smaster1:~/.kube/cache/discovery/k8smaster_6443$ kubectl delete po curlpod
pod "curlpod" deleted

Reference) Short hands-on labs for CKA preparation

01. Installation and setup using kubeadm
02. Adding and configuring Kubernetes cluster nodes
03. Deploying a simple application, YAML templates, exposing a service
04. CPU and memory constraints for a deployment
05. Setting resource limits for a namespace
06. Deploying a more complex deployment
07. Basic node maintenance
08. API AND ACCESS
09. API objects
10. Managing State with Deployments
11. Service Resource
12. Volumes and Data: a simple ConfigMap test
13. Creating a PV and PVC
14. Using ResourceQuota (limiting PVC count and usage)
15. Simple ingress lab
16. Scheduling: assigning pods with labels
17. Scheduling: managing pod placement with taints
18. Logging and troubleshooting: log locations and viewing log output
19. Logging and troubleshooting: metrics and dashboard
20. CRD (Custom Resource Definition)
21. helm
22. Security: TLS
23. Security: Authentication, Authorization, Admission
24. HA (High Availability) setup for master nodes