利用kubeconfig文件生成证书，用curl命令访问Kubernetes API server

kubectl 通过访问 Kubernetes API 来执行命令。我们也可以通过对应的TLS key， 使用curl 或是 golang client做同样的事。

API 请求必须使用 JSON 格式来发送。 kubectl 的作用是将 .yaml 转换为 JSON 格式进行 API 请求。

配置 TLS 连接

1、我们从查看 kubectl 的配置文件开始，需要：三个证书和 API server 的地址：

[root@master work]# cat /root/.kube/config 
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpN21jRHpST1dSaXAKMUU3NkYwOFIvdFV6L0kzWE5XcmU4ZEpsNjlUVnhieGdsZHJhQ0V4UC93VVBaTCtJK3NOMGRBMWFtMHRLVzJJKwpVZ21ISi9aU2dIbjUvUTFNZlpCakh0VUFqTDV2VmdSSzRZV05wVnpqK1JCd0YwNWduTUF4TTVCcWRmcEZ2aGI1CkJCRThIUk9xanJIZi82QTdKN2JwTTArMXlBQmZXMGpjcERZcTlsVnRxczU3ZTl4dVdVb2Y1WENPNyszZG5KQXgKa0dxWHNxN1Z1UmsyaUM4TWZBMk9mT3M5RmdNeFpOYk1UcHZZajZ4N3JjM21NTWh5VVQwdktOaTVXanR1UG53eAptd01yeEJqRjhqOUkybVZNZUJzQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFJTlc5Y0Ewc0tubm16UmVXTTFMWVhZRWRGWjEKNjIwcUVVeWs0VHV2MmxvZzlWcEtLTzhKOG5iOXdjRVcrWFB2NWYyYmtNbUtsTmxaYzJFOEIzOWloU2NiZzBmQgp4QmdpejAwYmxxMXRNNjBCTmc3d2UwM3ZnOFRlZ1hvZGRkTzd3djB6ZXo3U0tGYmg0d2VCRnN4TFNaWGtwL1VQCkNkc2s4ZllKSG1ZbVhlZ1kvTS9vWTl2OHdlVEgzRXpuWEgxY1RxaytkOVdlUWF3aHVYV3UrVC8zL0Q3dmRQYksKeUNtY3BrdmlCZUlHQXVwR0pDN0JTVzFUb05ra3h2bXRsQVZnYlVmdlh3U0srVDVHZGd0Z2lETGUzSkdHbTM1egpLVHBqWlBWL0lxYzZra1BZNFF1R3FqcFQvelMzaTNrdWI0THlBU1FjZHVNc1hUdG8zTVdmdkZxUWRGST0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    server: https://172.21.0.15:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUM4akNDQWRxZ0F3SUJBZ0lJR1VLN08xdUFIREF3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB4T1RFeU1ETXdOekEzTXpSYUZ3MHlNREV5TURJd056QTNNemhhTURReApGekFWQmdOVkJBb1REbk41YzNSbGJUcHRZWE4wWlhKek1Sa3dGd1lEVlFRREV4QnJkV0psY201bGRHVnpMV0ZrCmJXbHVNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQWZoNUl4bndrMHRrdXdabUdnMVU2ckJ4VDgxU0RYbFgvd1kKSGEzU1BWUk9HaElURXFYS08wT09Ia3BkbEpDeGpJUm50Y005UHlybnBXK0NPVlNwb1JQSUpoLzdLWHZKTytDeApDaGk0eXlxc2pxbzE5WHlSUUNoZ2hpNnJHTnFETlVhTVd1STBOM1VUeEh2L3ozQkg2QWdIOVNvL2RKRmZXQnlkCmJzQXUrd0lEQVFBQm95Y3dKVEFPQmdOVkhROEJBZjhFQkFNQ0JhQXdFd1lEVlIwbEJBd3dDZ1lJS3dZQkJRVUgKQXdJd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFHTHdDVDloOGtGdHlwazhvNFM4R2pSb0xkSzZLZmhiTXhBZgowVHp3ZlBjVTlaNktyTTZIMmRtZHFGTnk2SHlrbkxWMjd2VjNtbDJ2VXVCaHpuWTJUeFF2YmFNN2drNCtVaERLCnUyY1FjQS9SaEkrYk13T0swZkFYR1RCdmxzZUJuNU1oYzNRMEthTVZURmpGbVIyRFBHaEVZLzN4L3NRbUZHRDIKN0dXUnhEcEZBSWhzUmxjR3RhR2pKdExZTEt0VU1OdlYyVVUyeThXa3NmZ1VJWVpIQXhkajM0UDV1MDQ2eE1lZQpZVlZvQXdsb0QrcjBoT0VKTEtaMi9GRjFOcm51U2xDYVoyYTVFdWFHbzM3TjBBcXVaRGMyS3hYd0N5aUc0K0ppClg2NkNqZjlObFk3ZkNQV1gzY3R0UXg2UUY1bGlTZ2NzYmVpUW9sR2ZwSXRQZ2JtY1Y2WT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
    client-key-data: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFb3dJQkFBS0NBUUVBeFM4LzlBVHZlOGxubU5saTNOTWRYN3dUSDBTRmdBQSsvMnZJNVZTMzFKbEVxY3JpCkF0Y1ZZekh2QVpqNURjaE16Z214NWxvMk5kRElNYytqVW12dFFUWHl1em8vOU1HdUp4dEZqTzZVcUZ6YWxUeGkKQkV5Z2ZDU3VISzlXQ1kyNmNJQm1jUjZDaEtoMWl0MHFZblFHbW9seklRV1dhaGYwcWQ4Yk9wcUJzMnZLcWVmaAo1SXhud2swdGt1d1ptR2cxVTZyQnhUODFTRFhsWC93tMXN3RkJBZGZoYnltQ1dmdXkyZG5HY2pac0xJTDFZeGdJcwpKTCtHUU5HU2FNMEQ3bVJYUGdKYnhBblpLZ2V5STFjU1VhTStER0krc3MzcXIvWGU3aDk3YTd1dUdUaWVYcllECnF0d29IK2pCc0J1ZFEyRS80MjB1a3RzUGhqZWZLRWVkbVFaR2JtNC9JWVp3U0xoNWdjNUpBNHNDZ1lFQTRHWUcKUGlNTnVmRjVpZHAvZWNZd25mZmIvR2dmNEVkWHF4cFJTQzZIWjE2OFNGK0JyclFKZWN2RDIva3RWUG52L2JHZgp2N3RWbXduNDhKYlRlYjJCczdIODV6VlAyR0RhYkJPeTBQbGRoSjNpc1ozY1p3L21rWG1QQkNjNEJJOHFKSUl1CmxGM1EyVDJUWThNeXVXM1NEdmFCYWpwaUNuazZOa3pydTFwME1GRUNnWUVBcUhTRm9ZTm5jUjBxVXNMS1VYUkMKRFIzTHQ4djlTT2JkckR5dFFyTS9iaGRkMU8yV0xlbHdqekJSWS9iTWNlaWMrZ2R3QVlLWW40eFVjSklFeDB3cgo3ckNWQlljSXRyTlcvTi9kU21xTzdSVkZnYU9SalJFMlc5dXp2SGw3bWRxRUFQSXhlcWpIU0xmOHZ5Q2w4ZTczClNLR1hXcGo2YzZ1T0tCYmsvdHl3ZHBNQ2dZQkdEOVMzSmQ2dFJiVzYwdHVtTzdrR09WTVlGYktPSmZnN1ZmWTIKNFVBcGlDeWxOQnliWFY3d0JpemF5NHZaMGtlYUlCRk9uY0QyclVCcWJjME5YNXZWYlNjWFVVL2lzU3JCUDgwKwo3ZnpDNFVEY1QvdDJ1a0kwL1kwbnNNOE9yVnh0RmJCUlpwRkVvck1ZSE9RRGZVUnVvNHg0akUzOEV5bVh0cUNMCldJeWFZUUtCZ0Izd3lhZXArWEU2ZlFiR2l6bzV2T0lhMXZkdzhSRFZLbHVMYUg0L0xLRjg4OVEySkt4a014WjEKckxjNVNHN295VVlhZmZZK2J3aGVYMDRpQldPaVFVRnhHZmFkQll3eWZjK3BGRUNGVW1YdFNuZGMzQmNBVCs2Lwp3dnVJNHdDTTgrYysrem53YURXZ3dUeUxTQllaVzFwSkRyTGRHcDROUENlNGNPNjZLVnVXCi0tLS0tRU5EIFJTQSBQUklWQVRFIEtFWS0tLS0tCg==

2、我们将会把证书设为环境变量。在设置时候请检查每一个参数。我们从 client-certificate-data 开始。

export clientcert=$(grep client-cert ~/.kube/config |cut -d" " -f 6)
echo $clientcert

3、使用类似的命令将 client-key-data 保存为环境变量

export clientkey=$(grep client-key-data ~/.kube/config |cut -d" " -f 6)
echo $clientkey

4、然后是 certificate-authority-data

export certauth=$(grep certificate-authority-data ~/.kube/config |cut -d" " -f 6)
echo $certauth

5、加密这些变量，供 curl 使用：

[root@master k8s-cert]# echo $clientcert | base64 -d > ./client.pem
[root@master k8s-cert]# echo $clientkey | base64 -d > ./client-key.pem
[root@master k8s-cert]# echo $certauth | base64 -d > ./ca.pem

6、从配置文件中读取 server 地址：

kubectl config view |grep server
server: https://172.21.0.15:6443

7、使用 curl 和刚刚加密的密钥文件来访问 API server：

curl --cert ./client.pem --key ./client-key.pem --cacert ./ca.pem https://172.21.0.15:6443/api/v1/pods