Skip to content

Files

Latest commit

 

History

History
70 lines (48 loc) · 2.47 KB

Ch05.md

File metadata and controls

70 lines (48 loc) · 2.47 KB

Chapter 5. APIs and Access

  • Namespaces
  • Versions: alpha, beta and stable

The entiere Kubernetes architecture is API-driven, the main agent for communication (internal and external) is the Kubernetes-apiserver. There are API groups that may have multiple versions and follow a domain-name format with reserved names such as the empty group and names ending in .k8s.io.

View the API groups with a curl query:

$ curl https://127.0.0.1:6443/apis -k
....
    {
      "name": "apps",
      "versions": [
        {
          "groupVersion": "apps/v1beta1",
          "version": "v1beta1" 
        },
        {
          "groupVersion": "apps/v1beta2",  
          "version": "v1beta2"
        } 
      ], 
     },
....

Make the API calls with kubectl (recommended) or use curl or other program providing the certificates, keys, and JSON string or file when required.

curl --cert userbob.pem \
  --key userBob-key.pem \ 
  --cacert /path/to/ca.pem \
  https://k8sServer:6443/api/v1/pods

It's important to check authorizations. Use kubectl to check authorizations as administrator and as a regular user (i.e. bob) in different namespaces:

$ kubectl auth can-i create deployments
yes

$ kubectl auth can-i create deployments --as bob
no

$ kubectl auth can-i create deployments --as bob --namespace developer
yes

There are 3 APIs which can be applied to set who and what can be queried:

  • SelfSubjectAccessView: Access view for any user, useful for delegating to others.
  • LocalSubjectAccessReview: Review is restricted to a specific namespace
  • SelfSubjectRulesReview: A review shows allied actions for a user in a namespace

The use of reconcile allows a check of authorization necessary to create an object from a file. No output means the creation would be allowed.

As mentioned before the serialization for API calls must be JSON, all files in YAML are converted to and from JSON.

The value of resourceVersion is used to determine API updates and implement optimistic concurrency which means an object is not locked from the rime it has been read until the object is written.

The resourceVersion is backed via the modifiedIndex parameter in etc and it's unique to the namespace, kind and server. The operations that do not modifiy an object such as WATCH and GET, do not modify this value.

Annotations allow to add metadata to an object, they are key to value maps. Annotations can store more information and in human-readable format, labels are not.