Tags: kubernetes, kube-proxy, kube-apiserver

Can I query kube-apiserver from kube-proxy pod?


I've got no access to the kube-apiserver pod directly, but I do have access to a kube-proxy pod. Can I run `curl https://localhost:6443/healthz` as a health probe to kube-apiserver or something?


Solution

  • All the Pods can have access to the API Server: this is granted by the Service Account secret mounted in /var/run/secrets/kubernetes.io/serviceaccount/token.

    Before proceeding, you have to ensure your Pod is allowed to reach the API Server, i.e. not blocked by a NetworkPolicy: this requirement hasn't been mentioned in your question, so I'm assuming this is not the case.

    The said token is used to perform actions against the API Server, such as CRUD ops on those resources protected by RBAC.

    If you just need to check the healthiness of the API Server, you can cURL the API Server using the mounted CA public certificate in /var/run/secrets/kubernetes.io/serviceaccount/ca.pem and the environment variable KUBERNETES_SERVICE_HOST, already injected at runtime in your Pod and pointing to the API Server, as well as KUBERNETES_SERVICE_PORT, although 443 should be the default value.

    Example

    # kubectl run -it --image curlimages/curl curl --command -- sh
    If you don't see a command prompt, try pressing enter.
    / $ env | grep -i kubernetes
    KUBERNETES_SERVICE_PORT=443
    KUBERNETES_PORT=tcp://10.96.0.1:443
    KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
    KUBERNETES_PORT_443_TCP_PORT=443
    KUBERNETES_PORT_443_TCP_PROTO=tcp
    KUBERNETES_SERVICE_PORT_HTTPS=443
    KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
    KUBERNETES_SERVICE_HOST=10.96.0.1
    / $ curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_SERVICE_PORT/api \
        -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
    {
      "kind": "APIVersions",
      "versions": [
        "v1"
      ],
      "serverAddressByClientCIDRs": [
        {
          "clientCIDR": "0.0.0.0/0",
          "serverAddress": "172.20.0.2:6443"
        }
      ]
    }
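The same in-cluster access, as an added script that is not part of the answer above: it builds the API server URL from the injected environment variables, checks that the ServiceAccount mount is actually present, probes the health endpoints, and makes the authenticated `/api` call. It assumes curl is available (for example in the curlimages/curl image) and the default ServiceAccount volume path; `SA_DIR` is an assumed variable name for that path.

```shell
#!/bin/sh
# Added example, not part of the original answer: probe the API server from
# inside a Pod with the mounted ServiceAccount CA (and, when needed, token).
# Assumes curl is available (e.g. the curlimages/curl image) and the default
# ServiceAccount volume is mounted at SA_DIR (assumed variable name).
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# Base URL from the env vars the kubelet injects; the port defaults to 443.
apiserver_url() {
    printf 'https://%s:%s' "${KUBERNETES_SERVICE_HOST:?not set}" \
        "${KUBERNETES_SERVICE_PORT:-443}"
}

# Check the in-cluster credentials exist before using them, so a missing
# mount fails with a clear message rather than a misleading TLS or 401 error.
sa_files_ok() {
    [ -r "$SA_DIR/ca.crt" ] && [ -s "$SA_DIR/token" ]
}

# GET a path on the API server, verifying its certificate against the cluster CA.
# $1 = path, $2 = "auth" to send the ServiceAccount token. The token is passed
# via a curl config file on stdin so it never appears in the process arguments.
apiserver_get() {
    url="$(apiserver_url)$1"
    if [ "${2:-noauth}" = "auth" ]; then
        printf 'header = "Authorization: Bearer %s"\n' "$(cat "$SA_DIR/token")" |
            curl -sS --fail --cacert "$SA_DIR/ca.crt" -K - "$url"
    else
        curl -sS --fail --cacert "$SA_DIR/ca.crt" "$url"
    fi
}

# /healthz, /livez and /readyz answer with the literal body "ok" when healthy.
health_body_ok() { [ "$1" = "ok" ]; }

# Probe a health endpoint without the token: default RBAC grants these paths to
# unauthenticated clients (system:public-info-viewer), so the credential stays
# out of the request. Pass "auth" yourself if your cluster disables anonymous access.
health_check() {
    body="$(apiserver_get "$1")" && health_body_ok "$body"
}

# Stand-alone use inside a Pod: only runs when the in-cluster mount is present.
if sa_files_ok && [ -n "${KUBERNETES_SERVICE_HOST:-}" ]; then
    for p in /healthz /readyz; do
        if health_check "$p"; then echo "$p: ok"; else echo "$p: FAILED" >&2; fi
    done
    apiserver_get /api auth    # authenticated call, as in the answer above
else
    echo "no in-cluster ServiceAccount credentials found in $SA_DIR" >&2
fi
```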