Giriş
API Server master node üzerinde çalışır. Açıklaması şöyle
How can Kubernetes APIs be secured?Kubernetes API security approaches include:- Use the correct authorization mode with the API server- Use API authentication
- Ensure that TLS protects all incoming traffic- Use authorization-mode=Webhook to make kubeless protect the API- Use restrictive RBAC role policy on the kube-dashboard- Remove any default service account permissions
Açıklaması şöyle. Dışarıdan herhangi bir istek geldiğinde API server doğrulama yapar. Ayrıca etcd ile etkileşimde bulunan tek bileşen budur
The API Server provides APIs to support lifecycle orchestration (scaling, updates, and so on) for different types of applications. It also acts as the gateway to the cluster, so the API server must be accessible by clients from outside the cluster.
1. "kubectl komutu" API Server ile REST çağrısı kullanarak haberleşir. Şeklen şöyle
2. API Server aldığı yaml içeriğini etcd sunucusuna kaydeder. Tüm akış şöyle
1. User declares what he/she wants and passes that to K8S using kubectl command. We all know that API-Server is the only component that can talk to user, master node other components and worker nodes.2. kubectl interacts with API-Server and generates a manifest (we can say a description of user wants).3. This manifest is written in ETCD (key-value database and single source of truth) by API-Server.4. As soon as there is something in ETCD, controller manager wakes up and respond according to the requirement. For deployment, a Deployment controller wakes up and check the requirement. It says replica is needed so, it’ll create a replica set (a bunch of item that goes into the pods) and goes to sleep.5. Now, the controller responsible for replica take its turn and create 3 replicas of pod. The pods details get stored in ETCD.6. Schedular wakes up and sees that there are pending pods without any nodes assigned. So, it will assign the nodes and goes to sleep.7. kubelet (on worker node) asks API-Server whether it has something for them? Now nodes has been assigned to pods kubelet will pull the image, networking and response back to API-Server that pods are running and API-Server writes the update to ETCD.
API Server Bileşenleri
1. HTTP Module
Açıklaması şöyle
1. This is nothing more than a regular web server.
2. Once the API receives the requests, it has to make sure that:- You have access to the cluster (authentication).
- You can create, delete, list, etc. resources (authorization).
3. This is the part where the RBAC rules are evaluated.
2. Mutation Admission Controller Module
Açıklaması şöyle
This component is in charge of looking at your YAML and modifying it.3. Validation Admission Controller Module
Does your Pod have an image pull policy?
- If not, the admission controller will add “Always” for you.
Is the resource a Pod?-It sets the default Service Account (if none is set).
- Adds a volume with the token.
And more!
Açıklaması şöyle. Yani bazı mantıksal kontroller yapılıyor
Are you trying to deploy more resources than your quota?Kubernetes API Server Extension Points
The controller will prevent that too.
Mutation Admission Controller ve Validation Admission Controller noktalarına hook veya extension takılabiliyor. Şeklen şöyle.
Metrics API
Açıklaması şöyle
You can add your own APIs and register them with Kubernetes.An excellent example of that is the metrics API server.The metrics API server registers itself with the API and exposes extra API endpoints.
Şeklen şöyle
Hiç yorum yok:
Yorum Gönder