A user outside of a Kubernetes cluster can utilize the Kubernetes API server proxy to connect to cluster IPs that would otherwise be unavailable. This, for example, enables access to a service that is only available within the cluster’s network. Between the user and the in-cluster endpoint, the apiserver works as a proxy and a bastion.

We ran the instructions in this article on Ubuntu 20.04, and you can follow along on the same system. To run Kubernetes on Linux, you must also install a Minikube cluster on your computer. Minikube makes it easy to test commands and programs in a methodical manner, so it provides the finest Kubernetes learning experience for newcomers. The minikube cluster must be started first. In Ubuntu 20.04, open a command line terminal, either by pressing the Ctrl+Alt+T shortcut or by typing “Terminal” into the system’s search box. Then type “minikube start” into the terminal to start minikube. A virtual machine capable of running a single-node cluster is built, and the Kubernetes cluster is then launched. Minikube also works with kubectl, which is what we will use first to communicate with the cluster.


To get access to a cluster, you need to know where it is located and which credentials it requires. This is usually set up automatically when you follow a getting-started guide, or when someone else sets up the cluster and gives you the credentials and location. The kubectl config view command shows the location and credentials that kubectl knows about.


How to Directly Access the REST API?

Kubectl is in charge of finding and authenticating with the apiserver. The first option is to run kubectl in proxy mode:

  • It is the recommended method.
  • The stored apiserver location is used.
  • The apiserver is authenticated.
  • Intelligent client-side load balancing and failover may be achievable in the future.

The second option is to provide the location and credentials directly to the HTTP client:

  • It is an alternative technique.
  • Works with some client code that gets confused when a proxy is used.
  • To guard against MITM, you’ll need to import a root certificate into your browser.

Using Kubectl Proxy

The following command runs kubectl as a reverse proxy. It is in charge of locating and authenticating with the apiserver. For example:

$ kubectl proxy --port=8080


An example of the output is as follows:

[Screenshot: output of the command]
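Because kubectl proxy attaches your credentials to every request it forwards, anyone who can reach its listening port acts on the cluster as you. The following added example (not code from the original article) audits a kubectl proxy command line for settings that widen that exposure. The `--address`, `--accept-hosts` and `--disable-filter` flags are kubectl proxy options the article does not cover; the function names and sample commands are constructed for illustration.

```python
import ipaddress
import shlex

BOOL_FLAGS = {"disable-filter"}
# kubectl proxy defaults: listen on loopback, accept only local Host headers.
DEFAULTS = {
    "address": "127.0.0.1",
    "accept-hosts": r"^localhost$,^127\.0\.0\.1$,^\[::1\]$",
    "disable-filter": "false",
}


def parse_flags(cmdline):
    """Collect --name=value and --name value flags, starting from the defaults."""
    opts = dict(DEFAULTS)
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if not arg.startswith("--"):
            continue
        name, has_value, value = arg[2:].partition("=")
        if not has_value:
            nxt = args[i + 1] if i + 1 < len(args) else ""
            # A bare flag (boolean, or followed by another flag) means "true".
            bare = name in BOOL_FLAGS or not nxt or nxt.startswith("-")
            value = "true" if bare else nxt
        opts[name] = value
    return opts


def is_loopback(address):
    """True for 127.0.0.0/8, ::1 and the name localhost."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return address == "localhost"


def audit_proxy_command(cmdline):
    """Return findings; an empty list means the default level of exposure."""
    opts = parse_flags(cmdline)
    findings = []
    if not is_loopback(opts["address"]):
        findings.append(f"listens on {opts['address']}: reachable beyond this host")
    if opts["disable-filter"].lower() == "true":
        findings.append("request filtering is disabled")
    if opts["accept-hosts"] != DEFAULTS["accept-hosts"]:
        findings.append(f"Host allow-list changed to {opts['accept-hosts']}")
    return findings
```

The command used in this article, `kubectl proxy --port=8080`, produces no findings because it keeps the loopback address and the default filters.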

Without the Use of Kubectl Proxy

To acquire the default service account token, run kubectl describe secret… with grep/cut.

$ kubectl describe secret


Programmatic Access to the API

Kubernetes now supports Go and Python client libraries. Both the Go client and the Python client can use the same kubeconfig file as the kubectl CLI to locate and authenticate with the apiserver.

Access the API from a Pod

When contacting the API from a pod, the process of finding and authenticating with the apiserver differs slightly. The best way to locate the apiserver from within the pod is to use the kubernetes.default.svc DNS name. It resolves to a Service IP, which in turn is routed to an apiserver.

Using a service account credential is the suggested way to authenticate to the apiserver. A token for that service account is kept in the filesystem tree of the container in that pod. A certificate bundle is placed in the filesystem tree of each container at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, if available, and should be used to verify the apiserver’s serving certificate.

Finally, in each container, the default namespace for namespaced API operations is stored in a file at /var/run/secrets/kubernetes.io/serviceaccount/namespace. Here are some options for connecting to the API from within a pod:

Run kubectl proxy as a background process in the container or as a pod sidecar container. This allows other processes in any of the pod’s containers to access the Kubernetes API using the pod’s localhost interface.

Use the Go client library and create a client with the InClusterConfig() and NewForConfig() functions. They are in charge of finding and authenticating with the apiserver.
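The in-pod lookup described above (service account token, CA bundle and namespace file) can also be done by hand. This added example is not code from the original article; it uses only the Python standard library and does not fall back to unverified TLS when the CA bundle is missing. The token file name `token` inside the service account directory and all function names are assumptions not stated in the article.

```python
import ssl
import urllib.request
from pathlib import Path

SA_DIR = Path("/var/run/secrets/kubernetes.io/serviceaccount")
API_HOST = "https://kubernetes.default.svc"


def load_credentials(sa_dir=SA_DIR):
    """Read the token, namespace and CA bundle path mounted into the container."""
    sa_dir = Path(sa_dir)
    ca_path = sa_dir / "ca.crt"
    if not ca_path.is_file():
        # Stop here instead of talking to an apiserver we cannot verify.
        raise FileNotFoundError(f"no CA bundle at {ca_path}")
    token = (sa_dir / "token").read_text().strip()
    if not token:
        raise ValueError("service account token is empty")
    namespace = (sa_dir / "namespace").read_text().strip()
    return {"token": token, "namespace": namespace, "ca_path": ca_path}


def build_request(creds, resource="pods"):
    """Build a GET for a namespaced resource with the bearer token attached."""
    url = f"{API_HOST}/api/v1/namespaces/{creds['namespace']}/{resource}"
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {creds['token']}"})


def tls_context(creds):
    """TLS context that trusts only the cluster CA and checks the hostname."""
    return ssl.create_default_context(cafile=str(creds["ca_path"]))


def list_resource(resource="pods", sa_dir=SA_DIR):
    """Send the request and return the raw JSON body; works only inside a pod."""
    creds = load_credentials(sa_dir)
    req = build_request(creds, resource)
    with urllib.request.urlopen(req, context=tls_context(creds), timeout=10) as resp:
        return resp.read()
```

Inside a pod, `list_resource("pods")` returns the pod list for the pod's own namespace, provided the service account is permitted to list pods.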

Conclusion

Here we have provided guidelines on kubectl proxy: what the kubectl config view command is, and how you can access the REST API with and without kubectl proxy. We have also provided examples to help you understand the concept better.

About the author


Kalsoom Bibi

Hello, I am a freelance writer and usually write for Linux and other technology-related content.