# Api-Server
Kubernetes operates mainly through the API server, and all communication with it goes over a REST API.
[API Overview](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/)
[Authorization Overview](https://kubernetes.io/docs/reference/access-authn-authz/authorization/)
[Managing Service Accounts](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#manual-secret-management-for-serviceaccounts)
[Secrets](https://kubernetes.io/docs/concepts/configuration/secret/#secret-types)
[Resource types](https://kubernetes.io/docs/reference/kubectl/#resource-types)
## ServiceAccount
To call the K8s API you need a Bearer Token.
To obtain that token and give it the right permissions, create a ServiceAccount and configure RBAC for it.
- ServiceAccount
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: kube-system
```
When the Secret's `type` is `kubernetes.io/service-account-token`, the annotation `kubernetes.io/service-account.name` is required and must match the ServiceAccount's name.
- Secret
```yaml
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: jenkins
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: "jenkins"
```
### RBAC
`<ip>:8443/apis` returns the APIs reachable with the current token.
`kubectl api-resources -o wide` shows what value belongs in each field of `rules`.
In practice it is more direct to check the [API Overview](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.29/) for the rules each API needs.
``` bash
NAME                SHORTNAMES   APIVERSION   NAMESPACED   KIND              VERBS                                                        CATEGORIES
bindings                         v1           true         Binding           create
componentstatuses   cs           v1           false        ComponentStatus   get,list
configmaps          cm           v1           true         ConfigMap         create,delete,deletecollection,get,list,patch,update,watch
endpoints           ep           v1           true         Endpoints         create,delete,deletecollection,get,list,patch,update,watch
events              ev           v1           true         Event             create,delete,deletecollection,get,list,patch,update,watch
limitranges         limits       v1           true         LimitRange        create,delete,deletecollection,get,list,patch,update,watch
```
NAME maps to `resources`; APIVERSION with the version removed maps to `apiGroups` (for the core `v1` group this is the empty string `""`).
`GET /api/v1/namespaces/{namespace}/pods/{name}/log`
Some APIs have subresources. For this URL, to access `log` you must put `pods/log` in `resources`.
``` yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-and-pod-logs-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list"]
```
Access can also be restricted to specific object names with `resourceNames`:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: configmap-updater
rules:
- apiGroups: [""]
  #
  # at the HTTP level, the name of the resource for accessing ConfigMap
  # objects is "configmaps"
  resources: ["configmaps"]
  resourceNames: ["my-configmap"]
  verbs: ["update", "get"]
```
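The mapping from an API path to `apiGroups`/`resources`/`verbs` described above, and the way `resourceNames` narrows a rule, as a worked example. This is added here and is not code from the original note or from Kubernetes; it is a simplified model of the RBAC authorizer (rules are additive, `*` wildcards, the `*/subresource` form). The two Roles are the ones from the note; the request paths and object names such as `web-0` are constructed for the example.

```python
"""Added example: derive RBAC rule fields from a Kubernetes REST path and
evaluate a Role's rules against the request the way the RBAC authorizer does.
Simplified model, not the Kubernetes implementation."""
from dataclasses import dataclass, field

# HTTP method -> RBAC verb for the unambiguous cases. GET and DELETE depend on
# whether the path names one object (get/delete) or a collection
# (list/deletecollection), and GET with ?watch=true is "watch".
METHOD_VERBS = {"POST": "create", "PUT": "update", "PATCH": "patch"}


@dataclass
class Request:
    api_group: str        # "" for the core group served under /api/v1
    resource: str         # "pods" or, with a subresource, "pods/log"
    verb: str
    name: str = ""        # empty for collection requests
    namespace: str = ""   # empty for cluster-scoped resources


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)


def path_to_request(method: str, url_path: str) -> Request:
    """Map e.g. GET /api/v1/namespaces/default/pods/web-0/log onto the
    attributes RBAC evaluates (group "", resource "pods/log", verb "get")."""
    path, _, query = url_path.partition("?")
    parts = [p for p in path.split("/") if p]
    if len(parts) >= 2 and parts[0] == "api":
        api_group, rest = "", parts[2:]          # /api/v1/...       -> core group ""
    elif len(parts) >= 3 and parts[0] == "apis":
        api_group, rest = parts[1], parts[3:]    # /apis/apps/v1/... -> "apps"
    else:
        raise ValueError(f"not a resource path: {url_path}")
    namespace = ""
    if len(rest) >= 3 and rest[0] == "namespaces":
        namespace, rest = rest[1], rest[2:]      # namespaced resource path
    if not rest:
        raise ValueError(f"no resource in path: {url_path}")
    resource = rest[0]
    name = rest[1] if len(rest) > 1 else ""
    subresource = rest[2] if len(rest) > 2 else ""
    combined = f"{resource}/{subresource}" if subresource else resource
    method = method.upper()
    if method == "GET":
        watching = "watch=true" in query.split("&")
        verb = "watch" if watching else ("get" if name else "list")
    elif method == "DELETE":
        verb = "delete" if name else "deletecollection"
    else:
        verb = METHOD_VERBS[method]
    return Request(api_group, combined, verb, name, namespace)


def _resource_matches(allowed: list, resource: str) -> bool:
    """'*' matches anything; otherwise exact match; '*/log' matches the 'log'
    subresource of any resource (the only wildcard form RBAC accepts)."""
    _, _, sub = resource.partition("/")
    for pattern in allowed:
        if pattern == "*" or pattern == resource:
            return True
        if sub and pattern == f"*/{sub}":
            return True
    return False


def rule_allows(rule: Rule, req: Request) -> bool:
    if "*" not in rule.api_groups and req.api_group not in rule.api_groups:
        return False
    if not _resource_matches(rule.resources, req.resource):
        return False
    if "*" not in rule.verbs and req.verb not in rule.verbs:
        return False
    if rule.resource_names:
        # A name restriction needs a named object: create and deletecollection
        # carry no name, so resourceNames can never grant them; plain list and
        # watch are treated the same way in this model.
        if not req.name or req.name not in rule.resource_names:
            return False
    return True


def authorize(rules: list, req: Request) -> bool:
    """Rules are purely additive: allowed if any rule matches. Namespace scope
    comes from the (Role)Binding, not from the rule itself."""
    return any(rule_allows(r, req) for r in rules)


# The two Roles from the note, expressed as rule lists.
POD_AND_POD_LOGS_READER = [Rule([""], ["pods", "pods/log"], ["get", "list"])]
CONFIGMAP_UPDATER = [Rule([""], ["configmaps"], ["update", "get"], ["my-configmap"])]

if __name__ == "__main__":
    checks = [  # constructed requests
        (POD_AND_POD_LOGS_READER, "GET", "/api/v1/namespaces/default/pods/web-0/log"),
        (POD_AND_POD_LOGS_READER, "POST", "/api/v1/namespaces/default/pods/web-0/exec"),
        (CONFIGMAP_UPDATER, "PUT", "/api/v1/namespaces/default/configmaps/my-configmap"),
        (CONFIGMAP_UPDATER, "PUT", "/api/v1/namespaces/default/configmaps/other"),
    ]
    for rules, method, path in checks:
        req = path_to_request(method, path)
        print(f"{method:6} {path:55} -> {req.verb:8} {req.resource:12} {authorize(rules, req)}")
```

The second check is the point of the subresource note: `pods` in `resources` does not cover `pods/exec` or `pods/log`, each subresource has to be listed (or matched with the `*/log` form). The last check shows why `resourceNames` cannot widen access to unnamed requests such as `create` or `list`: with no name on the request there is nothing for the restriction to match.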
- ClusterRole
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: jenkins-pod-create
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
```
- ClusterRoleBinding
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: jenkins-pod-create
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: kube-system
```