Accessing the Kubernetes API server with curl
Kubernetes is an entirely API-driven system. Exploring that API with a simple tool such as curl or Postman is a convenient way to learn what it offers before you build an application against it.
To talk to the Kubernetes API you need a ServiceAccount with the right permissions, granted through a (Cluster)Role and a RoleBinding, and you authenticate with that ServiceAccount's token.
Because all communication goes over TLS, you also need the cluster's CA certificate (ca.crt, usually self-signed) so curl can verify the API server. You could instead allow insecure connections (--insecure), but that is not recommended: with server verification disabled, the bearer token is handed to whoever manages to sit in the middle of the connection.
Create the ServiceAccount, ClusterRole and RoleBinding
Create the ServiceAccount
kubectl create serviceaccount api-explorer
Create a (Cluster)Role that grants access to the resources you need. I prefer ClusterRoles for roles that can be reused across the whole cluster. In this example I grant read access to pods and their logs, which the example use case below relies on. Keep the rule as narrow as the use case requires: read-only verbs on pods and pods/log, and nothing else.
cat <<EOF | kubectl create -f -
kind: ClusterRole
# rbac.authorization.k8s.io/v1 has been stable since Kubernetes 1.8;
# the v1beta1 version used originally was removed in Kubernetes 1.22.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: log-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "watch", "list"]
EOF
For reference, this is what the built-in admin ClusterRole grants (kubectl get clusterrole admin -oyaml). It is an aggregated role: the aggregationRule pulls in every ClusterRole labelled rbac.authorization.k8s.io/aggregate-to-admin=true, which is where a rule such as the argoproj.io one below comes from (Argo Workflows ships ClusterRoles carrying that label). Compare its breadth, including create/delete on secrets and access to pods/exec, with the narrow read-only log-reader role above.
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: "true"
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: admin
  resourceVersion: "3200959"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/admin
  uid: 7f726a32-7c59-11e9-964d-00163e32602b
rules:
- apiGroups:
  - argoproj.io
  resources:
  - workflows
  - workflows/finalizers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - authorization.k8s.io
  resources:
  - localsubjectaccessreviews
  verbs:
  - create
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
Bind the ClusterRole to the ServiceAccount in the current namespace (here, 'default'). Because this is a RoleBinding rather than a ClusterRoleBinding, the ServiceAccount receives the role's permissions only within that namespace.
kubectl create rolebinding api-explorer:log-reader --clusterrole log-reader --serviceaccount default:api-explorer
Get the Bearer token, certificate and API server URL
Fetch the token and the certificate from the ServiceAccount's Secret so they can be used in API requests; jq picks the fields out of the JSON. Set the SERVICE_ACCOUNT variable first. Note that since Kubernetes 1.24 a token Secret is no longer created automatically for each ServiceAccount, so on such clusters the SECRET lookup below comes back empty; request a short-lived token through the TokenRequest API (kubectl create token) instead, and take the CA certificate from your kubeconfig.
SERVICE_ACCOUNT=api-explorer
# Get the ServiceAccount's token Secret's name
SECRET=$(kubectl get serviceaccount ${SERVICE_ACCOUNT} -o json | jq -Mr '.secrets[].name | select(contains("token"))')
# Extract the Bearer token from the Secret and decode
TOKEN=$(kubectl get secret ${SECRET} -o json | jq -Mr '.data.token' | base64 -d)
# Extract, decode and write the ca.crt to a temporary location
kubectl get secret ${SECRET} -o json | jq -Mr '.data["ca.crt"]' | base64 -d > /tmp/ca.crt
# Get the API Server location
APISERVER=https://$(kubectl -n default get endpoints kubernetes --no-headers | awk '{ print $2 }')
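The steps above assume a ServiceAccount token Secret exists, which is no longer true by default on Kubernetes 1.24 and later, and they take the API server address from the kubernetes Endpoints object, which may be a cluster-internal IP. The script below is an added example and not part of the original post: it requests a token via kubectl create token and falls back to the legacy Secret, reads the API server URL and CA from the current kubeconfig context, decodes the token's JWT claims so you can confirm which ServiceAccount it belongs to before sending it anywhere, and checks the RBAC grant (and its least-privilege boundary) with kubectl auth can-i. The ServiceAccount name api-explorer and the namespace default come from the post; the sample token embedded at the bottom is constructed for the offline demonstration and carries no valid signature.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. The cluster-facing functions need
# a working kubectl context and only run when you pass "live"; the JWT helpers
# and the constructed SAMPLE_TOKEN work offline.
set -eu

# Bearer token for ServiceAccount $1 in namespace $2 (default: "default").
# Kubernetes 1.24+ no longer auto-creates a token Secret per ServiceAccount, so
# ask the TokenRequest API for a short-lived token first and fall back to the
# legacy Secret on older clusters.
sa_token() {
  local sa="$1" ns="${2:-default}" secret
  if kubectl -n "$ns" create token "$sa" --duration=1h 2>/dev/null; then
    return 0
  fi
  secret=$(kubectl -n "$ns" get serviceaccount "$sa" -o jsonpath='{.secrets[0].name}')
  kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d
}

# API server URL and CA bundle from the current kubeconfig context. The CA is
# what lets curl verify the server instead of resorting to --insecure.
apiserver_url() {
  kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
}
cluster_ca() {
  kubectl config view --raw --minify \
    -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d
}

# base64url (RFC 7515) helpers: JWT segments drop padding and use -_ for +/.
b64url_encode() { base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_decode() {
  local s="$1" pad
  pad=$(( (4 - ${#s} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do s="${s}="; pad=$((pad - 1)); done
  printf '%s' "$s" | tr '_-' '/+' | base64 -d
}

# JSON claims of a JWT (its second dot-separated segment). The signature is not
# checked here; only the API server can do that. This is for inspection only.
jwt_claims() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# One string claim by name, e.g. "sub" = system:serviceaccount:<ns>:<name>.
# A plain sed is enough for the compact JSON a JWT carries; jq is not required.
jwt_claim() {
  jwt_claims "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Constructed sample token (not a real credential): a header, the claims a
# ServiceAccount token carries, and a dummy third segment in place of a signature.
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:api-explorer","exp":4102444800}'
SAMPLE_TOKEN="$(printf '%s' '{"alg":"RS256","kid":"example"}' | b64url_encode).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url_encode).c2lnbmF0dXJl"
echo "sample token belongs to: $(jwt_claim "$SAMPLE_TOKEN" sub)"

# Live run against a real cluster: ./script.sh live
if [ "${1:-}" = "live" ]; then
  SA=api-explorer; NS=default
  TOKEN=$(sa_token "$SA" "$NS")
  echo "token belongs to: $(jwt_claim "$TOKEN" sub)"
  # Confirm the grant, then confirm the boundary (secrets should be "no").
  kubectl auth can-i list pods -n "$NS" --as "system:serviceaccount:$NS:$SA"
  kubectl auth can-i get secrets -n "$NS" --as "system:serviceaccount:$NS:$SA" || true
  cluster_ca > /tmp/ca.crt
  curl -s "$(apiserver_url)/api/v1/namespaces/$NS/pods" \
    --header "Authorization: Bearer $TOKEN" --cacert /tmp/ca.crt
fi
```

Decoding the claims before use is cheap and catches the most common mistake in this procedure: a token that belongs to a different ServiceAccount than you think (the sub claim is exactly the User string the API server will report in any 403).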
Accessing the API
Browse the API description via /openapi/v2:
curl -s $APISERVER/openapi/v2 --header "Authorization: Bearer $TOKEN" --cacert /tmp/ca.crt | less
Example: fetching pod logs
To fetch a pod's logs, first list all pods. Use jq to pull the names out of .items[].metadata.name:
curl -s $APISERVER/api/v1/namespaces/default/pods/ --header "Authorization: Bearer $TOKEN" --cacert /tmp/ca.crt | jq -rM '.items[].metadata.name'
Then fetch the log of a specific pod:
curl -s $APISERVER/api/v1/namespaces/default/pods/example-python-python-75f5b5dcff-zvwwx/log --header "Authorization: Bearer $TOKEN" --cacert /tmp/ca.crt
From here, the API documentation will take you further.
Troubleshooting
Sometimes, when you try curl in your own environment, you get a response like this:
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "namespace \"default\" is forbidden: User \"system:serviceaccount:default:default\" cannot get namespace/pods at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "name": "default",
    "kind": "namespace"
  },
  "code": 403
}
Clearly a permissions failure, but the Status object tells you more than that. The User it names is the identity the API server authenticated: system:serviceaccount:default:default, i.e. the token of the default ServiceAccount rather than api-explorer, so SERVICE_ACCOUNT or SECRET pointed at the wrong Secret. The resource "namespace/pods at the cluster scope" (details.kind "namespace", details.name "default") is how the API server parses a path of the form /api/v1/namespace/default/pods; the correct path is /api/v1/namespaces/default/pods. A wrong or missing ca.crt does not produce a 403: in that case curl refuses the TLS connection and prints a certificate error before any request is sent. So recheck both the token and the path, following the steps above for the ServiceAccount you intend to use. Also remember that kubectl get secret shows the data base64-encoded (encoding, not encryption: anyone who can read the Secret can read the token), while kubectl describe secret shows it decoded.
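As an added example that is not part of the original post, the following shell functions read the Status object the API server returns and turn it into a diagnosis, so a message like the one above is interpreted rather than guessed at: the code separates an authentication failure (401, the token itself was rejected) from an authorization failure (403, the token was accepted but RBAC denies the request), and the User quoted in a 403 is the identity to verify with kubectl auth can-i. The response bodies embedded below are constructed for the example: the 403 is the one shown above, the 401 body has the shape the API server returns for a missing or invalid token, and the PodList stands in for a successful response. Field extraction uses sed rather than jq so it runs anywhere.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: classify a Kubernetes API response
# body. Sample bodies below are constructed; nothing here contacts a cluster.
set -eu

# True when the body is a Status object (errors come back as kind Status).
is_status() { printf '%s\n' "$1" | grep -q '"kind": *"Status"'; }

# Top-level scalar field ($1) of body ($2): handles both the pretty-printed
# JSON the API server returns to curl and compact single-line JSON.
status_field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p" | head -n 1
}

# A 403 message quotes the authenticated identity as User \"...\" (JSON-escaped).
# That string is what the token actually carries, whatever you assumed.
status_user() {
  printf '%s\n' "$1" | sed -n 's/.*User \\"\([^\\]*\)\\".*/\1/p' | head -n 1
}

# Print a one-line diagnosis; exit status 0 ok, 1 authn failed, 2 authz failed, 3 other.
diagnose() {
  local body="$1" code user
  if ! is_status "$body"; then
    echo "ok: not a Status object, the request succeeded"
    return 0
  fi
  code=$(status_field code "$body")
  case "$code" in
    401)
      echo "401: token rejected (missing, malformed or expired); fetch it again and check the Authorization header"
      return 1 ;;
    403)
      user=$(status_user "$body")
      echo "403: authenticated as ${user:-unknown}; RBAC denies this verb/resource. Check: kubectl auth can-i <verb> <resource> -n <ns> --as ${user:-<user>}"
      return 2 ;;
    *)
      echo "${code:-?}: $(status_field reason "$body")"
      return 3 ;;
  esac
}

# Constructed sample bodies.
FORBIDDEN='{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "namespace \"default\" is forbidden: User \"system:serviceaccount:default:default\" cannot get namespace/pods at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "name": "default",
    "kind": "namespace"
  },
  "code": 403
}'
UNAUTHORIZED='{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}'
PODLIST='{"kind":"PodList","apiVersion":"v1","metadata":{},"items":[]}'

# Walk the samples. For a real request: body=$(curl -s ... ); diagnose "$body"
for body in "$PODLIST" "$UNAUTHORIZED" "$FORBIDDEN"; do
  diagnose "$body" || true
done
```

The 403 branch deliberately echoes the User back: if it is not the ServiceAccount you created the binding for, no amount of RBAC editing will help, and the fix is the token, not the role.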