Improve "authenticating to k8s api from a pod" docs #6259
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
Deploy preview ready! Built with commit 5fc5733 https://deploy-preview-6259--kubernetes-io-master-staging.netlify.com |
There was a problem hiding this comment.
This definitely clarifies that client libraries are preferred much better.
I personally still strongly believe that the release process should be amended to produce a kubectl container image if kubectl proxy is going to remain as the recommended way to talk to the API from pods for languages without an official client, but I don't think that should get in the way of making this change.
|
@clhodapp I have a discussion about it at https://groups.google.com/d/msg/kubernetes-sig-cli/yUkt_ZkAAY0/WQ3NVRLyCwAJ feel free to participate if you support the idea we should have a kubectl-only image. |
|
@ahmetb FYI, the Travis CI error has been fixed. Please rebase or update your branch. Thx! |
|
Rebased. |
| - use the Go client library, and create a client using the `rest.InClusterConfig()` and `kubernetes.NewForConfig()` functions. | ||
| They handle locating and authenticating to the apiserver. [example](https://git.k8s.io/client-go/examples/in-cluster-client-configuration/main.go) | ||
| - if you would like to query the API without an official client library, you can run `kubectl proxy` | ||
| as one of the containers in the pod (i.e. sidecar container), or as a background process within a container. |
There was a problem hiding this comment.
or:
as the [command](/docs/tasks/inject-data-application/define-command-argument-container/) for a container
``
There was a problem hiding this comment.
actually rephrasing this to remove "background process" recommendation and just saying sidecar proxy with kubectl proxy as the command.
Helps with kubernetes/kubernetes#22121. Also removing kubectl-container example as it's staged for removal and not very useful. Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
| will be routed to an apiserver. | ||
| The easiest way to use the Kubernetes API from a Pod is to use | ||
| one of the official [client libraries](/docs/reference/client-libraries/). These | ||
| libraries can automatically discover the apiserver and authenticate automatically. | ||
|
|
There was a problem hiding this comment.
I don't think you need the second "automatically".
... can automatically discover the API server and authenticate.
| The recommended way to authenticate to the apiserver is with a | ||
| [service account](/docs/user-guide/service-accounts) credential. By kube-system, a pod | ||
| While running in a Pod, the Kubernetes apiserver is accessible via a Service named | ||
| `kubernetes` in the `default` namespace. Therefore, Pods can use the |
There was a problem hiding this comment.
the apiserver -> the API server (several instances)
There was a problem hiding this comment.
We currently don't have guidance on what it should be, hence my confusion.
https://www.google.com/search?q=site%3Akubernetes.io+"apiserver"&oq=site%3Akubernetes.io+"apiserver"
apiserver is indeed a Kubernetes term and it refers to the kube-apiserver component, but in this case I think we're trying to say "the API server"
| as the [command](/docs/tasks/inject-data-application/define-command-argument-container/) | ||
| of a new sidecar container in the Pod. This way, `kubectl proxy` will authenticate | ||
| to the API and expose it on the `localhost` interface of the Pod, so that other containers | ||
| in the Pod can use it directly. |
There was a problem hiding this comment.
Start bullet items with caps.
- Use one ...
- If you would like ...
|
|
||
| - use one of the official [client libraries](/docs/reference/client-libraries/) | ||
| as they handle API host discovery and authentication out of the box. | ||
| For Go client, the `rest.InClusterConfig()` function assists with this. |
There was a problem hiding this comment.
out of the box -> automatically
For Go client -> For the Go client
Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>
|
@ahmetb Are you ready for me to merge this? |
Helps with kubernetes/kubernetes#22121.
Also removing the link to kubectl-container example which is staged for removal.
This change is