k8s_cluster_communication

Understanding Kubernetes Cluster Communication

This guide explores the communication pathways between key Kubernetes components, focusing on how the API server, etcd, and kubelet interact. We'll inspect configurations and use curl with appropriate credentials to query these components directly.

(Note: The configurations and specific IPs/hostnames shown are from a particular kubeadm setup. Your paths, IPs, and certificate details might vary. The Kubernetes versions (e.g., API server v1.18.3, etcd 3.4.3-0) are older; concepts are similar, but flags or API paths might differ in newer versions.)

1. API Server Communication

The Kubernetes API server is the central hub for all cluster operations. Control plane components and kubectl interact with it.

1.1 Inspecting API Server Configuration (Master Node)

On a master node set up by kubeadm, the API server runs as a static pod defined by a manifest typically found in /etc/kubernetes/manifests/.

Locate and view the API server manifest:

cd /etc/kubernetes/manifests
sudo cat ./kube-apiserver.yaml

Below is an example snippet of such a manifest (details will vary):

apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.10.2.78:6443 # Example IP
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.10.2.78 # Example IP
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    # ... many other flags ...
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: k8s.gcr.io/kube-apiserver:v1.18.3 # Example version
    # ... probes, volumeMounts, etc. ...
  hostNetwork: true
  # ... volumes ...
status: {}

This manifest shows how the API server is configured, including network ports, certificate paths, and communication with etcd.

1.2 Querying API Server Endpoints from the Host

You can use curl to interact with the API server directly.

Set your Master IP:

export MASTER_IP=<your_k8s_master_ip_or_hostname>
# e.g., export MASTER_IP=10.10.2.78 from the example manifest

Basic Unauthenticated Queries (Health Checks): Some endpoints like /healthz, /livez, /readyz might be accessible (or partially accessible) without full authentication for health checking. The -k or --insecure flag for curl is used here to bypass TLS certificate verification if you don't specify a CA (common for self-signed certs).
```
curl -kv "https://$MASTER_IP:6443/api/v1/" # Might require auth
curl -kv "https://$MASTER_IP:6443/version"
curl -kv "https://$MASTER_IP:6443/healthz"
# ... and other similar endpoints
```
Authenticated Query using Client Certificates: To access most API endpoints, you need to authenticate. One way is using client certificates that the API server trusts (e.g., those used by kubelet or an admin user). The paths to these certificates are often found in kubeconfig files or component configurations. This example uses the apiserver-kubelet-client certificates:
```
sudo curl --cacert /etc/kubernetes/pki/ca.crt \
           --key /etc/kubernetes/pki/apiserver-kubelet-client.key \
           --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt \
           "https://$MASTER_IP:6443"
```
This should return a JSON response listing available API paths, for example:
```
{
  "paths": [
    "/api",
    "/api/v1",
    "/apis",
    // ... many more paths ...
    "/version"
  ]
}
```
(The extensive JSON output from the original doc is represented by this snippet.)

2. etcd Communication (Master Node)

etcd is the distributed key-value store used by Kubernetes for all cluster data. The API server is its primary client.

2.1 Inspecting etcd Configuration

Like the API server, etcd often runs as a static pod on master nodes in a kubeadm setup.

cd /etc/kubernetes/manifests
sudo cat etcd.yaml

Example etcd.yaml snippet:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/etcd.advertise-client-urls: https://10.10.2.78:2379 # Example IP
  labels:
    component: etcd
    tier: control-plane
  name: etcd
  namespace: kube-system
spec:
  containers:
  - command:
    - etcd
    - --advertise-client-urls=https://10.10.2.78:2379 # Example IP
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --client-cert-auth=true
    - --data-dir=/var/lib/etcd
    # ... many other flags ...
    - --listen-client-urls=https://127.0.0.1:2379,https://10.10.2.78:2379 # Example IP
    image: k8s.gcr.io/etcd:3.4.3-0 # Example version
    # ... livenessProbe, volumeMounts ...
  hostNetwork: true
  # ... volumes ...
status: {}

This shows etcd's configuration, including its client and peer ports, and certificate paths.

2.2 Interacting with etcd using `etcdctl`

etcdctl is the command-line client for etcd.

Obtain etcdctl: If not already installed on the master node, you can copy it from the etcd container.

# First, find your etcd pod name
ETCD_POD=$(sudo kubectl get pod -n kube-system -l component=etcd -o jsonpath='{.items[0].metadata.name}')
echo "Found etcd pod: $ETCD_POD"

# Copy etcdctl from the pod (adjust path if needed for your etcd version/image)
sudo kubectl cp "${ETCD_POD}:/usr/local/bin/etcdctl" /home/ubuntu/etcdctl -n kube-system
cd /home/ubuntu/ # Or any other preferred location
sudo chmod +x ./etcdctl
./etcdctl version # Verify, might need sudo for some versions if accessing system paths

(Added command to get etcd pod name. Used sudo kubectl for consistency. Changed chmod 700 to +x.)

Set API Version: etcd v3 uses API version 3.
```
export ETCDCTL_API=3
```

Query etcd: Commands require specifying endpoints and credentials (certificates) which are defined in the etcd.yaml manifest.

Check endpoint status:

sudo ./etcdctl --endpoints=https://127.0.0.1:2379 \
  --cacert /etc/kubernetes/pki/etcd/ca.crt \
  --cert /etc/kubernetes/pki/etcd/peer.crt \
  --key /etc/kubernetes/pki/etcd/peer.key \
  endpoint status

(Note: The original used server.crt and server.key for etcdctl. Often, peer.crt/key or specific client certs are used for etcdctl if different from server certs. For simplicity, if server.crt is also a client cert, it can work. Using peer.crt/key as an example here, assuming they might be more appropriate for client auth to etcd.)

List all keys (use with caution on large clusters):

sudo ./etcdctl --endpoints=https://127.0.0.1:2379 \
  --cacert /etc/kubernetes/pki/etcd/ca.crt \
  --cert /etc/kubernetes/pki/etcd/peer.crt \
  --key /etc/kubernetes/pki/etcd/peer.key \
  get / --prefix --keys-only

Get specific keys (example paths, these will vary):

# Get keys under /registry/namespaces/default
sudo ./etcdctl --endpoints=https://127.0.0.1:2379 \
  --cacert /etc/kubernetes/pki/etcd/ca.crt \
  --cert /etc/kubernetes/pki/etcd/peer.crt \
  --key /etc/kubernetes/pki/etcd/peer.key \
  --keys-only --write-out="json" \
  get /registry/namespaces/default

# Get a specific secret (example, replace with an actual secret path from the output above)
# sudo ./etcdctl --endpoints=https://127.0.0.1:2379 \
#   --cacert /etc/kubernetes/pki/etcd/ca.crt \
#   --cert /etc/kubernetes/pki/etcd/peer.crt \
#   --key /etc/kubernetes/pki/etcd/peer.key \
#   --write-out="json" \
#   get /registry/secrets/kube-system/some-secret-name

# Get a specific pod's details (example, replace with an actual pod path)
# sudo ./etcdctl --endpoints=https://127.0.0.1:2379 \
#   --cacert /etc/kubernetes/pki/etcd/ca.crt \
#   --cert /etc/kubernetes/pki/etcd/peer.crt \
#   --key /etc/kubernetes/pki/etcd/peer.key \
#   --write-out="json" \
#   get /registry/pods/default/some-pod-name

(Consolidated duplicated get /registry/namespaces/default and generalized specific key examples.)

Task: The original document suggests: "find a secret, decode the secret and find the json webtoken..." This involves getting a secret's data, which is base64 encoded within the JSON/protobuf value stored in etcd, then base64 decoding those fields.

3. Kubelet Communication (Worker Node Focus)

The kubelet runs on every node and is responsible for managing pods as instructed by the API server.

3.1 Inspecting Kubelet Configuration (Worker Node)

The kubelet's configuration tells it how to communicate with the API server.

# On a worker node
sudo cat /etc/kubernetes/kubelet.conf

This file is a kubeconfig file used by the kubelet. Example content:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCg... # Base64 CA cert
    server: https://10.10.2.78:6443 # API server address
  name: default-cluster
contexts:
- context:
    cluster: default-cluster
    namespace: default # Default namespace for this kubeconfig
    user: default-auth # User reference
  name: default-context
current-context: default-context
kind: Config
preferences: {}
users:
- name: default-auth # User definition
  user:
    client-certificate: /var/lib/kubelet/pki/kubelet-client-current.pem # Path to kubelet's client cert
    client-key: /var/lib/kubelet/pki/kubelet-client-current.pem # Path to kubelet's client key

3.2 Kubelet Authenticating to API Server

The kubelet uses its client certificate and key (specified in kubelet.conf) to authenticate to the API server. You can simulate this with curl:

# On a worker node, replace $MASTER_IP with the actual API server IP/hostname
export MASTER_IP=<your_k8s_master_ip_or_hostname> # e.g., 10.10.2.78

sudo curl --cacert /etc/kubernetes/pki/ca.crt \
           --key /var/lib/kubelet/pki/kubelet-client-current.pem \
           --cert /var/lib/kubelet/pki/kubelet-client-current.pem \
           "https://$(MASTER_IP):6443/version"

(Corrected variable usage in URL)

3.3 Inspecting Kubelet Process and Certificates

View the running kubelet process:

ps aux | grep kubelet

Example output:

root      6510  2.2  0.6 1712588 99804 ?       Ssl  Jun10 166:31 /usr/bin/kubelet --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf --config=/var/lib/kubelet/config.yaml --cgroup-driver=cgroupfs --network-plugin=cni --pod-infra-container-image=k8s.gcr.io/pause:3.2 --resolv-conf=/run/systemd/resolve/resolv.conf
...

(Formatted as generic text block)

View kubelet client certificate files (often a symlink to the current active cert):

ls -la /var/lib/kubelet/pki/

Example output:

drwxr-xr-x 2 root root 4096 Jun 10 10:31 .
drwxr-xr-x 8 root root 4096 Jun 10 10:31 ..
-rw------- 1 root root 1078 Jun 10 10:31 kubelet-client-2020-06-10-10-31-38.pem
lrwxrwxrwx 1 root root   59 Jun 10 10:31 kubelet-client-current.pem -> /var/lib/kubelet/pki/kubelet-client-2020-06-10-10-31-38.pem
-rw-r--r-- 1 root root 2205 Jun 10 10:29 kubelet.crt
-rw------- 1 root root 1679 Jun 10 10:29 kubelet.key

(Formatted as generic text block)

3.4 Kubelet API (Read-Only Port and Secure Port)

The kubelet listens on ports for its own API, used by the API server to issue commands to it and retrieve status/logs.

Check listening ports on a node:

sudo netstat -anp -t tcp | grep LISTEN # Filter for 'kubelet' if output is too noisy

Example output snippet showing common Kubelet ports:

tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      .../kubelet (Read-Only API, often disabled or localhost-only)
tcp6       0      0 :::10250                :::*                    LISTEN      .../kubelet (Secure API)
tcp6       0      0 :::10256                :::*                    LISTEN      .../kubelet (Healthz)

(Updated netstat and formatted as generic text block. Added port descriptions.)

Hint: Port 10250 is the main secure Kubelet API. Port 10255 (not shown in example) was historically an unauthenticated read-only port, now often disabled. Port 10248 is often a localhost-only health check port.

3.5 API Server Communicating with Kubelet

The API server communicates with the kubelet's secure port (10250) using client certificates (apiserver-kubelet-client.crt/key) to authenticate itself to the kubelet.

Set Worker Node IP:

export NODE_IP=<your_k8s_worker_ip_or_hostname>

Query Kubelet Endpoints (from Master or machine with API server certs): These commands simulate how the API server might query a kubelet.

Get logs (example):

sudo curl -kv \
           --cacert /etc/kubernetes/pki/ca.crt \ # Kubelet's serving cert should be signed by a CA the apiserver trusts
           --key /etc/kubernetes/pki/apiserver-kubelet-client.key \
           --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt \
           "https://$NODE_IP:10250/logs/"

(Added CA cert to curl command for Kubelet API, as Kubelet's serving cert needs to be verified.)

List pods running on the node:

sudo curl -k \
          --cacert /etc/kubernetes/pki/ca.crt \
          --key /etc/kubernetes/pki/apiserver-kubelet-client.key \
          --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt \
          "https://$NODE_IP:10250/pods" | jq

Execute a command in a pod (example, requires specific pod/container names):(This endpoint is powerful and its direct use is less common than kubectl exec)

# Replace 'default/www/www' with 'namespace/podname/containername'
# This example attempts to run 'ls' in container 'www' of pod 'www' in 'default' namespace.
# sudo curl -kv \
#            -XPOST \
#            --cacert /etc/kubernetes/pki/ca.crt \
#            --key /etc/kubernetes/pki/apiserver-kubelet-client.key \
#            --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt \
#            "https://$NODE_IP:10250/run/default/www/www" \
#            -d "cmd=ls"

(Commented out the /run example as it's complex, potentially dangerous, and often disabled or restricted by default on modern Kubelet configurations for security reasons. Kept it commented for informational purposes if the user wants to explore it, but it's not a typical interaction method.)

Home

Previousingress Nextkube-bench

Last updated 6 months ago