Kubernetes API Server Explained

The kube-apiserver is the core component of a Kubernetes cluster, serving as the central hub that exposes the Kubernetes API.

It is designed to be highly scalable, capable of handling a large number of concurrent requests efficiently.

End users and other cluster components talk to the cluster via the API server. Occasionally, monitoring systems and third-party services may also talk to the API server to interact with the cluster.

So when you use kubectl to manage the cluster, behind the scenes you are actually communicating with the API server through its HTTP REST API. The API server in turn uses gRPC to talk to the etcd component.

All communication between the API server and other components within the cluster is encrypted using TLS (Transport Layer Security) to ensure secure access and prevent unauthorized interventions in the cluster's operations.

⚠️ Note: If you're new to Kubernetes, the information below might be challenging to grasp at first. However, with hands-on experience, it will start to make sense.

The Kubernetes api-server is responsible for the following:

  1. API management: Exposes the cluster API endpoint (REST) and handles all API requests. The API is versioned, and the server supports multiple API versions simultaneously.

    The API request could be internal or come from external users, K8s SDKs, third-party apps, etc.
  2. Authentication: The API server supports several authentication methods such as client certificates, bearer tokens, and HTTP Basic Authentication.
  3. Authorization: Once the API server has authenticated a request, it evaluates the request against its authorization policies. The API server uses Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC) for authorization.
  4. Processing API requests and validating data for API objects like pods, services, etc. (validating and mutating admission controllers).

    For example, if you try to create a pod with an invalid memory limit (e.g., specifying memory as "1TB" instead of "1024Gi"), the API server's admission controllers will reject the request, preventing invalid configurations from entering the system.
  5. It is the only component that communicates with etcd.
  6. The api-server coordinates all the processes between the control plane and worker node components.
  7. The API server also supports watching resources for changes. For example, clients can establish a watch on specific resources and receive real-time notifications when those resources are created, modified, or deleted.
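The memory-limit rejection in item 4 above comes down to the quantity grammar the API server enforces: "1TB" uses a unit suffix that does not exist in Kubernetes, while "1024Gi" (binary SI) and "1T" (decimal SI) are both valid. The following is an added example, not code from the original post or from Kubernetes itself: a small validator that parses quantities with the same suffix rules and walks a constructed pod spec the way a validation step would, reporting the field that fails. The suffix tables and regular expression are this example's own; the sample pod spec is constructed.

```python
"""Added example: a validator for Kubernetes resource quantities, mirroring
the rejection of a pod whose memory limit is written as "1TB" rather than
"1024Gi". Illustrative code, not the API server's own validation."""
import re
from decimal import Decimal

# Suffix tables follow the Kubernetes Quantity grammar:
# binary SI (Ki..Ei), decimal SI (n..E) and a decimal exponent (e.g. 1e3).
BINARY_SI = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30,
             "Ti": 2**40, "Pi": 2**50, "Ei": 2**60}
DECIMAL_SI = {"n": Decimal("1e-9"), "u": Decimal("1e-6"), "m": Decimal("1e-3"),
              "": 1, "k": 10**3, "M": 10**6, "G": 10**9,
              "T": 10**12, "P": 10**15, "E": 10**18}

# <signed number><optional suffix>; "TB", "GB" and other non-Kubernetes units
# do not match and are therefore rejected.
_QUANTITY_RE = re.compile(
    r"^([+-]?(?:\d+\.?\d*|\.\d+))([KMGTPE]i|[numkMGTPE]|[eE][+-]?\d+)?$")


class InvalidQuantity(ValueError):
    """Raised for strings that are not valid Kubernetes quantities."""


def parse_quantity(text: str) -> Decimal:
    """Return the quantity's value in base units (bytes for memory)."""
    match = _QUANTITY_RE.match(text)
    if not match:
        raise InvalidQuantity(f"quantities must match the regular expression "
                              f"'{_QUANTITY_RE.pattern}' (got {text!r})")
    number, suffix = match.group(1), match.group(2) or ""
    value = Decimal(number)
    if suffix in BINARY_SI:
        return value * BINARY_SI[suffix]
    if suffix in DECIMAL_SI:
        return value * Decimal(DECIMAL_SI[suffix])
    return value * Decimal(10) ** int(suffix[1:])   # "1e3"-style exponent


def validate_memory_limits(pod_spec: dict) -> list[str]:
    """Check every container's memory limit the way a validation step would,
    returning a list of field errors (empty means the spec is acceptable)."""
    errors = []
    for index, container in enumerate(pod_spec.get("containers", [])):
        limit = container.get("resources", {}).get("limits", {}).get("memory")
        if limit is None:
            continue                      # no limit set is allowed
        field = f"spec.containers[{index}].resources.limits.memory"
        try:
            value = parse_quantity(limit)
        except InvalidQuantity as exc:
            errors.append(f"{field}: {exc}")
            continue
        if value <= 0:
            errors.append(f"{field}: must be greater than 0")
    return errors


# Constructed pod spec: the second container carries the invalid "1TB".
SAMPLE_POD_SPEC = {
    "containers": [
        {"name": "app", "resources": {"limits": {"memory": "1024Gi"}}},
        {"name": "sidecar", "resources": {"limits": {"memory": "1TB"}}},
    ]
}

if __name__ == "__main__":
    for err in validate_memory_limits(SAMPLE_POD_SPEC):
        print("rejected:", err)
```

Running the script reports one error, for the sidecar container's "1TB" limit, while the "1024Gi" limit parses to exactly 2^40 bytes. The same parser handles CPU-style quantities such as "500m", which is why the suffix table carries the sub-unit prefixes as well.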

apiserver proxy

By default, services running inside the cluster are not accessible from outside the cluster unless they are exposed using NodePort or LoadBalancer services.

There are use cases where an administrator or a developer needs to access these internal services that are not exposed outside the cluster (administrative tasks or debugging).

For this use case, the api-server has a built-in apiserver proxy. It is part of the API server process and is primarily used to enable access to ClusterIP services from outside the cluster.

You can start the API server proxy using the following command.

kubectl proxy --port=8080
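Once kubectl proxy is running, a ClusterIP service is reached through the API server's service-proxy path, /api/v1/namespaces/{namespace}/services/{scheme}:{name}:{port}/proxy/{path}, and the proxy attaches your kubeconfig credentials to each request. The following is an added example, not code from the original post: it builds that URL for a service and fetches it through the local proxy, returning a status code rather than raising when the proxy is not running. The listener address and the service names in the usage section are assumptions.

```python
"""Added example (not from the original post): reaching a ClusterIP service
through the apiserver proxy started with `kubectl proxy --port=8080`."""
import urllib.error
import urllib.request

# Assumption: kubectl proxy is listening on its default loopback address.
PROXY = "http://127.0.0.1:8080"


def service_proxy_url(namespace: str, service: str, port, path: str = "",
                      scheme: str = "http", proxy: str = PROXY) -> str:
    """Build the API server's service proxy URL:
    /api/v1/namespaces/{ns}/services/{scheme}:{name}:{port}/proxy/{path}
    `port` may be a number or a named port from the Service spec."""
    return (f"{proxy}/api/v1/namespaces/{namespace}/services/"
            f"{scheme}:{service}:{port}/proxy/{path.lstrip('/')}")


def fetch_via_proxy(url: str, timeout: float = 5.0):
    """GET a URL through the local proxy. Returns (status, body); when the
    proxy is not running, returns (None, reason) instead of raising."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:            # API server answered, e.g. 403 or 404
        return exc.code, exc.reason
    except (urllib.error.URLError, OSError) as exc:  # nothing listening at PROXY
        return None, str(exc)


if __name__ == "__main__":
    # Hypothetical service; replace with one listed by `kubectl get svc -A`.
    url = service_proxy_url("monitoring", "prometheus-server", 9090, "/-/healthy")
    print(url)
    print(fetch_via_proxy(url))
```

A 403 from this path means the identity in your kubeconfig is not authorized for the services/proxy subresource, which is a separate RBAC permission from reading the Service object. kubectl proxy binds to loopback by default; keep it there, since anything that can reach the proxy port inherits your credentials.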

API Server Aggregation Layer

The API server contains an aggregation layer which allows you to extend the Kubernetes API with custom API resources and controllers that are not natively available in Kubernetes.

A real-world example is the Prometheus Adapter, which provides a custom API that extends Kubernetes to expose custom metrics stored in Prometheus. This API is served under the path /apis/custom.metrics.k8s.io/v1beta1.

This setup allows Kubernetes users to make autoscaling decisions based on application-specific metrics that are more relevant to the application's performance and health, rather than relying solely on general system metrics like CPU and memory usage.
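Each aggregated API such as custom.metrics.k8s.io is registered with an APIService object; when the spec names a backing Service, kube-apiserver forwards requests for that path to the extension server over TLS. Because the API server is then trusting another process with authenticated requests, an auditor wants to know which groups are delegated and whether verification of the extension server's certificate has been turned off (the insecureSkipTLSVerify field). The following is an added example, not code from the original post or from the Prometheus Adapter project: it walks a constructed APIService listing, shaped like the response of GET /apis/apiregistration.k8s.io/v1/apiservices, and reports the served path, the backend, and any entries that skip TLS verification. The service names and the caBundle value in the sample are constructed placeholders.

```python
"""Added example (not from the original post): auditing the aggregation
layer from an APIService listing such as
GET /apis/apiregistration.k8s.io/v1/apiservices."""
import json

# Constructed sample modelled on a real APIServiceList. The caBundle value is a
# placeholder, not real certificate data.
SAMPLE_APISERVICE_LIST = json.loads("""
{
  "kind": "APIServiceList",
  "apiVersion": "apiregistration.k8s.io/v1",
  "items": [
    {"metadata": {"name": "v1."},
     "spec": {"version": "v1", "groupPriorityMinimum": 18000, "versionPriority": 1}},
    {"metadata": {"name": "v1beta1.custom.metrics.k8s.io"},
     "spec": {"group": "custom.metrics.k8s.io", "version": "v1beta1",
              "service": {"namespace": "monitoring", "name": "prometheus-adapter", "port": 443},
              "insecureSkipTLSVerify": true,
              "groupPriorityMinimum": 100, "versionPriority": 100}},
    {"metadata": {"name": "v1beta1.metrics.k8s.io"},
     "spec": {"group": "metrics.k8s.io", "version": "v1beta1",
              "service": {"namespace": "kube-system", "name": "metrics-server", "port": 443},
              "caBundle": "PLACEHOLDER-BASE64-CA-BUNDLE",
              "groupPriorityMinimum": 100, "versionPriority": 100}}
  ]
}
""")


def served_path(spec: dict) -> str:
    """URL path under which this API version is served by kube-apiserver;
    the legacy core group has no "group" field and lives under /api."""
    group = spec.get("group")
    return f"/apis/{group}/{spec['version']}" if group else f"/api/{spec['version']}"


def audit_apiservices(listing: dict) -> dict:
    """Split APIServices into those served by kube-apiserver itself ("local")
    and those delegated to an extension server ("aggregated"), and flag
    delegated ones whose TLS verification of that server is disabled."""
    report = {"local": [], "aggregated": {}, "skip_tls_verify": []}
    for item in listing.get("items", []):
        name = item["metadata"]["name"]
        spec = item["spec"]
        backend = spec.get("service")
        if backend is None:                 # no backing Service: served in-process
            report["local"].append(name)
            continue
        report["aggregated"][name] = {
            "path": served_path(spec),
            "backend": f"{backend['namespace']}/{backend['name']}:{backend.get('port', 443)}",
        }
        if spec.get("insecureSkipTLSVerify"):
            report["skip_tls_verify"].append(name)
    return report


if __name__ == "__main__":
    print(json.dumps(audit_apiservices(SAMPLE_APISERVICE_LIST), indent=2))
```

On the sample, the report lists the core v1 group as local, the two metrics groups as aggregated with their served paths and backends, and flags v1beta1.custom.metrics.k8s.io because its spec sets insecureSkipTLSVerify. Supplying a caBundle for the extension server instead keeps the API server from forwarding authenticated requests to an unverified endpoint.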

Security Note: To reduce the cluster's attack surface, it is important to secure the API server. The Shadowserver Foundation conducted an experiment that discovered 380 000 publicly accessible Kubernetes API servers.
