@lizrice
Last active March 15, 2023 12:13
Checking Kubelet API access

Accessing Kubelet API

curl -sk https://localhost:10250/pods/
  • If --anonymous-auth is turned off, you will see a 401 Unauthorized response.
  • If --anonymous-auth is true and --authorization-mode is Webhook, you'll see a 403 Forbidden response with the message Forbidden (user=system:anonymous, verb=get, resource=nodes, subresource=proxy).
  • If --anonymous-auth is true and --authorization-mode is AlwaysAllow, you'll see a list of pods.
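The same check as a script, added here as an example that is not part of the original gist: it fetches only the HTTP status code from the kubelet /pods endpoint and maps it onto the three outcomes listed above, so the result can be checked programmatically on every node rather than read off a curl dump. It assumes curl is installed, the kubelet listens on the default port 10250, and the host name comes from the KUBELET_HOST variable (an assumption of this example; default localhost).

```shell
#!/bin/sh
# Added example, not from the original gist: probe the kubelet /pods endpoint
# anonymously and report what the HTTP status says about --anonymous-auth and
# --authorization-mode. Assumes curl is present and the kubelet is on port 10250.

KUBELET_HOST="${KUBELET_HOST:-localhost}"   # assumed variable name for this example

# Return only the HTTP status code; the body is discarded.
# -s silent, -k skip certificate verification (self-signed kubelet serving cert).
kubelet_pods_status() {
    curl -sk -o /dev/null -w '%{http_code}' "https://${KUBELET_HOST}:10250/pods/"
}

# Map a status code onto the three cases described in the gist.
explain_status() {
    case "$1" in
        401) echo "anonymous-auth is off: unauthenticated requests are rejected" ;;
        403) echo "anonymous-auth is on, authorization-mode is Webhook: system:anonymous is forbidden" ;;
        200) echo "anonymous-auth is on, authorization-mode is AlwaysAllow: pod list is exposed" ;;
        000) echo "no response: nothing reachable on ${KUBELET_HOST}:10250" ;;
        *)   echo "unexpected status $1" ;;
    esac
}

# Exit status 0 when anonymous access to /pods is denied (401 or 403), 1 otherwise.
anonymous_access_denied() {
    case "$1" in
        401|403) return 0 ;;
        *)       return 1 ;;
    esac
}

# Live run is opt-in so the functions can be sourced without touching the network.
if [ "${RUN_LIVE_CHECK:-0}" = "1" ]; then
    status=$(kubelet_pods_status)
    echo "HTTP ${status}: $(explain_status "$status")"
    anonymous_access_denied "$status" || echo "FAIL: anonymous access to /pods is allowed on ${KUBELET_HOST}"
fi
```

Run it with RUN_LIVE_CHECK=1 on a node to get a one-line verdict; a 200 is the configuration the rest of the gist shows how to fix.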

Execing into a pod

curl -skv -X POST -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" "https://localhost:10250/exec/<namespace>/<pod name>/<container name>/?command=touch&command=hello_world&input=1&output=1&tty=1"

This gives a 302 Found response on v1.9, but execing into the pod directly shows no evidence of the file being created. On v1.11 there was an Upgrade request required response - maybe a TLS issue?

Changing kubelet settings

Edit /etc/systemd/system/kubelet.service.d/10-kubeadm.conf, then reload systemd and restart the kubelet:

sudo systemctl daemon-reload
sudo systemctl restart kubelet.service

Or, if the settings are in /var/lib/kubelet/config.yaml, edit the config file and then run sudo systemctl restart kubelet.service.
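When the settings live in config.yaml, the following script, added as an example and not part of the original gist, reads the two fields that correspond to --anonymous-auth and --authorization-mode and reports whether the file has the hardened values (anonymous auth off, Webhook authorization). The field names authentication.anonymous.enabled and authorization.mode are the real KubeletConfiguration keys; the sample files the script writes are constructed for this demonstration, and the CHECK_LIVE variable is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original gist: inspect a kubelet config.yaml for
# the settings the gist discusses. Uses only awk, so it runs on a bare node.

# Print authentication.anonymous.enabled from the given config file.
anonymous_enabled() {
    awk '
        /^authentication:/        { in_auth = 1; next }
        in_auth && /^[^ ]/        { in_auth = 0; in_anon = 0 }   # left the authentication block
        in_anon && /^  [^ ]/      { in_anon = 0 }                # sibling of anonymous (e.g. webhook)
        in_auth && /^  anonymous:/ { in_anon = 1; next }
        in_anon && /^ +enabled:/  { print $2; exit }
    ' "$1"
}

# Print authorization.mode from the given config file.
authorization_mode() {
    awk '
        /^authorization:/         { in_authz = 1; next }
        in_authz && /^[^ ]/       { in_authz = 0 }
        in_authz && /^ +mode:/    { print $2; exit }
    ' "$1"
}

# Exit 0 when anonymous auth is disabled and authorization mode is Webhook.
config_is_hardened() {
    [ "$(anonymous_enabled "$1")" = "false" ] && [ "$(authorization_mode "$1")" = "Webhook" ]
}

# Write a constructed KubeletConfiguration to $1 with the given anonymous
# setting ($2: true/false) and authorization mode ($3). Sample data only.
write_sample_config() {
    cat > "$1" <<EOF
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: $2
  webhook:
    enabled: true
authorization:
  mode: $3
EOF
}

# Opt-in check of the real file on this node.
if [ "${CHECK_LIVE:-0}" = "1" ]; then
    cfg=/var/lib/kubelet/config.yaml
    echo "anonymous.enabled=$(anonymous_enabled "$cfg") authorization.mode=$(authorization_mode "$cfg")"
    config_is_hardened "$cfg" && echo "OK: hardened" || echo "FAIL: anonymous access or AlwaysAllow in $cfg"
fi
```

The weak configuration (enabled: true with mode: AlwaysAllow) is the one that returns the pod list to an unauthenticated curl; the hardened one is what to leave in place before restarting the kubelet.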
