Accessing the Kubernetes API from a Pod

    You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using or you can use one of these Kubernetes playgrounds:

    Accessing the API from within a Pod

    When accessing the API from within a Pod, locating and authenticating to the API server are slightly different to the external client case.

    The easiest way to use the Kubernetes API from a Pod is to use one of the official client libraries. These libraries can automatically discover the API server and authenticate.

    From within a Pod, the recommended ways to connect to the Kubernetes API are:

    • For a Python client, use the official Python client library. The config.load_incluster_config() function handles API host discovery and authentication automatically. See .

    • There are a number of other libraries available, please refer to the Client Libraries page.

    In each case, the service account credentials of the Pod are used to communicate securely with the API server.

    While running in a Pod, the Kubernetes apiserver is accessible via a Service named kubernetes in the default namespace. Therefore, Pods can use the kubernetes.default.svc hostname to query the API server. Official client libraries do this automatically.

    If available, a certificate bundle is placed into the filesystem tree of each container at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, and should be used to verify the serving certificate of the API server.

    Finally, the default namespace to be used for namespaced API operations is placed in a file at in each container.

    If you would like to query the API without an official client library, you can run kubectl proxy as the of a new sidecar container in the Pod. This way, kubectl proxy will authenticate to the API and expose it on the localhost interface of the Pod, so that other containers in the Pod can use it directly.

    It is possible to avoid using the kubectl proxy by passing the authentication token directly to the API server. The internal certificate secures the connection.

    1. {
    2.   "kind": "APIVersions",
    3.   "versions": [
    5.   "serverAddressByClientCIDRs": [
    6.     {
    7.       "clientCIDR": "0.0.0.0/0",
    8.       "serverAddress": "10.0.1.149:443"
    9.     }
    11. }