Accessing the Kubernetes API from a Pod

    You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. It is recommended to run this tutorial on a cluster with at least two nodes that are not acting as control plane hosts. If you do not already have a cluster, you can create one by using or you can use one of these Kubernetes playgrounds:

    Accessing the API from within a Pod

    When accessing the API from within a Pod, locating and authenticating to the API server are slightly different to the external client case.

    The easiest way to use the Kubernetes API from a Pod is to use one of the official client libraries. These libraries can automatically discover the API server and authenticate.

    From within a Pod, the recommended ways to connect to the Kubernetes API are:

    • For a Python client, use the official Python client library. The config.load_incluster_config() function handles API host discovery and authentication automatically. See .

    • There are a number of other libraries available, please refer to the Client Libraries page.

    In each case, the service account credentials of the Pod are used to communicate securely with the API server.

    While running in a Pod, your container can create an HTTPS URL for the Kubernetes API server by fetching the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT_HTTPS environment variables. The API server’s in-cluster address is also published to a Service named kubernetes in the default namespace so that pods may reference kubernetes.default.svc as a DNS name for the local API server.

    The recommended way to authenticate to the API server is with a service account credential. By default, a Pod is associated with a service account, and a credential (token) for that service account is placed into the filesystem tree of each container in that Pod, at /var/run/secrets/kubernetes.io/serviceaccount/token.

    If available, a certificate bundle is placed into the filesystem tree of each container at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, and should be used to verify the serving certificate of the API server.

    Finally, the default namespace to be used for namespaced API operations is placed in a file at /var/run/secrets/kubernetes.io/serviceaccount/namespace in each container.

    If you would like to query the API without an official client library, you can run kubectl proxy as the command of a new sidecar container in the Pod. This way, kubectl proxy will authenticate to the API and expose it on the localhost interface of the Pod, so that other containers in the Pod can use it directly.

    The output will be similar to this:

    1. {
    3.   "serverAddressByClientCIDRs": [
    4.     {
    5.       "clientCIDR": "0.0.0.0/0",
    6.       "serverAddress": "10.0.1.149:443"
    7.     }
    8.   ]