Accessing Kubelet API

  • If --anonymous-auth is turned off, you will see a 401 Unauthorized response.
  • If --anonymous-auth is true and --authorization-mode is Webhook you’ll see 403 Forbidden response with message Forbidden (user=system:anonymous, verb=get, resource=nodes, subresource=proxy)
  • If --anonymous-auth is true and --authorization-mode is AlwaysAllow you’ll see a list of pods.
  • --port int32 The port for the Kubelet to serve on. (default 10250)
  • --read-only-port int32 The read-only port for the Kubelet to serve on with no authentication/authorization (set to 0 to disable) (default 10255)

API endpoints

  • /pods - lists running pods
  • /exec - runs a command in a container and returns a link to view the output.
  • Other API endpoints not relevant to this post allow port forwarding, fetching logs and viewing metrics.

Authorization Token

## kubelet api
kubectl create sa kubelet-api-test
kubectl create clusterrolebinding kubelet-api-test --clusterrole=system:kubelet-api-admin --serviceaccount=default:kubelet-api-test
SECRET=$(kubectl get secrets | grep kubelet-api-test | awk '{print $1}')
TOKEN=$(kubectl describe secret ${SECRET} | grep -E '^token' | awk '{print $2}')
echo ${TOKEN}


curl -Ssk --header "Authorization: Bearer ${TOKEN}"
curl -Ssk https://localhost:10250/pods/
curl http://localhost:10255/pods
curl http://localhost:10255/stats/summary
curl http://localhost:10255/metrics
# Running Commands in Containers
curl -skv -X POST -H "X-Stream-Protocol-Version:" -H "X-Stream-Protocol-Version:" "https://localhost:10250/exec/<namespace>/<pod name>/<container name>/?command=touch&command=hello_world&input=1&output=1&tty=1"
curl -Gks https://worker:10250/exec/{namespace}/{pod}/{container} -d 'input=1' -d 'output=1' -d 'tty=1' -d 'command=ls' -d 'command=/'
curl -Gks https://worker:10250/exec/kube-system/tiller-797d1b1234-gb6qt/tiller -d 'input=1' -d 'output=1' -d 'tty=1' -d 'command=ls' -d 'command=/'