Kubernetes API Server YAML Deep Dive: What Each Line Means



The kube-apiserver is the core component of the Kubernetes control plane, acting as the gateway for all cluster operations. It exposes the Kubernetes API, processes REST requests, and validates, authenticates, and authorizes them before updating the cluster state in etcd.

Key functions of the API server:

  • Cluster Gateway: Handles all interactions between users, controllers, and worker nodes.
  • Authentication & Authorization: Ensures secure access using mechanisms like RBAC and certificates.
  • State Management: Reads and writes cluster data in etcd.
  • Scaling & Extensibility: Facilitates communication with controllers, schedulers, and operators.

The API server ensures the cluster remains functional, secure, and responsive, making it the heart of Kubernetes operations.

Below is an example api-server.yaml, the static Pod manifest that kubeadm generates for the API server:

apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 172.30.1.2:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=172.30.1.2
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: registry.k8s.io/kube-apiserver:v1.31.0
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 172.30.1.2
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-apiserver
    readinessProbe:
      failureThreshold: 3
      httpGet:
        host: 172.30.1.2
        path: /readyz
        port: 6443
        scheme: HTTPS
      periodSeconds: 1
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 50m
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 172.30.1.2
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/ca-certificates
      name: etc-ca-certificates
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /usr/local/share/ca-certificates
      name: usr-local-share-ca-certificates
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-share-ca-certificates
      readOnly: true
  hostNetwork: true
  priority: 2000001000
  priorityClassName: system-node-critical
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/ca-certificates
      type: DirectoryOrCreate
    name: etc-ca-certificates
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /usr/local/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-local-share-ca-certificates
  - hostPath:
      path: /usr/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-share-ca-certificates
status: {}
        


1. Basic Information

apiVersion: v1
kind: Pod        

  • apiVersion: v1 → The Kubernetes API version used for this resource.
  • kind: Pod → Specifies that this resource defines a Pod.


2. Metadata

metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 172.30.1.2:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system        

  • annotations → Stores additional metadata. The annotation kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 172.30.1.2:6443 specifies the address where the API server advertises its availability.
  • labels → Key-value pairs used for identifying and grouping resources. component: kube-apiserver → Identifies this as the API server. tier: control-plane → Indicates that this is a control plane component.
  • name: kube-apiserver → The Pod’s name.
  • namespace: kube-system → The Pod runs in the kube-system namespace, reserved for system components.


3. Containers (Main API Server Container)

spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=172.30.1.2
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key        

  • command → Specifies the startup command and its arguments for the container. The most security-relevant flags are:
    • --advertise-address=172.30.1.2 → The address on which the API server announces itself to the rest of the cluster.
    • --allow-privileged=true → Permits privileged containers to be created.
    • --authorization-mode=Node,RBAC → Authorizes requests with the Node authorizer (for kubelet requests) and Role-Based Access Control (RBAC).
    • --client-ca-file=/etc/kubernetes/pki/ca.crt → The CA certificate used to validate client certificates presented to the API server.
    • --enable-admission-plugins=NodeRestriction → Enables the NodeRestriction admission controller, which limits a kubelet to modifying only its own Node and the Pods bound to it.
    • --enable-bootstrap-token-auth=true → Allows bootstrap token authentication (used when joining nodes).
    • --etcd-servers=https://127.0.0.1:2379 → The etcd endpoint that stores the cluster state; the --etcd-cafile, --etcd-certfile and --etcd-keyfile flags supply the TLS material for that connection.
    • --service-cluster-ip-range=10.96.0.0/12 → The IP range from which Kubernetes Service cluster IPs are allocated.
    • --tls-cert-file=/etc/kubernetes/pki/apiserver.crt → The TLS certificate the API server serves for secure API access (its private key is given by --tls-private-key-file).
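As an added example (not part of the original article), a small Python check that parses the command list of a static Pod manifest like the one above and flags the settings this section describes as security-relevant. The embedded excerpt is constructed from the flags shown above; the anonymous-auth check is an extra one for a flag the manifest does not set.

```python
import re

# Constructed excerpt of the command list from the manifest above, embedded so the
# check runs offline; in practice read /etc/kubernetes/manifests/kube-apiserver.yaml.
MANIFEST_COMMAND = """
    - kube-apiserver
    - --advertise-address=172.30.1.2
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --secure-port=6443
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
"""
# Matches one '- --flag=value' list item; a bare '- --flag' is a boolean switch.
FLAG_RE = re.compile(r"^\s*-\s+--([A-Za-z0-9-]+)(?:=(.*))?\s*$")

def parse_flags(command_yaml):
    """Return {flag: value} for the '--flag' items of a kube-apiserver command list."""
    flags = {}
    for line in command_yaml.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = m.group(2) if m.group(2) is not None else "true"
    return flags

def audit_apiserver(flags):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # kube-apiserver defaults to AlwaysAllow when --authorization-mode is absent.
    modes = flags.get("authorization-mode", "AlwaysAllow").split(",")
    if "AlwaysAllow" in modes or "RBAC" not in modes:
        findings.append("authorization-mode must include RBAC and exclude AlwaysAllow")
    if "NodeRestriction" not in flags.get("enable-admission-plugins", "").split(","):
        findings.append("NodeRestriction is not in --enable-admission-plugins")
    for f in ("client-ca-file", "tls-cert-file", "tls-private-key-file",
              "etcd-cafile", "etcd-certfile", "etcd-keyfile"):
        if f not in flags:
            findings.append("missing --" + f + " (client or etcd TLS not configured)")
    if not flags.get("etcd-servers", "").startswith("https://"):
        findings.append("etcd-servers is not an https:// endpoint")
    # Not set in the manifest above: anonymous requests are accepted unless this is false.
    if flags.get("anonymous-auth", "true") != "false":
        findings.append("anonymous-auth is not disabled (defaults to true)")
    return findings
```

Run against the excerpt above, the only finding is the unset anonymous-auth flag; a manifest with AlwaysAllow or a plain http:// etcd endpoint produces the corresponding findings.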


4. Image and Image Pull Policy

    image: registry.k8s.io/kube-apiserver:v1.31.0
    imagePullPolicy: IfNotPresent        

  • image → Uses the kube-apiserver image, version v1.31.0, from the registry.k8s.io registry.
  • imagePullPolicy: IfNotPresent → Only pulls the image if it is not already available locally.


5. Health Probes

    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 172.30.1.2
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15        

  • livenessProbe → Checks if the API server is alive. Sends an HTTPS request to /livez at 172.30.1.2:6443.

    readinessProbe:
      failureThreshold: 3
      httpGet:
        host: 172.30.1.2
        path: /readyz
        port: 6443
        scheme: HTTPS
      periodSeconds: 1
      timeoutSeconds: 15        

  • readinessProbe → Checks if the API server is ready to accept traffic by requesting /readyz over HTTPS every second.

    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 172.30.1.2
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15        

  • startupProbe → Determines when the API server has fully started; the liveness and readiness probes only take effect once it succeeds.


6. Volumes

    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true        

  • Mounts the host's CA bundles and the cluster PKI (certificates and keys under /etc/kubernetes/pki) into the container read-only, for TLS and client-certificate authentication.

  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs        

  • hostPath → Maps directories from the host machine into the container; DirectoryOrCreate creates the directory if it does not already exist.


7. Security Settings

  hostNetwork: true        

  • hostNetwork: true → The Pod shares the host's network namespace, so the API server listens directly on the node's address (172.30.1.2:6443).

  priority: 2000001000
  priorityClassName: system-node-critical        

  • priorityClassName: system-node-critical → Marks this Pod as node-critical so it is scheduled ahead of, and is never evicted in favor of, ordinary workloads; priority: 2000001000 is the numeric value of that class.

  securityContext:
    seccompProfile:
      type: RuntimeDefault        

  • seccompProfile: RuntimeDefault → Applies the container runtime's default seccomp profile, which restricts the system calls the container may make.


Summary

The YAML file above defines the Kubernetes API server Pod, which:

  • Runs in the control plane.
  • Uses RBAC and TLS for security.
  • Connects to etcd for storing cluster state.
  • Performs health checks to ensure reliability.
  • Mounts certificates for secure communication.


More articles by Chaitanya Sawant
