Kubernetes API overview
REST APIs are the foundation of Kubernetes. All operations and communication between components, as well as external user commands, are REST API calls handled by the API server. Consequently, every resource in the Kubernetes platform is treated as an API object and has a corresponding definition in the API.
API version control
To make it easier to eliminate fields or restructure resource representations, Kubernetes supports multiple API versions, each under a different API path, for example /api/v1 or /apis/extensions/v1beta1.
Versioning is done at the API level rather than at the resource or field level in order to:
- Ensure that the API presents a clear and consistent view of system resources and behavior.
- Allow control of access to end-of-life and/or experimental APIs.
Both the JSON and Protobuf serialization schemas follow these guidelines when the schema changes. The following descriptions apply to both formats.
Note: API versioning and software versioning are only indirectly related. The API and release versioning proposal describes the relationship between API versions and software versions.
Different API versions represent different levels of stability and support. You can find more information about the criteria for each level in the API Changes documentation.
Below is a summary of each level:
- Alpha:
  - The version name contains alpha (for example, v1alpha1).
  - The software may contain bugs. Enabling a feature may expose bugs. A feature may be disabled by default.
  - Support for a feature may be dropped at any time without notice.
  - The API may change in incompatible ways in a later software release without notice.
  - Because of the higher risk of bugs and the lack of long-term support, this software is recommended only for short-lived test clusters.
- Beta:
  - The version name contains beta (for example, v2beta3).
  - The software has been thoroughly tested. Enabling a feature is considered safe. Features are enabled by default.
  - Although details may change, support for the feature will not be dropped.
  - The schema and/or semantics of objects may change in incompatible ways in a subsequent beta or stable release. When this happens, migration instructions are provided. You may need to delete, edit, and recreate API objects during migration. The editing process may require some thought. Applications that rely on the feature may require downtime.
  - This software is recommended for non-business-critical use only, because incompatible changes may occur in subsequent releases. This restriction can be relaxed if you have multiple clusters that can be upgraded independently.
  Note: Please try out beta features and provide feedback. It may not be practical to make changes after a feature is out of beta.
- Stable:
  - The version name is vX, where X is an integer.
  - Stable versions of features continue to appear in released software for many subsequent versions.
API structure composition
https://127.0.0.1:6443/api/v1/pods
Description | Component |
---|---|
API Server address | https://127.0.0.1:6443/ |
Core API group | api/v1 |
API Object | pods |
https://127.0.0.1:6443/apis/extensions/v1beta/deployments
Description | Component |
---|---|
API Server address | https://127.0.0.1:6443/ |
API group prefix (named groups) | apis |
API Group name | extensions |
API Version | v1beta |
API Object | deployments |
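Added example (not from the original page): a Python sketch that splits request paths into the parts tabulated above, derives apiVersion = group/version, and flags calls to alpha or beta APIs using the version naming rules from the level summary. The sample URIs and function names are constructed for illustration; subresources are not modelled.

```python
import re
from urllib.parse import urlsplit

# Version names as described above: vX (stable), vXbetaY, vXalphaY.
VERSION_RE = re.compile(r"^v\d+(?:(alpha|beta)\d+)?$")

def stability(version):
    """Map a version name to 'alpha', 'beta', 'stable' or 'unknown'."""
    m = VERSION_RE.match(version)
    return (m.group(1) or "stable") if m else "unknown"

def parse_api_path(url):
    """Split a URL or path into its API parts; None for paths such as /healthz."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    if len(parts) >= 2 and parts[0] == "api":       # core group: /api/VERSION/...
        group, version, rest = "", parts[1], parts[2:]
    elif len(parts) >= 3 and parts[0] == "apis":    # named: /apis/GROUP/VERSION/...
        group, version, rest = parts[1], parts[2], parts[3:]
    else:
        return None
    namespace = None
    if len(rest) >= 3 and rest[0] == "namespaces":  # /namespaces/NS/RESOURCE[/NAME]
        namespace, rest = rest[1], rest[2:]
    return {
        "apiVersion": f"{group}/{version}" if group else version,
        "group": group,
        "level": stability(version),
        "namespace": namespace,
        "resource": rest[0] if rest else None,
        "name": rest[1] if len(rest) > 1 else None,
    }

def prerelease_calls(urls):
    """(url, apiVersion, level) for each request that hits an alpha or beta API."""
    parsed = ((u, parse_api_path(u)) for u in urls)
    return [(u, i["apiVersion"], i["level"]) for u, i in parsed
            if i and i["level"] in ("alpha", "beta")]

# Constructed sample request URIs, in the shape an audit log records them.
SAMPLE = [
    "https://127.0.0.1:6443/api/v1/pods",
    "/apis/extensions/v1beta1/deployments",
    "/apis/apps/v1/namespaces/default/deployments/web",
    "/apis/batch/v2alpha1/namespaces/ci/cronjobs",
    "/healthz",
]

if __name__ == "__main__":
    print(prerelease_calls(SAMPLE))
```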
API Version iteration
Alpha level: v1alpha1 -> v1alpha2 -> ... -> v1alphaN
Beta level: v1beta1 -> v1beta2
Stable level: v1
API Version List
API group
The API group is part of the apiVersion: apiVersion = APIgroup/version
$ kubectl api-versions
admissionregistration.k8s.io/v1
admissionregistration.k8s.io/v1beta1
apiextensions.k8s.io/v1
apiextensions.k8s.io/v1beta1
apiregistration.k8s.io/v1
apiregistration.k8s.io/v1beta1
apps/v1
authentication.k8s.io/v1
authentication.k8s.io/v1beta1
authorization.k8s.io/v1
authorization.k8s.io/v1beta1
autoscaling/v1
autoscaling/v2beta1
autoscaling/v2beta2
batch/v1
batch/v1beta1
certificates.k8s.io/v1beta1
coordination.k8s.io/v1
coordination.k8s.io/v1beta1
discovery.k8s.io/v1beta1
events.k8s.io/v1beta1
extensions/v1beta1
networking.k8s.io/v1
networking.k8s.io/v1beta1
node.k8s.io/v1beta1
policy/v1beta1
rbac.authorization.k8s.io/v1
rbac.authorization.k8s.io/v1beta1
scheduling.k8s.io/v1
scheduling.k8s.io/v1beta1
storage.k8s.io/v1
storage.k8s.io/v1beta1
v1
For the core group (v1), the group name can generally be left empty.
The API list figure
Resources
$ kubectl api-resources -o wide
NAME | SHORTNAMES | APIGROUP | NAMESPACED | KIND | VERBS |
---|---|---|---|---|---|
bindings | | | true | Binding | [create] |
componentstatuses | cs | | false | ComponentStatus | [get list] |
configmaps | cm | | true | ConfigMap | [create delete deletecollection get list patch update watch] |
endpoints | ep | | true | Endpoints | [create delete deletecollection get list patch update watch] |
events | ev | | true | Event | [create delete deletecollection get list patch update watch] |
limitranges | limits | | true | LimitRange | [create delete deletecollection get list patch update watch] |
namespaces | ns | | false | Namespace | [create delete get list patch update watch] |
nodes | no | | false | Node | [create delete deletecollection get list patch update watch] |
persistentvolumeclaims | pvc | | true | PersistentVolumeClaim | [create delete deletecollection get list patch update watch] |
persistentvolumes | pv | | false | PersistentVolume | [create delete deletecollection get list patch update watch] |
pods | po | | true | Pod | [create delete deletecollection get list patch update watch] |
podtemplates | | | true | PodTemplate | [create delete deletecollection get list patch update watch] |
replicationcontrollers | rc | | true | ReplicationController | [create delete deletecollection get list patch update watch] |
resourcequotas | quota | | true | ResourceQuota | [create delete deletecollection get list patch update watch] |
secrets | | | true | Secret | [create delete deletecollection get list patch update watch] |
serviceaccounts | sa | | true | ServiceAccount | [create delete deletecollection get list patch update watch] |
services | svc | | true | Service | [create delete get list patch update watch] |
mutatingwebhookconfigurations | | admissionregistration.k8s.io | false | MutatingWebhookConfiguration | [create delete deletecollection get list patch update watch] |
validatingwebhookconfigurations | | admissionregistration.k8s.io | false | ValidatingWebhookConfiguration | [create delete deletecollection get list patch update watch] |
customresourcedefinitions | crd,crds | apiextensions.k8s.io | false | CustomResourceDefinition | [create delete deletecollection get list patch update watch] |
apiservices | | apiregistration.k8s.io | false | APIService | [create delete deletecollection get list patch update watch] |
controllerrevisions | | apps | true | ControllerRevision | [create delete deletecollection get list patch update watch] |
daemonsets | ds | apps | true | DaemonSet | [create delete deletecollection get list patch update watch] |
deployments | deploy | apps | true | Deployment | [create delete deletecollection get list patch update watch] |
replicasets | rs | apps | true | ReplicaSet | [create delete deletecollection get list patch update watch] |
statefulsets | sts | apps | true | StatefulSet | [create delete deletecollection get list patch update watch] |
tokenreviews | | authentication.k8s.io | false | TokenReview | [create] |
localsubjectaccessreviews | | authorization.k8s.io | true | LocalSubjectAccessReview | [create] |
selfsubjectaccessreviews | | authorization.k8s.io | false | SelfSubjectAccessReview | [create] |
selfsubjectrulesreviews | | authorization.k8s.io | false | SelfSubjectRulesReview | [create] |
subjectaccessreviews | | authorization.k8s.io | false | SubjectAccessReview | [create] |
horizontalpodautoscalers | hpa | autoscaling | true | HorizontalPodAutoscaler | [create delete deletecollection get list patch update watch] |
cronjobs | cj | batch | true | CronJob | [create delete deletecollection get list patch update watch] |
jobs | | batch | true | Job | [create delete deletecollection get list patch update watch] |
certificatesigningrequests | csr | certificates.k8s.io | false | CertificateSigningRequest | [create delete deletecollection get list patch update watch] |
leases | | coordination.k8s.io | true | Lease | [create delete deletecollection get list patch update watch] |
endpointslices | | discovery.k8s.io | true | EndpointSlice | [create delete deletecollection get list patch update watch] |
events | ev | events.k8s.io | true | Event | [create delete deletecollection get list patch update watch] |
ingresses | ing | extensions | true | Ingress | [create delete deletecollection get list patch update watch] |
ingresses | ing | networking.k8s.io | true | Ingress | [create delete deletecollection get list patch update watch] |
networkpolicies | netpol | networking.k8s.io | true | NetworkPolicy | [create delete deletecollection get list patch update watch] |
runtimeclasses | | node.k8s.io | false | RuntimeClass | [create delete deletecollection get list patch update watch] |
poddisruptionbudgets | pdb | policy | true | PodDisruptionBudget | [create delete deletecollection get list patch update watch] |
podsecuritypolicies | psp | policy | false | PodSecurityPolicy | [create delete deletecollection get list patch update watch] |
clusterrolebindings | | rbac.authorization.k8s.io | false | ClusterRoleBinding | [create delete deletecollection get list patch update watch] |
clusterroles | | rbac.authorization.k8s.io | false | ClusterRole | [create delete deletecollection get list patch update watch] |
rolebindings | | rbac.authorization.k8s.io | true | RoleBinding | [create delete deletecollection get list patch update watch] |
roles | | rbac.authorization.k8s.io | true | Role | [create delete deletecollection get list patch update watch] |
priorityclasses | pc | scheduling.k8s.io | false | PriorityClass | [create delete deletecollection get list patch update watch] |
csidrivers | | storage.k8s.io | false | CSIDriver | [create delete deletecollection get list patch update watch] |
csinodes | | storage.k8s.io | false | CSINode | [create delete deletecollection get list patch update watch] |
storageclasses | sc | storage.k8s.io | false | StorageClass | [create delete deletecollection get list patch update watch] |
volumeattachments | | storage.k8s.io | false | VolumeAttachment | [create delete deletecollection get list patch update watch] |
Kubernetes 1.17 version
Verbs
[create delete deletecollection get list patch update watch]
Kubernetes 1.17 version
Role examples
The following examples show only the rules section. This one allows reading Pods in the core API group:
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
Allows reading/writing “deployments” resources in the “extensions” and “apps” API groups:
rules:
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Allows reading “pods” and reading/writing “jobs”:
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["batch", "extensions"]
  resources: ["jobs"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Allows reading a ConfigMap named “my-config” (must be bound with a RoleBinding to limit it to a single ConfigMap in a single namespace):
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["my-config"]
  verbs: ["get"]
Allows reading “nodes” resources in the core group (because nodes are cluster-scoped, this must be in a ClusterRole bound with a ClusterRoleBinding):
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
Allows “GET” and “POST” requests to the non-resource endpoint “/healthz” and all of its subpaths (must be in a ClusterRole bound with a ClusterRoleBinding):
rules:
- nonResourceURLs: ["/healthz", "/healthz/*"] # '*' in a nonResourceURL is a suffix glob match
  verbs: ["get", "post"]
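Added example (not from the original page, and not Kubernetes' own code): a simplified Python model of how the rule examples above are matched against a request, covering the core group "", resourceNames and the nonResourceURLs suffix glob. The rules are copied from this page; the requests and function names are constructed, and bindings, namespaces and subresources are not modelled.

```python
# Rules copied from the examples on this page, written as Python dicts.
RULES = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["batch", "extensions"], "resources": ["jobs"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": ["my-config"], "verbs": ["get"]},
    {"nonResourceURLs": ["/healthz", "/healthz/*"], "verbs": ["get", "post"]},
]

def _has(values, wanted):  # the field lists the value or the '*' wildcard
    return "*" in values or wanted in values

def _url_matches(patterns, path):
    """Exact match, or prefix match when the pattern ends in '*'."""
    return any(p == path or (p.endswith("*") and path.startswith(p[:-1]))
               for p in patterns)

def rule_allows(rule, req):
    """Check one rule against one request (no bindings, no subresources)."""
    if not _has(rule.get("verbs", []), req["verb"]):
        return False
    if "path" in req:  # non-resource request such as /healthz
        return _url_matches(rule.get("nonResourceURLs", []), req["path"])
    if not (_has(rule.get("apiGroups", []), req["group"])
            and _has(rule.get("resources", []), req["resource"])):
        return False
    # Empty resourceNames covers every object; otherwise the name must be listed.
    names = rule.get("resourceNames", [])
    return not names or req.get("name", "") in names

def is_allowed(rules, req):
    """Rules are additive: one matching rule allows, no match means deny."""
    return any(rule_allows(r, req) for r in rules)

# Constructed requests: resource requests carry group/resource/name, others a path.
REQUESTS = {
    "list pods": {"verb": "list", "group": "", "resource": "pods"},
    "delete pod": {"verb": "delete", "group": "", "resource": "pods", "name": "web-0"},
    "get my-config": {"verb": "get", "group": "", "resource": "configmaps", "name": "my-config"},
    "get other configmap": {"verb": "get", "group": "", "resource": "configmaps", "name": "other"},
    "probe subpath": {"verb": "get", "path": "/healthz/ready"},
    "scrape metrics": {"verb": "get", "path": "/metrics"},
}

def evaluate(rules=RULES, requests=REQUESTS):
    return {label: is_allowed(rules, req) for label, req in requests.items()}
```

Calling evaluate() returns the allow/deny decision for each constructed request.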