Reputation: 2029
I have a k8s cluster mounted in an Amazon EC2 instance, and I want to configure the CI with GitLab. To do that, GitLab requested the Kubernetes API URL from me.
I ran kubectl cluster-info to get the requested information and I can see 3 rows:
I suppose that I need the Kubernetes master URL, but it is a private IP. How can I expose the API correctly?
Any ideas?
Upvotes: 1
Views: 671
Reputation: 691
Use kubectl config view to get the server address; it will look like server: https://172.26.2.101:6443.
First you need to define your public IP of the master node, or the load balancer if any, as a DNS Alternative. You can do this as follows:
Remove the current apiserver certificates:
sudo rm /etc/kubernetes/pki/apiserver.*
Generate new certificates:
sudo kubeadm init phase certs apiserver --apiserver-cert-extra-sans=<public_ip>
Then you have to capture your admin key, cert and the CA cert from the .kube/config file:
client-key-data:
echo -n "LS0...Cg==" | base64 -d > admin.key
client-certificate-data:
echo -n "LS0...Cg==" | base64 -d > admin.crt
certificate-authority-data:
echo -n "LS0...Cg==" | base64 -d > ca.crt
Now you can request your API through curl. The example below requests pod info:
curl https://<public_ip>:6443/api/v1/pods \
--key admin.key \
--cert admin.crt \
--cacert ca.crt
And of course, make sure you have allowed the required ports.
Upvotes: 0
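An added example, not part of the answer above or of any project's code: two shell helpers for the steps it describes, one that decodes a kubeconfig credential into a file only its owner can read, and one that confirms the regenerated apiserver certificate really lists the public IP before a client such as GitLab is pointed at it. The function names are hypothetical and 203.0.113.10 is a constructed placeholder for `<public_ip>`.

```sh
#!/bin/sh
# Added example; function names are hypothetical and 203.0.113.10 is a
# constructed placeholder address standing in for <public_ip>.

# kubeconfig_field FILE FIELD OUT
# Decode one base64 "*-data" field of a kubeconfig into OUT. OUT is created
# with mode 0600 so the admin key is never group- or world-readable.
# Takes the first matching field; fails if the decoded result is not PEM.
kubeconfig_field() {
    rm -f "$3"
    ( umask 077
      awk -v k="$2:" '$1 == k { print $2; exit }' "$1" | base64 -d > "$3" )
    grep -q -- '-----BEGIN ' "$3"
}

# san_has_ip IP
# Read `openssl x509 -noout -text` output on stdin and succeed only if IP
# appears as an exact "IP Address:" entry in the Subject Alternative Name
# extension (exact match, so 203.0.113.1 does not match 203.0.113.10).
san_has_ip() {
    awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fxq "IP Address:$1"
}

# Usage on the master node, after the certificate has been regenerated:
#   openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text \
#       | san_has_ip 203.0.113.10 || echo "public IP not in cert SANs" >&2
#   kubeconfig_field ~/.kube/config client-key-data            admin.key
#   kubeconfig_field ~/.kube/config client-certificate-data    admin.crt
#   kubeconfig_field ~/.kube/config certificate-authority-data ca.crt
```

If the SAN check fails, a curl call with --cacert ca.crt against the public address is rejected with a certificate name mismatch, which is the symptom to look for before suspecting the security group or firewall.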
Reputation: 44657
For better security, keep the IPs of the Kubernetes master nodes private and use a LoadBalancer provided by AWS to expose the Kubernetes API server. You could also configure TLS termination at the LoadBalancer.
Upvotes: 3