Kubernetes API Server YAML Deep Dive: What Each Line Means



The kube-apiserver is the core component of the Kubernetes control plane and the gateway for all cluster operations. It exposes the Kubernetes REST API and, for every request, authenticates the caller, authorizes the action, runs admission control (validating and, where configured, mutating the object), and only then persists the new cluster state in etcd.

Key functions of the API server:

  • Cluster Gateway: Handles all interactions between users, controllers, and worker nodes.

  • Authentication & Authorization: Verifies who the caller is (client certificates, bearer and bootstrap tokens, service account tokens) and what that caller may do (RBAC and the Node authorizer).

  • State Management: Reads and writes cluster data in etcd.

  • Scaling & Extensibility: The single point through which controllers, the scheduler, kubelets, and operators watch and update cluster state; nothing else talks to etcd directly.

The API server ensures the cluster remains functional, secure, and responsive, making it the heart of Kubernetes operations.

Below is a section-by-section walkthrough of the kube-apiserver.yaml static Pod manifest that kubeadm writes to /etc/kubernetes/manifests/ on each control plane node. The kubelet reads this file directly from disk, so the Pod is not created through the API like an ordinary workload, and editing the file changes the running API server.

1. Basic Information

  • apiVersion: v1 → The API group and version of this resource (Pod belongs to the core v1 API).

  • kind: Pod → Specifies that this resource defines a Pod.


2. Metadata

  • annotations → Arbitrary key-value metadata. kubeadm writes kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 172.30.1.2:6443 to record the address and port on which this control plane node's API server is reachable, and reads it back later (for example during upgrades).

  • labels → Key-value pairs used for identifying and grouping resources. component: kube-apiserver → Identifies this as the API server. tier: control-plane → Indicates that this is a control plane component.

  • name: kube-apiserver → The Pod’s name.

  • namespace: kube-system → The Pod runs in the kube-system namespace, reserved for system components.


3. Containers (Main API Server Container)

  • command → The container's entrypoint and arguments: the kube-apiserver binary followed by its flags (each flag takes two leading dashes; a single dash is not accepted). kubeadm sets more flags than are covered here; the security-relevant ones in this manifest are:

  • --advertise-address=172.30.1.2 → The IP the API server advertises to other cluster members. It must be reachable from every node and is the address the kubeadm annotation and the health probes use.

  • --allow-privileged=true → Permits Pods with privileged: true. Network and storage plugins need this, so it is on in practically every cluster; what actually stops ordinary workloads from requesting privilege is RBAC plus admission policy (Pod Security Admission or an equivalent), not this flag.

  • --authorization-mode=Node,RBAC → Authorizers are consulted in this order: Node grants each kubelet access only to the objects related to Pods bound to its own node, RBAC handles everything else. AlwaysAllow must never appear here.

  • --client-ca-file=/etc/kubernetes/pki/ca.crt → The CA used to verify client certificates presented for authentication. Any certificate that chains to this CA is accepted, with its CN as the user name and its O fields as group names, so the CA private key is as sensitive as cluster-admin credentials.

  • --enable-admission-plugins=NodeRestriction → Adds NodeRestriction to the default set of admission plugins. It limits a kubelet to modifying its own Node object and the Pods scheduled to it, so a compromised node cannot tamper with other nodes' workloads or labels.

  • --enable-bootstrap-token-auth=true → Accepts bootstrap tokens (the kubeadm join flow), which are stored as Secrets in kube-system. They carry a TTL; delete any that are still valid once the node has joined.

  • --etcd-servers=https://127.0.0.1:2379 → The etcd endpoint that stores all cluster state, reached over TLS on localhost. The client certificate for this connection is set by the separate --etcd-cafile, --etcd-certfile and --etcd-keyfile flags.

  • --service-cluster-ip-range=10.96.0.0/12 → The CIDR from which Service ClusterIPs are allocated; it must not overlap the Pod or node networks.

  • --tls-cert-file=/etc/kubernetes/pki/apiserver.crt → The serving certificate presented to clients on port 6443; the matching private key is given by --tls-private-key-file.


4. Image and Image Pull Policy

  • image → The kube-apiserver image from the Kubernetes image registry (registry.k8s.io), tagged with the exact Kubernetes version kubeadm installed.

  • imagePullPolicy: IfNotPresent → Pulls the image only if it is not already present on the node. That is safe because the tag is version-pinned; with a mutable tag such as latest this policy would never pick up a patched image.


5. Health Probes

  • livenessProbe → Decides whether the container must be restarted. It sends an HTTPS GET to /livez on 172.30.1.2:6443; the probe names the node IP explicitly because the Pod runs with hostNetwork.

  • readinessProbe → Decides whether the API server is ready to serve. It checks /readyz, which also starts failing while the server is shutting down so that load balancers stop sending it traffic.

  • startupProbe → Also checks /livez, but with a much larger failure threshold, so a slow start (for example waiting for etcd) does not trip the liveness probe and restart the server in a loop.


6. Volumes

  • volumes and volumeMounts → Expose the host's certificate directories to the container: /etc/kubernetes/pki (the cluster CA, the API server's serving certificate and its private keys) and the system CA bundles. kubeadm mounts them readOnly: true, and that is the setting to check: the server never needs to write to them, and a writable mount would let a compromised API server container replace the cluster CA.

  • hostPath → Maps a directory from the host filesystem into the container. Beyond these certificate directories the API server needs no host paths; anything broader widens what a container escape can reach.


7. Security Settings

  • hostNetwork: true → The Pod uses the node's network namespace, so the server listens directly on the node IP at port 6443 and needs no CNI plugin (which cannot be running before the API server is up). The trade-off is that NetworkPolicy generally does not apply to hostNetwork Pods, so access to 6443 must be controlled with host firewalls and the authentication and authorization layers above.

  • priorityClassName: system-node-critical → The highest built-in priority, so the kubelet never evicts this Pod under resource pressure.

  • securityContext.seccompProfile.type: RuntimeDefault → Applies the container runtime's default seccomp profile, which blocks syscalls a normal workload never needs, instead of running unconfined. Seccomp is one layer only: the Pod still has hostPath access to the cluster's keys, so RBAC and the admission plugins above remain the primary controls.
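The settings walked through above are what a reviewer checks on a control plane node. As an added example (not from the article, and not kubeadm's own tooling), the following POSIX sh script builds a minimal kubeadm-style manifest from the values discussed here and audits it: authorizer list, admission plugins, etcd transport, client CA, and read-only mounts. The manifest is constructed and written to a temporary file so the script runs offline; the image tag is an assumption, and on a real node you would point MANIFEST at /etc/kubernetes/manifests/kube-apiserver.yaml instead.

```shell
#!/bin/sh
# Added example: minimal kubeadm-style kube-apiserver static Pod manifest
# built from the article's values (image tag is an assumption), plus checks
# of its security-relevant settings. Replace the heredoc with the real file
# at /etc/kubernetes/manifests/kube-apiserver.yaml on a control plane node.
MANIFEST="$(mktemp)"
trap 'rm -f "$MANIFEST"' EXIT
cat >"$MANIFEST" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 172.30.1.2:6443
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - name: kube-apiserver
    image: registry.k8s.io/kube-apiserver:v1.30.0
    imagePullPolicy: IfNotPresent
    command:
    - kube-apiserver
    - --advertise-address=172.30.1.2
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-servers=https://127.0.0.1:2379
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    livenessProbe:
      httpGet: {host: 172.30.1.2, path: /livez, port: 6443, scheme: HTTPS}
    readinessProbe:
      httpGet: {host: 172.30.1.2, path: /readyz, port: 6443, scheme: HTTPS}
    volumeMounts:
    - {mountPath: /etc/kubernetes/pki, name: k8s-certs, readOnly: true}
    - {mountPath: /etc/ssl/certs, name: ca-certs, readOnly: true}
  hostNetwork: true
  priorityClassName: system-node-critical
  securityContext:
    seccompProfile: {type: RuntimeDefault}
  volumes:
  - {name: k8s-certs, hostPath: {path: /etc/kubernetes/pki, type: DirectoryOrCreate}}
  - {name: ca-certs, hostPath: {path: /etc/ssl/certs, type: DirectoryOrCreate}}
EOF

# apiserver_flag NAME: print the value of --NAME=... from the command list
# (empty when the flag is absent, meaning the binary's default applies).
apiserver_flag() {
  sed -n "s/^ *- --$1=\(.*\)/\1/p" "$MANIFEST" | head -n 1
}

# flag_has NAME A,B: succeed when every listed item is in the flag's
# comma-separated value, e.g. flag_has authorization-mode Node,RBAC.
flag_has() {
  value="$(apiserver_flag "$1")"
  for want in $(printf '%s' "$2" | tr ',' ' '); do
    case ",$value," in *",$want,"*) ;; *) return 1 ;; esac
  done
  return 0
}
flag_lacks() { ! flag_has "$1" "$2"; }

# flag_matches NAME PATTERN: succeed when the flag value matches a shell glob.
flag_matches() {
  case "$(apiserver_flag "$1")" in $2) return 0 ;; *) return 1 ;; esac
}

# all_mounts_readonly: every volumeMount carries readOnly: true (counts the
# mountPath and readOnly lines; sufficient for kubeadm's one-mount-per-line layout).
all_mounts_readonly() {
  [ "$(grep -c 'mountPath:' "$MANIFEST")" -gt 0 ] &&
  [ "$(grep -c 'mountPath:' "$MANIFEST")" -eq "$(grep -c 'readOnly: true' "$MANIFEST")" ]
}

# report NAME CMD...: run CMD, print PASS/FAIL, count failures in $fails.
report() {
  name=$1; shift
  if "$@"; then echo "PASS $name"; else echo "FAIL $name"; fails=$((fails + 1)); fi
}

# audit_apiserver: the checks a reviewer of this file cares about;
# succeeds only when all of them pass.
audit_apiserver() {
  fails=0
  report "Node and RBAC authorizers enabled" flag_has authorization-mode Node,RBAC
  report "AlwaysAllow authorizer absent" flag_lacks authorization-mode AlwaysAllow
  report "NodeRestriction admission plugin enabled" flag_has enable-admission-plugins NodeRestriction
  report "client CA configured" flag_matches client-ca-file '*.crt'
  report "etcd reached over TLS" flag_matches etcd-servers 'https://*'
  report "hostPath mounts are read-only" all_mounts_readonly
  echo "NOTE allow-privileged=$(apiserver_flag allow-privileged): only admission policy keeps workloads from using it"
  [ "$fails" -eq 0 ]
}

audit_apiserver
```

The flag lookup returns an empty string for anything the manifest does not set, which is the case worth noticing: an absent flag means the kube-apiserver default applies, so a check for a flag the manifest never mentions should be written against the known default rather than assumed to pass.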


Summary

The YAML file above defines the Kubernetes API server Pod, which:

  • Runs in the control plane.

  • Uses RBAC and TLS for security.

  • Connects to etcd for storing cluster state.

  • Performs health checks to ensure reliability.

  • Mounts certificates for secure communication.
