The k8s API server is the front-end to the k8s control plane in a Kubernetes cluster. It exposes the core component, the Kubernetes API, which accepts HTTP requests.
Communication with cluster resources
The API server communicates in two ways with the rest of the cluster:
- through the kubelets
- through kube-proxy (see Node to API communication)
API to kubelet
This type of communication is used primarily for:
- Fetching logs for pods.
- Attaching to running pods (usually through kubectl).
- Providing the kubelets' port-forwarding functionality.
These connections terminate at the HTTPS endpoints of the kubelet. Although the traffic is encrypted, by default the API server does NOT verify the kubelet's serving certificate, so the connection is exposed to man-in-the-middle attacks on an untrusted network. This behaviour can be overridden by supplying a root certificate bundle to the API server with the --kubelet-certificate-authority flag. Another approach is to use SSH tunneling.
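A small audit check for the setting just described, added here as an example and not code from the original page: it inspects a kube-apiserver command line (the `command` list from the static pod manifest, a constructed sample below) and reports whether --kubelet-certificate-authority is set, in either the `--flag=value` or `--flag value` form. The file paths are kubeadm-style sample values, not taken from any real cluster.

```python
"""Audit a kube-apiserver command line for kubelet serving-certificate
verification (the --kubelet-certificate-authority flag).

Constructed example: `command` is what you would find under
spec.containers[0].command in the kube-apiserver static pod manifest.
"""
from typing import Dict, List, Optional

FLAG = "--kubelet-certificate-authority"


def flag_value(command: List[str], flag: str) -> Optional[str]:
    """Return the value of `flag`, written as --flag=value or --flag value.
    Returns None when the flag is absent (the API server then has no CA
    bundle to check kubelet serving certificates against)."""
    for i, arg in enumerate(command):
        if arg == flag:
            return command[i + 1] if i + 1 < len(command) else ""
        if arg.startswith(flag + "="):
            return arg[len(flag) + 1:]
    return None


def audit_kubelet_tls(command: List[str]) -> Dict[str, object]:
    """Report whether API-server-to-kubelet connections verify the kubelet cert."""
    ca = flag_value(command, FLAG)
    if ca is None:
        return {"verified": False,
                "finding": f"{FLAG} not set: kubelet serving certificates are not verified"}
    if not ca.startswith("/"):
        return {"verified": False,
                "finding": f"{FLAG} should be an absolute CA bundle path, got {ca!r}"}
    return {"verified": True, "ca_bundle": ca, "finding": "ok"}


# Constructed sample: a kubeadm-style command line without the flag ...
INSECURE_DEFAULT = [
    "kube-apiserver",
    "--advertise-address=10.0.0.10",
    "--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt",
    "--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key",
]
# ... and the same command line with the CA bundle supplied.
HARDENED = INSECURE_DEFAULT + [f"{FLAG}=/etc/kubernetes/pki/ca.crt"]

if __name__ == "__main__":
    for name, cmd in (("default", INSECURE_DEFAULT), ("hardened", HARDENED)):
        print(name, audit_kubelet_tls(cmd))
```

The same check can be run against a live cluster by feeding it the `command` list from the kube-apiserver pod in the kube-system namespace.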
Konnectivity service - SSH tunnel replacement
Kubernetes supports SSH tunnels for node communication, but they are deprecated; the newer Konnectivity service replaces them. It is a TCP-level proxy with two components:
- server in the control plane network.
- agents in the node network. The agents initiate the connections to the server; once those connections are established, all control-plane-to-node traffic flows over them.
API to node, pod, service
By default, the API server connects directly to nodes, pods, and services over plain HTTP. Even when HTTPS is used for these connections, the serving certificate is not validated.