This post introduces the proxy subcommand of the oc command, which is used for all kinds of OpenShift operations.
proxy
oc proxy provides a proxied connection to the API server.
$ oc proxy --help
Creates a proxy server or application-level gateway between localhost and the Kubernetes API server. It also allows
serving static content over specified HTTP path. All incoming data enters through one port and gets forwarded to the
remote Kubernetes API server port, except for the path matching the static content path.
Examples:
# To proxy all of the Kubernetes API and nothing else
oc proxy --api-prefix=/
# To proxy only part of the Kubernetes API and also some static files
# You can get pods info with 'curl localhost:8001/api/v1/pods'
oc proxy --www=/my/files --www-prefix=/static/ --api-prefix=/api/
# To proxy the entire Kubernetes API at a different root
# You can get pods info with 'curl localhost:8001/custom/api/v1/pods'
oc proxy --api-prefix=/custom/
# Run a proxy to the Kubernetes API server on port 8011, serving static content from ./local/www/
oc proxy --port=8011 --www=./local/www/
# Run a proxy to the Kubernetes API server on an arbitrary local port
# The chosen port for the server will be output to stdout
oc proxy --port=0
# Run a proxy to the Kubernetes API server, changing the API prefix to k8s-api
# This makes e.g. the pods API available at localhost:8001/k8s-api/v1/pods/
oc proxy --api-prefix=/k8s-api
Options:
--accept-hosts='^localhost$,^127\.0\.0\.1$,^\[::1\]$':
Regular expression for hosts that the proxy should accept.
--accept-paths='^.*':
Regular expression for paths that the proxy should accept.
--address='127.0.0.1':
The IP address on which to serve on.
--api-prefix='/':
Prefix to serve the proxied API under.
--append-server-path=false:
If true, enables automatic path appending of the kube context server path to each request.
--disable-filter=false:
If true, disable request filtering in the proxy. This is dangerous, and can leave you vulnerable to XSRF
attacks, when used with an accessible port.
--keepalive=0s:
keepalive specifies the keep-alive period for an active network connection. Set to 0 to disable keepalive.
-p, --port=8001:
The port on which to run the proxy. Set to 0 to pick a random port.
--reject-methods='^$':
Regular expression for HTTP methods that the proxy should reject (example --reject-methods='POST,PUT,PATCH').
--reject-paths='^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach':
Regular expression for paths that the proxy should reject. Paths specified here will be rejected even accepted
by --accept-paths.
-u, --unix-socket='':
Unix socket on which to run the proxy.
-w, --www='':
Also serve static files from the given directory under the specified prefix.
-P, --www-prefix='/static/':
Prefix to serve static files under, if static file directory is specified.
Usage:
oc proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix] [options]
Use "oc options" for a list of global command-line options (applies to all commands).
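The filter options in the help text above (--accept-hosts, --accept-paths, --reject-paths, --reject-methods) decide which requests the proxy forwards to the API server. The following is an added example, not code from oc or from the original post: a shell model of that filter using the default values from the help output. It assumes the host is compared with any :port already removed, and the sample requests are constructed.

```shell
#!/bin/sh
# Model of the oc proxy request filter (added example, not the oc source).
# Defaults below are copied from the `oc proxy --help` output above.
ACCEPT_HOSTS='^localhost$,^127\.0\.0\.1$,^\[::1\]$'
ACCEPT_PATHS='^.*'
REJECT_PATHS='^/api/.*/pods/.*/exec,^/api/.*/pods/.*/attach'
REJECT_METHODS='^$'

# matches_any VALUE LIST: succeed if VALUE matches any regex in the
# comma-separated LIST. Runs in a subshell so IFS and noglob stay local.
matches_any() (
    IFS=,
    set -f
    for re in $2; do
        printf '%s\n' "$1" | grep -Eq -- "$re" && exit 0
    done
    exit 1
)

# proxy_accepts METHOD HOST PATH: reject rules are checked first, so they
# win over --accept-paths, as the help text states.
# Assumption: HOST is the Host header with any :port already removed.
proxy_accepts() {
    matches_any "$3" "$REJECT_PATHS" && return 1
    matches_any "$1" "$REJECT_METHODS" && return 1
    matches_any "$3" "$ACCEPT_PATHS" && matches_any "$2" "$ACCEPT_HOSTS"
}

# verdict METHOD HOST PATH: print "allow" or "deny".
verdict() {
    if proxy_accepts "$@"; then echo allow; else echo deny; fi
}

# Constructed sample requests, evaluated against the defaults.
POD=/api/v1/namespaces/demo/pods/web
verdict GET localhost /apis/operators.coreos.com
verdict GET other.example /apis/operators.coreos.com
verdict POST localhost "$POD/exec"
verdict DELETE localhost "$POD"

# Same DELETE with the help text's example method list, then with DELETE added.
(REJECT_METHODS='POST,PUT,PATCH'; verdict DELETE localhost "$POD")
(REJECT_METHODS='POST,PUT,PATCH,DELETE'; verdict DELETE localhost "$POD")
```

In this model the help text's example list POST,PUT,PATCH still lets DELETE through, so a proxy meant to be read-only needs DELETE in --reject-methods as well.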
OperatorHub APIs
Here we use it to inspect the OperatorHub APIs in an OCP 4.16 environment.
Without oc proxy
Without oc proxy, you can check them with a curl command using the following syntax.
$ curl -sk -H "Authorization: Bearer $(oc whoami -t)" $(oc whoami --show-server)/apis/operators.coreos.com
{
"kind": "APIGroup",
"apiVersion": "v1",
"name": "operators.coreos.com",
"versions": [
{
"groupVersion": "operators.coreos.com/v2",
"version": "v2"
},
{
"groupVersion": "operators.coreos.com/v1",
"version": "v1"
},
{
"groupVersion": "operators.coreos.com/v1alpha2",
"version": "v1alpha2"
},
{
"groupVersion": "operators.coreos.com/v1alpha1",
"version": "v1alpha1"
}
],
"preferredVersion": {
"groupVersion": "operators.coreos.com/v2",
"version": "v2"
}
}
With oc proxy
With oc proxy, the same check becomes even simpler.
$ oc proxy --port=8080 &
$ curl -s http://localhost:8080/apis/operators.coreos.com
{
"kind": "APIGroup",
"apiVersion": "v1",
"name": "operators.coreos.com",
"versions": [
{
"groupVersion": "operators.coreos.com/v2",
"version": "v2"
},
{
"groupVersion": "operators.coreos.com/v1",
"version": "v1"
},
{
"groupVersion": "operators.coreos.com/v1alpha2",
"version": "v1alpha2"
},
{
"groupVersion": "operators.coreos.com/v1alpha1",
"version": "v1alpha1"
}
],
"preferredVersion": {
"groupVersion": "operators.coreos.com/v2",
"version": "v2"
}
}
oc get --raw
The oc get command offers similar functionality through its --raw option.
$ oc get --raw /apis/operators.coreos.com | jq -r .
{
"kind": "APIGroup",
"apiVersion": "v1",
"name": "operators.coreos.com",
"versions": [
{
"groupVersion": "operators.coreos.com/v2",
"version": "v2"
},
{
"groupVersion": "operators.coreos.com/v1",
"version": "v1"
},
{
"groupVersion": "operators.coreos.com/v1alpha2",
"version": "v1alpha2"
},
{
"groupVersion": "operators.coreos.com/v1alpha1",
"version": "v1alpha1"
}
],
"preferredVersion": {
"groupVersion": "operators.coreos.com/v2",
"version": "v2"
}
}
Note that earlier versions of OCP / Kubernetes recorded the resource's own API URL in .metadata.selfLink, but the field was deprecated and removed.
# Pod example
$ oc explain pod.metadata.selfLink
KIND: Pod
VERSION: v1
FIELD: selfLink <string>
DESCRIPTION:
Deprecated: selfLink is a legacy read-only field that is no longer populated
by the system.