このコンテンツは選択した言語では利用できません。

Chapter 1. Overview


 
The OpenShift Container Platform distribution of Kubernetes includes the Kubernetes v1 REST API and the OpenShift v1 REST API. These are RESTful APIs accessible via HTTP(s) on the OpenShift Container Platform master servers.

These REST APIs can be used to manage end-user applications, the cluster, and the users of the cluster.

1.1. Authentication

API calls must be authenticated with an access token or X.509 certificate. See Authentication in the Architecture documentation for an overview.

This section highlights the token authentication method. With token authentication, a bearer token must be passed in as an HTTP Authorization header. There are two types of access tokens: session and service account.

1.1.1. Session Tokens

A session token is short-lived, expiring within 24 hours by default. It represents a user. After logging in, the session token may be obtained with the oc whoami command:

$ oc login -u test_user
Using project "test".
$ oc whoami --token
dIAo76N-W-GXK3S_w_KsC6DmH3MzP79zq7jbMQvCOUo

1.1.2. Service Account Tokens

Service account tokens are long-lived tokens. They are JSON Web Token (JWT) formatted tokens and are much longer strings than session tokens. See Using a Service Account’s Credentials Externally for steps on using these tokens to authenticate using the CLI.

A service account token may be obtained with these commands:

  1. Create a service account in the current project (test) named robot:

    $ oc create serviceaccount robot
    serviceaccount "robot" created
  2. Grant a role to the service account. In this example, assign the robot service account in the test project the admin role:

    $ oc policy add-role-to-user admin system:serviceaccounts:test:robot
  3. Get the token value:

    $ oc serviceaccounts get-token robot
    eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJpc3YtY2VydCIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJpbWctYnVpbGQtdG9rZW4teG1rMHciLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoiaW1nLWJ1aWxkIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiYTJmNzM0NWMtNDA4Zi0xMWU3LTg1NTktMDAxYTRhZTBkZjQ1Iiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50Omlzdi1jZXJ0OmltZy1idWlsZCJ9.Xt5cc9k7fucc7ZAYqt6cz6WvyDhbCZcfHXH-Ow6vStI4Gy7dS3qxIewcXFw8-h1_wkLRUYvyVVYDCRIIbmWL68ybzY2ND8FyuQwCOWP-2_vFvm8xmpjFURZwuNv-eGULNwzOfrSCIelqM2ImCYcM3tpbnyMPeW_KoSI4LGKxXZZqBIcpa9Xb0Zr225uhpZJ2tb_ItuqdOXPUC0GZdHbpbCI0I-Yu-IudCRBHZZ_2SlAi3vbJcvmjpXHfaz49enR602S8ztXF4gXG4_lXa0fS5QYtB0lnIv9q8HXzxKioG_P3O1yD1HqdLYXhZaMNDyg1Xm-5hAkfQ4A7UMPgK4a2zg

The token value may be used in an authorization header to authenticate API calls, the CLI or in the docker login command. Service accounts may be created and deleted as needed with the appropriate role(s) assigned. See Authorization in the Architecture documentation for a deeper discussion on roles.

1.2. Examples

These examples provide a quick reference for making successful REST API calls. They use insecure methods. In these examples, a simple GET call is made to list available resources.

1.2.1. cURL

Example 1.1. Request (Insecure)

$ curl -X GET -H "Authorization: Bearer <token>" https://openshift.redhat.com:8443/oapi/v1 --insecure

Example 1.2. Result (Truncated)

{
  "kind": "APIResourceList",
  "groupVersion": "v1",
  "resources": [
    {
      "name": "buildconfigs",
      "namespaced": true,
      "kind": "BuildConfig"
    },
    {
      "name": "buildconfigs/instantiate",
      "namespaced": true,
      "kind": "BuildRequest"
    },
    {
      "name": "buildconfigs/instantiatebinary",
      "namespaced": true,
      "kind": "BinaryBuildRequestOptions"
    },
    {
      "name": "buildconfigs/webhooks",
      "namespaced": true,
      "kind": "Status"
    },
    {
      "name": "builds",
      "namespaced": true,
      "kind": "Build"
    },
    ...
    {
      "name": "subjectaccessreviews",
      "namespaced": true,
      "kind": "SubjectAccessReview"
    },
    {
      "name": "templates",
      "namespaced": true,
      "kind": "Template"
    },
    {
      "name": "useridentitymappings",
      "namespaced": false,
      "kind": "UserIdentityMapping"
    },
    {
      "name": "users",
      "namespaced": false,
      "kind": "User"
    }
  ]
}

1.2.2. Python

Example 1.3. Interactive Python API Call Using "requests" Module (Insecure)

>>> import requests
>>> url = 'https://openshift.redhat.com:8443/oapi/v1'
>>> headers = {'Authorization': 'Bearer dIAo76N-W-GXK3S_w_KsC6DmH3MzP79zq7jbMQvCOUo'}
>>> requests.get(url, headers=headers, verify=False)
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:791: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
<Response [200]>

1.2.3. Docker Login

The OpenShift Container Platform integrated Docker registry must be authenticated using either a user session or service account token. The value of the token must be used as the value for the --password argument. The user and email argument values are ignored:

$ docker login -p <token_value> -u unused -e unused <registry>[:<port>]

1.3. Image Signatures

The OpenShift Container Registry allows the users to manipulate the image signatures using its own API. See Accessing Image Signatures Using Registry API for more information.

1.4. Websockets and Watching for Changes

The API is designed to work via the websocket protocol. API requests may take the form of "one-shot" calls to list resources or by passing in query parameter watch=true. When watching an endpoint, changes to the system may be observed through an open endpoint. Using callbacks, dynamic systems may be developed that integrate with the API.

For more information and examples, see the Mozilla Developer Network page on Writing WebSocket client applications.

Red Hat logoGithubRedditYoutubeTwitter

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

Red Hat をお使いのお客様が、信頼できるコンテンツが含まれている製品やサービスを活用することで、イノベーションを行い、目標を達成できるようにします。

多様性を受け入れるオープンソースの強化

Red Hat では、コード、ドキュメント、Web プロパティーにおける配慮に欠ける用語の置き換えに取り組んでいます。このような変更は、段階的に実施される予定です。詳細情報: Red Hat ブログ.

会社概要

Red Hat は、企業がコアとなるデータセンターからネットワークエッジに至るまで、各種プラットフォームや環境全体で作業を簡素化できるように、強化されたソリューションを提供しています。

© 2024 Red Hat, Inc.