kube-apiserver is the central hub and access gateway to a Kubernetes cluster. This topic introduces the kube-apiserver component. This topic also describes the usage notes and release notes for kube-apiserver.
Introduction
kube-apiserver validates and configures data for the API objects, which include pods, Services, and ReplicationControllers. kube-apiserver serves REST operations and provides a frontend to the shared state of the cluster. All other components interact through this frontend.
Usage notes
kube-apiserver is automatically installed. You can use it without additional configurations.
Release notes
kube-apiserver is updated along with the Kubernetes version. For more information, see Overview of Kubernetes versions supported by ACK.
In clusters that run Kubernetes 1.20 or later and are created after February 2023, elastic network interfaces (ENIs), instead of Classic Load Balancer (CLB) instances, are used to expose Services in the default namespace. ENIs can be used to reduce performance costs caused by forwarding links.
Important: If the security group of a cluster forbids inbound traffic through port 6443 and the security group of the cluster nodes and containers that run on the nodes is different from the security group of the cluster, the system components of the cluster may fail to access the kube-apiserver of the cluster.
In clusters that run Kubernetes 1.20 or later and are created after November 2024, kubelet and kube-proxy access the API server through the ENI IP address obtained by resolving the domain name of the API server (apiserver.{Cluster ID}.{Region ID}.cs.aliyuncs.com), instead of the fixed IP address of the CLB instance. This improves the high availability (HA) of the cluster.
Important: If the security group of a cluster forbids inbound traffic through port 6443, the node may fail to access the API server.
The domain name of the API server (apiserver.{Cluster ID}.{Region ID}.cs.aliyuncs.com) is provided by ACK based on Private DNS and is created and managed by ACK. You can view the domain name in the Cloud Service Defined Zones section of the Alibaba Cloud DNS console.
Whether resolution of the API server domain name takes effect depends on the default internal DNS service addresses 100.100.2.136 and 100.100.2.138 configured in Alibaba Cloud VPC. If you have configured a custom IP address for the DNS server on the ECS instance, ensure that the domain name of the API server is resolved by the Private DNS service in the upstream virtual private cloud (VPC). Otherwise, your node may fail to access the API server. Proceed with caution.
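The conditions in the release notes above can be checked from a node before they cause an outage. The following script is an added example, not part of the original page or of ACK tooling: it flags DNS servers other than the VPC defaults, resolves the API server domain name, and tests TCP port 6443. The function names and the cluster ID and region ID arguments are assumptions, and it expects getent, awk, timeout and bash on the node.

```shell
#!/usr/bin/env bash
# Added example: node-side pre-flight check for API server reachability.
# Cluster ID and region ID are supplied by the operator on the command line.

# Default internal DNS service addresses in Alibaba Cloud VPC (from the text above).
VPC_DNS="100.100.2.136 100.100.2.138"

# Build the API server domain name from the cluster ID and region ID.
apiserver_domain() {
  printf 'apiserver.%s.%s.cs.aliyuncs.com\n' "$1" "$2"
}

# Print every nameserver in a resolv.conf-style file that is not a VPC default.
custom_nameservers() {
  awk -v defaults="$VPC_DNS" '
    BEGIN { n = split(defaults, d, " "); for (i = 1; i <= n; i++) ok[d[i]] = 1 }
    $1 == "nameserver" && !($2 in ok) { print $2 }
  ' "$1"
}

# Return 0 if a TCP connection to host:port succeeds within 3 seconds.
tcp_open() {
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

main() {
  local domain ip custom
  domain=$(apiserver_domain "$1" "$2")
  custom=$(custom_nameservers "${3:-/etc/resolv.conf}")
  if [ -n "$custom" ]; then
    echo "WARN: custom DNS servers in use:" $custom
    echo "      they must forward $domain to the VPC Private DNS service"
  fi
  ip=$(getent hosts "$domain" | awk 'NR == 1 { print $1 }')
  if [ -z "$ip" ]; then
    echo "FAIL: $domain does not resolve from this node"; return 1
  fi
  echo "OK: $domain resolves to $ip"
  if tcp_open "$ip" 6443; then
    echo "OK: TCP 6443 reachable on $ip"
  else
    echo "FAIL: TCP 6443 unreachable on $ip (check security group inbound rules)"
    return 1
  fi
}

# Run only when both IDs are given: ./check.sh <cluster-id> <region-id> [resolv.conf]
if [ "$#" -ge 2 ]; then main "$@"; fi
```

A resolution failure points at the DNS path (custom resolver not forwarding to Private DNS), while a successful resolution followed by a connection failure points at the security group rule for port 6443.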