
I'm trying to get all the secrets in the cluster of type helm.sh/release.v1:

$ curl -X GET $APISERVER/api/v1/secrets --header "Authorization: Bearer $TOKEN" --insecure
{
  "kind": "SecretList",
  "apiVersion": "v1",
  "metadata": {
    "selfLink": "/api/v1/secrets",
    "resourceVersion": "442181"
  },
  "items": [
    {
      "metadata": {
         ...
      },
      "data": {
         ...
      },
      "type": "helm.sh/release.v1"
    },
    {
      "metadata": {
         ...
      },
      "data": {
         ...
      },
      "type": "kubernetes.io/service-account-token"
    },
    {
      "metadata": {
         ...
      },
      "data": {
         ...
      },
      "type": "kubernetes.io/service-account-token"
    },
    ...
}

I can use the command above and then filter by myself (jq or whatever) but I wonder if there's an option to filter in the API by adding query parameters or something, for example (didn't work):

curl -X GET $APISERVER/api/v1/secrets?type=<value>

Any idea how to filter by a specific field (type)? Can I also request specific fields in the response (if I don't care about the data, for instance)?

ItayB
  • does it need to be REST? – suren Dec 27 '20 at 11:56
  • @suren yes, I'm using HTTP requests within my application. What are you suggesting? gRPC? – ItayB Dec 27 '20 at 12:18
  • I was thinking jsonpath, but it seems you are trying to get this info from another pod? Not a good idea to configure kubectl within a pod. Now, jq is a recommended way from Kubernetes, so nothing wrong with it. – suren Dec 27 '20 at 13:42
  • So, `JSON_OBJECT| jq -r '.items[] | select(.type=="helm.sh/release.v1").data'` is neat. – suren Dec 27 '20 at 13:47
  • @suren first, thanks for your comments! I'm not going to use `kubectl` - I'm going to use HTTP requests from my application (python) that runs within a pod in the cluster. I am trying to be more efficient and ask only for what I need (only specific type and not all secrets in the cluster) – ItayB Dec 27 '20 at 13:51
  • Makes sense. You could also mount all the secrets in that one pod, and have it from the beginning. Or have a kubectl image to run in an `initContainer`, to pick all the info up and make it available for the pod. Since the `initContainer` will complete, there are no security issues. – suren Dec 27 '20 at 14:43

1 Answer

> I'm going to use HTTP requests from my application (python) that runs within a pod in the cluster. I am trying to be more efficient and ask only for what I need (only specific type and not all secrets in the cluster)

If your application is written in Python, maybe it's a good idea to use the Kubernetes Python Client library to get the secrets?

If you want to get all the secrets in the cluster of type helm.sh/release.v1, you can do it with the following Python code:

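from kubernetes import client, config

# Reads the local kubeconfig; inside a pod, config.load_incluster_config()
# loads the mounted service account credentials instead.
config.load_kube_config()
v1 = client.CoreV1Api()
# The API server applies the field selector, so only matching secrets are returned
list_secrets = v1.list_secret_for_all_namespaces(field_selector='type=helm.sh/release.v1')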

If you also want to count them, use:

print(len(list_secrets.items))

To print a secret's name, use:

print(list_secrets.items[0].metadata.name)

To retrieve its data:

print(list_secrets.items[0].data)

and so on...

More details, including arguments that can be used with this method, you can find here (just search for list_secret_for_all_namespaces):

# **list_secret_for_all_namespaces**
> V1SecretList list_secret_for_all_namespaces(allow_watch_bookmarks=allow_watch_bookmarks, _continue=_continue, field_selector=field_selector, label_selector=label_selector, limit=limit, pretty=pretty, resource_version=resource_version, timeout_seconds=timeout_seconds, watch=watch)
mario
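
The REST form of the same server-side filter, as an added example that is not part of the original answer or of the Kubernetes client library: it sends `fieldSelector=type=...` as a query parameter, and goes beyond the answer by asking for metadata only through the `PartialObjectMetadataList` Accept header, following `continue` pagination, and verifying TLS against the cluster CA instead of using `--insecure`. The function names, the `fetch` hook and any sample values are assumptions made for this example.

```python
# Added example: function names and the fetch hook are hypothetical.
import json
import ssl
import urllib.parse
import urllib.request

# Standard mount point of the pod's service account credentials
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
# Ask the API server for object metadata only, so Secret "data" is never sent
METADATA_ONLY = "application/json;as=PartialObjectMetadataList;g=meta.k8s.io;v=v1"


def build_request(apiserver, token, secret_type, limit=100, cont=None, metadata_only=True):
    """Build a GET for /api/v1/secrets filtered server-side by Secret type."""
    params = {"fieldSelector": f"type={secret_type}", "limit": str(limit)}
    if cont:
        params["continue"] = cont  # opaque paging token from the previous page
    url = f"{apiserver.rstrip('/')}/api/v1/secrets?{urllib.parse.urlencode(params)}"
    headers = {
        "Authorization": f"Bearer {token}",
        "Accept": METADATA_ONLY if metadata_only else "application/json",
    }
    return urllib.request.Request(url, headers=headers, method="GET")


def http_fetch(request):
    """Send the request, verifying the API server certificate against the cluster CA."""
    ctx = ssl.create_default_context(cafile=f"{SA_DIR}/ca.crt")
    with urllib.request.urlopen(request, context=ctx, timeout=10) as resp:
        return json.load(resp)


def list_secret_names(apiserver, token, secret_type, fetch=http_fetch, limit=100):
    """Return (namespace, name) for every matching Secret, following pagination."""
    found, cont = [], None
    while True:
        page = fetch(build_request(apiserver, token, secret_type, limit, cont))
        for item in page.get("items", []):
            meta = item["metadata"]
            found.append((meta["namespace"], meta["name"]))
        cont = page.get("metadata", {}).get("continue")
        if not cont:  # no token means this was the last page
            return found
```

Inside a pod, `apiserver` is `https://kubernetes.default.svc` and the token is the content of `SA_DIR/token`. The service account still needs RBAC `list` on secrets, and that verb alone is enough to read Secret contents, so the grant should be scoped as narrowly as the application allows.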