Exploring Kubernetes API using Wireshark part 2: Namespaces

Related Articles:

Exploring Kubernetes API using Wireshark part 1: Creating, Listing and Deleting Pods

Exploring Kubernetes API using Wireshark part 3: Python Client API

Quick Intro

Using kubectl command is pretty useful:

When you execute the above command, kubectl sends a GET request to /api/v1/namespaces/default/pods:

Kubernetes master node replies with a JSON file containing all pods (along with their info) that belong to namespace 'default'.

In this article, I'm going to explain what Kubernetes namespaces are by showing you real HTTP traffic reaching Kubernetes master node.

I've removed the TLS complexity by using proxy so we can just focus on HTTP headers only.

Understanding namespaces

Initially, I'd say just memorise that /api/v1 is like the root directory of Kubernetes master node's API where client is going to retrieve all sorts of information.

Have you noticed the namespaces in /api/v1/namespaces/default/pods?

default just happens to be the namespace that our pods listed here belong to.

Think of namespaces for Kubernetes as virtual Kubernetes clusters just like Virtual Machines (VMs) for OS.

We can have identical objects with same name that belong to different namespaces and therefore are isolated from each other from the point of view of the API.

Creating a new custom namespace

I can create a new namespace like this using kubectl command:

I can then create the same identical pods from default namespace in rodrigo's namespace.

Let's see what happened under the hood when I typed the above command. 

When we create a new namespace, kubectl sends an HTTP POST request Kubernetes master node:

pcap: creating-rodrigo-namespace.pcap

The kubectl client then sends a JSON file like this in the POST request:

Then, Kubernetes Master responds with HTTP 201 Created message and another JSON file with all newly created namespace's info:

I've described some of the JSON info that came back from API just out of curiosity.

Note that many different objects are 'namespaced', i.e. they belong to a namespace. Others like nodes are namespace-independent.

I used pods as an example here to explain namespaces as pods are most popular and well-known object in Kubernetes world.

Keeping 2 identical pods in 2 namespaces

Let me create a new NGINX pod in the new namespace:

Ops! We need to specify that we're creating the same pod in the new namespace we've just created, otherwise it defaults to default namespace where the nginx pod already exists:

It now worked.

Let's list only pods from rodrigo's namespace only with kubectl:

When we capture the above request on Wireshark, we now see that our GET request to Kubernetes Master now uses rodrigo's namespace so we're now listing only pods from rodrigo namespace only :

We also have this same exact pod using same name in default namespace. Remember?

Deleting my custom namespace

Now, let's delete our pod:

And that's the API call under the hood (an HTTP DELETE request to complete path of namespace - just like we're deleting a folder):

pcap: deleting-namespace.pcap

Listing pods from all namespaces

If you're curious about how the URL would look like when we list pods from all namespaces with kubectl:

The answer is this:

This request will list all pods from all namespaces.

Troubleshooting Namespaces

Remember I mentioned the finalizer attribute? When I was creating this article and I tried to delete the my custom namespace (rodrigo), it got stuck in Terminating state:

Initially I thought it was just Google Cloud slowness but 40 minutes? That's a lot.

So I suspected it could be because of finalize attribute and googled it so found that it was a bug and here's the solution:

Retrieve namespace's JSON declaration to temporary file:

Delete kubernetes keyword from finalizers attribute:

Now send a PUT request to API and the JSON file above:

Then, when I looked back it was finally gone: