
Single-node K8s cluster: configuring external access to the API Server (port 6443)

Alright, let's break down how to get external access to your single-node Kubernetes API server via port 6443 (since 8080's tied up with Eureka). I'll walk you through creating the necessary service and handling the authentication bits with CA certs, keys, and tokens step by step:

Step 1: Verify Kube-API Server Endpoints

First, confirm the kube-apiserver is actively listening on 6443 and that the cluster recognizes its endpoints. Run this on your node:

kubectl get endpoints kubernetes -n default

You should see an entry with your node's IP and port 6443. If not, check your kube-apiserver config (usually in /etc/kubernetes/manifests/kube-apiserver.yaml) to ensure the --secure-port=6443 flag is set.

Step 2: Expose the API Server Externally via NodePort

The default kubernetes service already targets the kube-apiserver's 6443 port, but it's restricted to internal cluster access (ClusterIP). We'll adjust it to use NodePort for external access:

  1. Edit the default service:
kubectl edit service kubernetes -n default
  2. Find the spec.type field and change its value from ClusterIP to NodePort. Save and exit the editor (use :wq if you're in vim).
  3. Check the assigned external port:
kubectl get service kubernetes -n default

Look for the NodePort value (it’ll be in the 30000–32767 range) — this is the port you’ll use to access the API from outside the cluster.

Alternative: Create a Dedicated External Service

If you don’t want to modify the default service, create a custom service linked directly to your node’s kube-apiserver endpoint. Make a file named kube-api-external.yaml:

apiVersion: v1
kind: Service
metadata:
  name: kube-api-external
  namespace: default
spec:
  type: NodePort
  ports:
  - port: 6443
    targetPort: 6443
    protocol: TCP
---
apiVersion: v1
kind: Endpoints
metadata:
  name: kube-api-external
  namespace: default
subsets:
- addresses:
  - ip: YOUR_NODE_IP # Replace with your single node's public/private IP
  ports:
  - port: 6443
    protocol: TCP

Apply it with:

kubectl apply -f kube-api-external.yaml

Verify the service is running:

kubectl get service kube-api-external -n default

Step 3: Prepare Authentication Credentials

Port 6443 is the secure API port, so you’ll need valid credentials to access it. Here’s how to get the required files and tokens:

Get the Cluster CA Certificate

The cluster’s CA cert (used to verify the API server’s TLS certificate) lives at /etc/kubernetes/pki/ca.crt on your node. Copy this file to your external machine — you’ll need it for secure curl requests.

Create a Service Account for External Access

If you don’t have an existing service account with API permissions, create one:

  1. Make the service account:
kubectl create serviceaccount external-api-user
  2. Bind it to a cluster role (use cluster-admin for full access, or a restricted role for production):
kubectl create clusterrolebinding external-api-binding --clusterrole=cluster-admin --serviceaccount=default:external-api-user
  3. Extract the service account's token. First, get the secret linked to the service account:
kubectl get secrets | grep external-api-user

Then decode the token from the secret:

kubectl get secret YOUR_SECRET_NAME -o jsonpath='{.data.token}' | base64 -d

Save this token — you’ll use it to authenticate API requests.
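On clusters running Kubernetes 1.24 or newer, service-account token Secrets are no longer created automatically, so the grep above may return nothing; in that case kubectl create token external-api-user issues a short-lived token for the same service account. Whichever way you obtain the token, the following is an added example (not part of the original answer) of turning the three pieces gathered so far, the CA certificate, the node address with its NodePort, and the bearer token, into a kubeconfig for the external machine. This keeps the token out of shell history and curl command lines and lets the external machine use kubectl instead of hand-written curl. The function name, the cluster/context names and every path, IP and port are assumptions to substitute with your own values.

```shell
# Added example, not from the original answer.
# write_kubeconfig SERVER_URL CA_FILE TOKEN OUT_FILE
#   SERVER_URL : https://YOUR_NODE_IP:NODE_PORT (placeholders)
#   CA_FILE    : the ca.crt copied from /etc/kubernetes/pki/ca.crt on the node
#   TOKEN      : the service-account bearer token
#   OUT_FILE   : kubeconfig to write; created owner-readable only (mode 0600)
write_kubeconfig() {
    server="$1"; ca_file="$2"; token="$3"; out="$4"
    if [ ! -r "$ca_file" ]; then
        echo "CA file not readable: $ca_file" >&2
        return 1
    fi
    # Refuse plain http: the whole point of port 6443 is TLS with CA verification.
    case "$server" in
        https://*) ;;
        *) echo "server must be an https:// URL, got: $server" >&2; return 1 ;;
    esac
    # Absolute path so the kubeconfig works from any working directory.
    ca_abs="$(cd "$(dirname "$ca_file")" && pwd)/$(basename "$ca_file")"
    # Subshell so the restrictive umask does not leak into the caller's shell.
    (
        umask 077
        cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: single-node
  cluster:
    server: ${server}
    # CA used to verify the API server's TLS certificate (never insecure-skip-tls-verify)
    certificate-authority: ${ca_abs}
users:
- name: external-api-user
  user:
    token: ${token}
contexts:
- name: external
  context:
    cluster: single-node
    user: external-api-user
current-context: external
EOF
    )
}

# Usage (all values are placeholders):
#   write_kubeconfig https://YOUR_NODE_IP:NODE_PORT ./ca.crt "$TOKEN" ./external.kubeconfig
#   kubectl --kubeconfig ./external.kubeconfig get --raw /api/v1
#   kubectl --kubeconfig ./external.kubeconfig auth can-i --list
```

The last usage line lists exactly what the token is allowed to do, which is the quickest way to confirm the binding from the previous step took effect before you hand the kubeconfig to anyone.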

Optional: Use Client Certificates Instead of Tokens

If you prefer certificate-based auth:

  1. Generate a private key on your external machine:
openssl genrsa -out external-api-client.key 2048
  2. Create a certificate signing request (CSR):
openssl req -new -key external-api-client.key -out external-api-client.csr -subj "/CN=external-api-user/O=external-api-group"
  3. Create a Kubernetes CSR resource. The request field must contain the base64-encoded CSR, and the $(...) substitution is only expanded by a shell, not by kubectl, so pipe the manifest into kubectl through a heredoc instead of saving it as a static YAML file:
cat <<EOF | kubectl apply -f -
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
  name: external-api-client
spec:
  request: $(cat external-api-client.csr | base64 | tr -d '\n')
  signerName: kubernetes.io/kube-apiserver-client
  expirationSeconds: 864000 # 10 days, adjust as needed
  usages:
  - client auth
EOF
  4. Approve the CSR:
kubectl certificate approve external-api-client
  5. Retrieve the signed certificate:
kubectl get csr external-api-client -o jsonpath='{.status.certificate}' | base64 -d > external-api-client.crt

You now have a client cert and key to use for authentication.

Step 4: Test External Access

Now you can test accessing the API from your external machine:

Using the Service Account Token

curl --cacert ca.crt https://YOUR_NODE_IP:NODE_PORT/api/v1 -H "Authorization: Bearer YOUR_SERVICE_ACCOUNT_TOKEN"

Using Client Certificates

curl --cacert ca.crt --cert external-api-client.crt --key external-api-client.key https://YOUR_NODE_IP:NODE_PORT/api/v1

Key Notes
  • Ensure the NodePort you’re using is open in your node’s firewall (allow incoming traffic on that port).
  • For production, avoid using the cluster-admin role — create a custom ClusterRole with only the permissions your external client needs.
  • If you’re on a cloud provider, update your security groups to allow access to the NodePort.
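The second note above recommends a custom ClusterRole instead of cluster-admin. The following is an added example (not part of the original answer) that generates a read-only ClusterRole and one binding for it. The binding lists the service account from Step 3 and, for the client-certificate path, the identity that certificate carries: Kubernetes takes the username from the certificate's CN and group membership from its O field, so the cert issued in Step 3 authenticates as User external-api-user in Group external-api-group and needs a binding of its own (the clusterrolebinding in Step 3 only covers the service account). The function name, the role name, the default resource list and the verbs are assumptions; trim them to what your external client actually needs.

```shell
# Added example, not from the original answer.
# write_readonly_rbac OUT_FILE [RESOURCES]
#   OUT_FILE  : manifest file to write
#   RESOURCES : comma-separated core-API resources (assumed default: pods,services,endpoints)
write_readonly_rbac() {
    out="$1"
    resources="${2:-pods,services,endpoints}"
    # Turn "a,b,c" (spaces around commas allowed) into the YAML list ["a", "b", "c"].
    list=$(printf '%s' "$resources" | sed 's/ *, */", "/g; s/^/["/; s/$/"]/')
    cat > "$out" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: external-api-readonly
rules:
- apiGroups: [""]
  resources: ${list}
  verbs: ["get", "list", "watch"]   # read-only: no create/update/patch/delete, no pods/exec
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: external-api-readonly-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-api-readonly
subjects:
- kind: ServiceAccount          # token-based access (service account from Step 3)
  name: external-api-user
  namespace: default
- kind: User                    # client cert with CN=external-api-user
  name: external-api-user
  apiGroup: rbac.authorization.k8s.io
- kind: Group                   # client cert with O=external-api-group
  name: external-api-group
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Usage:
#   write_readonly_rbac rbac.yaml && kubectl apply -f rbac.yaml
```

After applying the manifest, confirm the effect with kubectl auth can-i list pods --as=system:serviceaccount:default:external-api-user (expect yes) and kubectl auth can-i delete pods --as=external-api-user (expect no), then remove the cluster-admin binding from Step 3 with kubectl delete clusterrolebinding external-api-binding so the external credentials hold only the read-only role.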

The question is taken from Stack Exchange; question author: anujkum
