Google Distributed Cloud (GDC) air-gapped application programming interfaces (APIs) are programmatic interfaces to the GDC platform services. Google builds the control-plane APIs on top of Kubernetes, using the Kubernetes Resource Model (KRM). The control plane performs resource management for services such as creation, deletion, and updates.
Specific services have these APIs and their own data-plane APIs, which are XML, JSON, or gRPC-based. This page covers these services in their respective sections.
About GDC APIs
There are two types of GDC APIs: those that are Kubernetes-based and those that are not. Many GDC APIs are extensions to the open source Kubernetes API. They use Kubernetes custom resources and rely on the KRM. These APIs, like the Kubernetes API, are HTTP-based RESTful APIs, accepting and returning JSON as the default, or in Protobuf. The API endpoint is the relevant Kubernetes server.
Other, non-Kubernetes based GDC APIs, such as the Vertex pre-trained AI APIs, have their own endpoints. In addition to supporting HTTP, some of these APIs may also be accessible by gRPC, the open-source remote-procedure call framework. For more information on specific APIs, see their dedicated documentation in the vertical navigation menu.
To access GDC APIs, use the gdcloud CLI tools or GDC console.
About the Kubernetes API and the KRM
As many of the GDC APIs are extensions to the Kubernetes API and rely on the KRM, an understanding of these concepts help you take advantage of GDC APIs to their full extent.
The Kubernetes API is fully declarative, and everything in the Kubernetes API
is a resource that follows the KRM. API clients, both human and machine,
act on those resources, often with create, read, update, and delete
(CRUD) operations. The Kubernetes database stores the resource and
represents the state of the system. Kubernetes continuously watches
those resources and reconciles the real state of the system with the desired
state. For example, if you update a Deployment
resource to indicate that you
want five replicas of your container instead of four, Kubernetes detects
the change in the desired number of replicas and creates an additional
container.
For the core Kubernetes API, Kubernetes performs the reconciliation between desired and real states itself. The Kubernetes API extensions are custom resources that are not part of the core Kubernetes API. The custom software continuously watches and interacts with the Kubernetes API and performs the reconciliation.
To learn more about the Kubernetes API and the Kubernetes resource model, read the official Kubernetes documentation.
- Kubernetes API Overview, at https://kubernetes.io/docs/reference/using-api/
- Kubernetes API Concepts, at https://kubernetes.io/docs/reference/using-api/api-concepts/
- The Kubernetes Resource Model (KRM), at https://github.com/kubernetes/design-proposals-archive/blob/main/architecture/resource-management.md
Global and zonal APIs
Resources in GDC air-gapped are either zonal resources or global resources. Zonal resources operate within a single zone independently, and a zonal outage can affect some or all of the resources in that zone. Global resources operate with redundancy across multiple zones for fault tolerance.
GDC air-gapped offers two levels of management plane APIs to create and manage both GDC resource types: global APIs and zonal APIs.
Both global and zonal APIs are Kubernetes declarative APIs served at different endpoints, and GDC resources are represented as Kubernetes custom resources in the API servers. The global API servers share a single etcd cluster distributed across zones to provide strong consistency with fault tolerance, at the cost of higher latency and reduced write queries per second (QPS) compared to the zonal API servers. In every organization, a zonal management API server provides the zonal API for administrators and developers to manage zonal resources, and a global management API server provides the global API to manage multi-zone resources.
GDC APIs access
Both the gdcloud CLI tools and the GDC console leverage the GDC APIs. Google recommends that you use those to explore GDC or to do one-off operations. However, if you use automated or programmatic access to GDC, Google recommends that you use the GDC APIs directly.
HTTP and gRPC support
Most GDC APIs provide a JSON HTTP interface that you call directly. The Kubernetes-based APIs use the Kubernetes client libraries. Some non-Kubernetes GDC APIs have a gRPC interface, which provides improved performance and usability. Google also provides client libraries for GDC APIs that aren't based on Kubernetes. To read more about gRPC, go to https://grpc.io/.
TLS encryption
All GDC APIs accept requests using the Transport Layer Security (TLS) encryption.
- If you are using one of the Kubernetes or GDC client libraries, the library handles in-transit encryption for you.
- If you are using your own HTTP or gRPC client, you must authenticate with GDC, which requires TLS. For gRPC, follow the instructions in the gRPC authentication guide at https://grpc.io/docs/guides/auth/.
Access the Kubernetes API and Kubernetes-based APIs
The kubectl
Kubernetes CLI is the primary way to work directly with the
Kubernetes API and any Kubernetes-based APIs.
Access with kubectl
When accessing the Kubernetes API for the first time, use the
Kubernetes command-line tool, kubectl
.
To access a cluster, you need the cluster location information and the credentials to access it. See the Sign in section to learn how to get access to those credentials.
Examine your current kubectl
configuration and see the clusters to which you have
access:
kubectl config view
Direct access to the API with an HTTP client
The following are ways to directly access the REST API with an HTTP client like
curl
, wget
, or a browser:
- Rely on
kubectl
to handle the authentication by using it in proxy mode. - Handle the authentication yourself.
Run kubectl proxy
The kubectl proxy
command runs kubectl
in a mode where it acts as a reverse
proxy. This command connects to the apiserver
and manages the authentication.
Running kubectl
in proxy mode uses the stored API server location and
verifies the identity of the API server using a certificate. This method guards
against man-in-the-middle (MITM) attacks.
The following example shows how to use the kubectl proxy
command:
kubectl proxy --port=8080 &
Once the kubectl
proxy is running, you can explore the API with curl
, wget
,
or a browser, as shown in the following:
$ curl http://localhost:8080/api/
{
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "10.0.1.149:443"
}
]
}
Run without kubectl proxy
If you don't want to run kubectl
in proxy mode, you can pass an authentication
token directly to the API server.
List all possible Kubernetes clusters you have access to, as your kubeconfig file might have multiple contexts:
kubectl config view \ -o jsonpath='{"Cluster name\tServer\n"}{range.clusters[*]}{.name}{"\t"}{.cluster.server}{"\n"}{end}'
Export the name of the Kubernetes cluster you want to interact with from the previous output:
export CLUSTER_NAME="CLUSTER_NAME"
Set the API server referring to the Kubernetes cluster name:
APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")
Create a secret to hold a token for the default service account:
kubectl apply -n NAMESPACE -f - <<EOF apiVersion: v1 kind: Secret metadata: name: default-token annotations: kubernetes.io/service-account.name: default type: kubernetes.io/service-account-token EOF
Wait for the token controller to populate the secret with a token:
while ! kubectl describe secret default-token | grep -E '^token' >/dev/null; do echo "waiting for token..." >&2 sleep 1 done
Set the token value:
TOKEN=$(kubectl get secret $(kubectl get secrets | grep default | cut -f1 -d ' ') \ -o jsonpath='{.data.token}' | base64 --decode)
To access the API, use the token with a tool like
curl
by adding the HTTP headerAuthorization: Bearer $TOKEN
as shown in the following example:$ curl -k $APISERVER/api --header "Authorization: Bearer $TOKEN"
The output is similar to the following:
{ "kind": "APIVersions", "versions": [ "v1" ], "serverAddressByClientCIDRs": [ { "clientCIDR": "0.0.0.0/0", "serverAddress": "10.0.1.149:443" } ] }