
Exercise 6.3: Working with ServiceAccounts - kubernetes API not working from inside a Pod

edited November 2021 in LFD259 Class Forum

Hi,
I followed exercise 6.3 and created the following resources as explained in the PDF:

  • secret
  • serviceaccount
  • clusterrole
  • rolebinding
  • pod

The only change I made is to use an nginx:latest image instead of busybox (to have curl).

From what I understood, after binding that role to the serviceaccount specified in the pod security context, I should be able to execute what I read here: https://kubernetes.io/docs/tasks/run-application/access-api-from-pod/#without-using-a-proxy

But I'm not...

```
2000@secondapp:/$ APISERVER=https://kubernetes.default.svc
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
CACERT=${SERVICEACCOUNT}/ca.crt
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
curl: (6) Could not resolve host: kubernetes.default.svc
```

But getting the svc ip and doing a curl to the kubernetes ip (from inside the same pod), I got a response:

```
k get svc
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)          AGE
dep1         NodePort    10.99.123.7      <none>        8080:30002/TCP   47h
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP          9d
nginx        ClusterIP   10.110.7.220     <none>        443/TCP          30h
registry     ClusterIP   10.107.115.230   <none>        5000/TCP         31h

2000@secondapp:/$ curl 10.96.0.1:443
Client sent an HTTP request to an HTTPS server.
```

This is the role:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: secret-access-cr
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
```

I really appreciate anyone who helps me clarify this topic! :-)
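An added check script (not from the original post, the course PDF, or the Kubernetes docs) that performs the in-pod request described above without depending on cluster DNS, and then reports whether the bound role actually limits the ServiceAccount to secrets. It assumes the default token mount path and the KUBERNETES_SERVICE_HOST / KUBERNETES_SERVICE_PORT variables that the kubelet injects into every pod; the two API paths it probes are my choice, not the exercise's.

```shell
#!/bin/sh
# Added example: exercise the mounted ServiceAccount token from inside a pod and
# report failures by cause (DNS, connectivity, TLS, RBAC) instead of by symptom.
# Assumed: default token mount path and kubelet-injected KUBERNETES_SERVICE_* vars.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# API server URL. Prefer the injected env vars (an IP, so no DNS lookup needed);
# only fall back to the in-cluster DNS name when they are missing.
apiserver_url() {
  host="${KUBERNETES_SERVICE_HOST:-}"
  port="${KUBERNETES_SERVICE_PORT:-443}"
  if [ -z "$host" ]; then
    echo "https://kubernetes.default.svc"
    return
  fi
  case "$host" in
    *:*) echo "https://[$host]:$port" ;;   # IPv6 control plane needs brackets
    *)   echo "https://$host:$port" ;;
  esac
}

# Map a curl exit code to the layer that failed.
explain_curl_exit() {
  case "$1" in
    0)  echo "ok" ;;
    6)  echo "dns: pod cannot resolve the host (check CoreDNS / pod dnsPolicy)" ;;
    7)  echo "connect: API server unreachable from the pod" ;;
    60) echo "tls: ca.crt does not sign the API server certificate" ;;
    *)  echo "curl exit $1" ;;
  esac
}

# GET one API path with the token and cluster CA; print only the HTTP status.
sa_get() {
  curl -sS --cacert "$SA_DIR/ca.crt" \
       -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
       -o /dev/null -w '%{http_code}' "$(apiserver_url)$1"
}

# Expected with the ClusterRole above bound in this namespace: /api and the
# secrets list return 200, the pods list returns 403 (least privilege holds).
check_sa_access() {
  ns=$(cat "$SA_DIR/namespace")
  for path in /api "/api/v1/namespaces/$ns/secrets" "/api/v1/namespaces/$ns/pods"; do
    code=$(sa_get "$path"); rc=$?
    echo "$path -> HTTP $code ($(explain_curl_exit "$rc"))"
  done
}

if [ "${1:-}" = "run" ]; then check_sa_access; fi
```

Run it inside the pod as `sh check.sh run`; a 200 on the pods path would mean the binding grants more than the role in the question intends.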
