Welcome to the Linux Foundation Forum!

Exercise 6.3: Working with ServiceAccounts - kubernetes API not working from inside a Pod

SimoneZennaro
SimoneZennaro Posts: 5
edited November 24 in LFD259 Class Forum

Hi,
I followed the exercise 6.3 and I created the following resources as explained in the PDF:

  • secret
  • serviceaccount
  • clusterrole
  • rolebinding
  • pod

The only change I made is use an nginix:latest image instead of a busybox (to have curl).

For what I understood, after binding that role to the serviceaccount specified in the pod security context, I should be able to execute what I read here: https://kubernetes.io/docs/tasks/run-application/access-api-from-pod/#without-using-a-proxy

But I'm not..
[email protected]:/$ APISERVER=https://kubernetes.default.svc

SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
CACERT=${SERVICEACCOUNT}/ca.crt
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
curl: (6) Could not resolve host: kubernetes.default.svc

But getting the svc ip and doing a curl to the kubernetes ip (from inside the same pod), I got a response:

k get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dep1 NodePort 10.99.123.7 8080:30002/TCP 47h
kubernetes ClusterIP 10.96.0.1 443/TCP 9d
nginx ClusterIP 10.110.7.220 443/TCP 30h
registry ClusterIP 10.107.115.230 5000/TCP 31h

[email protected]:/$ curl 10.96.0.1:443
Client sent an HTTP request to an HTTPS server.


This is the role:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-access-cr
rules:

  • apiGroups:
    • ""
      resources:
    • secrets
      verbs:
    • get
    • list

I really appreciate who helps me to clarify that topic! :-)

Categories

Upcoming Training