Exercise 6.3: Working with ServiceAccounts - kubernetes API not working from inside a Pod

SimoneZennaro

Hi,
I followed the exercise 6.3 and I created the following resources as explained in the PDF:

• secret
• serviceaccount
• clusterrole
• rolebinding
• pod

The only change I made is use an nginix:latest image instead of a busybox (to have curl).

For what I understood, after binding that role to the serviceaccount specified in the pod security context, I should be able to execute what I read here: https://kubernetes.io/docs/tasks/run-application/access-api-from-pod/#without-using-a-proxy

But I'm not..
2000@secondapp:/$ APISERVER=https://kubernetes.default.svc

SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
CACERT=${SERVICEACCOUNT}/ca.crt
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
curl: (6) Could not resolve host: kubernetes.default.svc

But getting the svc ip and doing a curl to the kubernetes ip (from inside the same pod), I got a response:

k get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dep1 NodePort 10.99.123.7 8080:30002/TCP 47h
kubernetes ClusterIP 10.96.0.1 443/TCP 9d
nginx ClusterIP 10.110.7.220 443/TCP 30h
registry ClusterIP 10.107.115.230 5000/TCP 31h

2000@secondapp:/$ curl 10.96.0.1:443
Client sent an HTTP request to an HTTPS server.

---

This is the role:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-access-cr
rules:

• apiGroups:
  • ""
    resources:
  • secrets
    verbs:
  • get
  • list

I really appreciate who helps me to clarify that topic! :-)

chrispokorni

Hi @SimoneZennaro,

Have you tried adding the cluster's domain kubernetes.default.svc.cluster.local ?

Additional information can be found in the documentation.

Regards,
-Chris