Exercise 6.3: Working with ServiceAccounts - kubernetes API not working from inside a Pod
Hi,
I followed the exercise 6.3 and I created the following resources as explained in the PDF:
- secret
- serviceaccount
- clusterrole
- rolebinding
- pod
The only change I made is use an nginix:latest image instead of a busybox (to have curl).
For what I understood, after binding that role to the serviceaccount specified in the pod security context, I should be able to execute what I read here: https://kubernetes.io/docs/tasks/run-application/access-api-from-pod/#without-using-a-proxy
But I'm not..
2000@secondapp:/$ APISERVER=https://kubernetes.default.svc
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
CACERT=${SERVICEACCOUNT}/ca.crt
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
curl: (6) Could not resolve host: kubernetes.default.svc
But getting the svc ip and doing a curl to the kubernetes ip (from inside the same pod), I got a response:
k get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
dep1 NodePort 10.99.123.7 8080:30002/TCP 47h
kubernetes ClusterIP 10.96.0.1 443/TCP 9d
nginx ClusterIP 10.110.7.220 443/TCP 30h
registry ClusterIP 10.107.115.230 5000/TCP 31h
2000@secondapp:/$ curl 10.96.0.1:443
Client sent an HTTP request to an HTTPS server.
This is the role:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: secret-access-cr
rules:
- apiGroups:
- ""
resources: - secrets
verbs: - get
- list
- ""
I really appreciate who helps me to clarify that topic! :-)
Comments
-
Hi @SimoneZennaro,
Have you tried adding the cluster's domain
kubernetes.default.svc.cluster.local?Additional information can be found in the documentation.
Regards,
-Chris0
Categories
- All Categories
- 177 LFX Mentorship
- 177 LFX Mentorship: Linux Kernel
- 754 Linux Foundation IT Professional Programs
- 374 Cloud Engineer IT Professional Program
- 170 Advanced Cloud Engineer IT Professional Program
- 74 DevOps IT Professional Program - Discontinued
- 5 DevOps & GitOps IT Professional Program
- 100 Cloud Native Developer IT Professional Program
- 7.6K Training Courses & Learning Paths
- 2 AI & ML Training
- 1 Blockchain & Decentralized Identity Training
- 5 Cloud & Containers Training
- 1 Cybersecurity Training
- 2 DevOps & Site-Reliability Training
- 1 Linux Kernel Development Training
- 1 Networking Training
- 2 Open Source Best Practice Training
- 2 System Administration Training
- 1 System Engineering Training
- 1 Web & Application Development Training
- 794 Hardware
- 202 Drivers
- 68 I/O Devices
- 37 Monitors
- 95 Multimedia
- 173 Networking
- 91 Printers & Scanners
- 89 Storage
- 769 Linux Distributions
- 81 Debian
- 68 Fedora
- 22 Linux Mint
- 13 Mageia
- 24 openSUSE
- 150 Red Hat Enterprise
- 31 Slackware
- 13 SUSE Enterprise
- 356 Ubuntu
- 465 Linux System Administration
- 31 Cloud Computing
- 73 Command Line/Scripting
- Github systems admin projects
- 98 Linux Security
- 78 Network Management
- 101 System Management
- 46 Web Management
- 112 Mobile Computing
- 20 Android
- 77 Development
- 1.2K New to Linux
- 1K Getting Started with Linux
- 393 Off Topic
- 121 Introductions
- 182 Small Talk
- 29 Study Material
- 977 Programming and Development
- 310 Kernel Development
- 649 Software Development
- 990 Software
- 382 Applications
- 182 Command Line
- 5 Compiling/Installing
- 68 Games
- 317 Installation
- Archived
- 2 LFD140 Class Forum
- 1.4K LFS258 Class Forum
Upcoming Training
-
August 20, 2018
Kubernetes Administration (LFS458)
-
August 20, 2018
Linux System Administration (LFS301)
-
August 27, 2018
Open Source Virtualization (LFS462)
-
August 27, 2018
Linux Kernel Debugging and Security (LFD440)