I entered the pod and I've already had my token set. But why there's a 403 status co

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

<a class="user-mention notranslate" data-hovercard-type="user" data-hover

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

<a class="user-mention notranslate" data-hovercard-type="user" data-hover

Chapter8 in pod cannot access APIServer about kubernetes-in-action HOT 5 CLOSED

lith-angelo commented on June 26, 2024

Chapter8 in pod cannot access APIServer

from kubernetes-in-action.

Comments (5)

knrt10 commented on June 26, 2024

@WhsYourDaddy do this inside your container

APISERVER=https://kubernetes.default.svc
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
CACERT=${SERVICEACCOUNT}/ca.crt

curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api

This will work

from kubernetes-in-action.

lith-angelo commented on June 26, 2024

@WhsYourDaddy do this inside your container

APISERVER=https://kubernetes.default.svc
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
CACERT=${SERVICEACCOUNT}/ca.crt

curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api

This will work

I tried it and yeah it worked, which means I can access the /api/ directory. However, I still cannot access the root directory.

root@curl:/# curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {

},
"status": "Failure",
"message": "forbidden: User "system:serviceaccount:default:default" cannot get path "/"",
"reason": "Forbidden",
"details": {

},
"code": 403
}root@curl:/# curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.99.100:8443"
}
]
}

from kubernetes-in-action.

knrt10 commented on June 26, 2024

@WhsYourDaddy you need to clusterrolebinding to your service account. Use this command and it fix the issue. This will give all the access your API

kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default

To explain a little bit. By default your pods use default service account. You can get it by

kc get sa

This will list all your service accounts. You can describe and see the Mountable secrets will be somewhat like default-token-nqrs.

Not when you describe this secret

kc describe secrets default-token-nqrs9

You will notice that it has token will be same as cat /var/run/secrets/kubernetes.io/serviceaccount/token in your pod

So you need to create clusterrolebinding to your service account. Clusterrole cluster-admin has all the access. If you want to create service based role. You need to first create a clusterrole and then bind that to your clusterrole. Example shown below.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pods-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

First create a cluster role kc apply -f cluterrole.yaml

Now bind the above created clusterrole.

kc create clusterrolebinding pods-reader-pod --clusterrole=pods-reader --serviceaccount=default:default

Here first default is your namespace and second default is token

Now when inside container you can do curl localhost:8001/api/v1/pods and it list the API.

from kubernetes-in-action.

lith-angelo commented on June 26, 2024

@WhsYourDaddy you need to clusterrolebinding to your service account. Use this command and it fix the issue. This will give all the access your API
kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default
To explain a little bit. By default your pods use default service account. You can get it by

kc get sa

This will list all your service accounts. You can describe and see the Mountable secrets will be somewhat like default-token-nqrs.

Not when you describe this secret

kc describe secrets default-token-nqrs9

You will notice that it has token will be same as cat /var/run/secrets/kubernetes.io/serviceaccount/token in your pod

So you need to create clusterrolebinding to your service account. Clusterrole cluster-admin has all the access. If you want to create service based role. You need to first create a clusterrole and then bind that to your clusterrole. Example shown below.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pods-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
First create a cluster role kc apply -f cluterrole.yaml

Now bind the above created clusterrole.

kc create clusterrolebinding pods-reader-pod --clusterrole=pods-reader --serviceaccount=default:default

Here first default is your namespace and second default is token

Now when inside container you can do curl localhost:8001/api/v1/pods and it list the API.

After setting the cluster-admin clusterrole, accessing the root path is allowed.Thanks a lot!

from kubernetes-in-action.

knrt10 commented on June 26, 2024

Cool, hope this helped, you can close this issue now.

from kubernetes-in-action.

Chapter8 in pod cannot access APIServer about kubernetes-in-action HOT 5 CLOSED

Comments (5)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent