Comments (5)
@WhsYourDaddy do this inside your container
APISERVER=https://kubernetes.default.svc
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
CACERT=${SERVICEACCOUNT}/ca.crt
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
This will work
from kubernetes-in-action.
I tried it and yeah it worked, which means I can access the /api/ directory. However, I still cannot access the root directory.
root@curl:/# curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "forbidden: User \"system:serviceaccount:default:default\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
  },
  "code": 403
}
root@curl:/# curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "192.168.99.100:8443"
    }
  ]
}
from kubernetes-in-action.
@WhsYourDaddy you need to create a clusterrolebinding for your service account. Use this command and it fixes the issue. This will give all the access to your API:
kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default
To explain a little bit. By default your pods use the default service account. You can get it by
kc get sa
This will list all your service accounts. You can describe it and see the Mountable secrets, which will be somewhat like default-token-nqrs.
Now when you describe this secret
kc describe secrets default-token-nqrs9
you will notice that its token will be the same as cat /var/run/secrets/kubernetes.io/serviceaccount/token in your pod.
So you need to create a clusterrolebinding for your service account. Clusterrole cluster-admin has all the access. If you want to create a service-based role, you need to first create a clusterrole and then bind that to your clusterrole. Example shown below.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pods-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

First create a cluster role:
kc apply -f clusterrole.yaml
Now bind the above created clusterrole:
kc create clusterrolebinding pods-reader-pod --clusterrole=pods-reader --serviceaccount=default:default
Here first default is your namespace and second default is token.
Now when inside the container you can do curl localhost:8001/api/v1/pods and it lists the API.
from kubernetes-in-action.
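Added example, not from the thread or the Kubernetes project: a simplified Python model of the RBAC decision, showing why the pods-reader ClusterRole above permits GET /api/v1/pods but not GET /, while cluster-admin permits both. It assumes the built-in cluster-admin rules (a wildcard resource rule plus a wildcard nonResourceURLs rule) and leaves out Roles, RoleBindings and group subjects.

```python
# pods-reader copies the thread's ClusterRole; cluster-admin's rules are the
# built-in role's wildcards (resource rule plus nonResourceURL rule).
ROLES = {
    "pods-reader": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    ],
    "cluster-admin": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
}
# Identity from the thread's 403 message: system:serviceaccount:<namespace>:<name>
SA = "system:serviceaccount:default:default"

def _match(pattern, value):
    """'*' matches anything; a trailing '*' (e.g. '/api/*') matches a prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def _rule_allows(rule, verb, api_group=None, resource=None, path=None):
    """Resource requests check apiGroups/resources; a path like '/' checks only nonResourceURLs."""
    if not any(_match(v, verb) for v in rule["verbs"]):
        return False
    if path is not None:
        return any(_match(u, path) for u in rule.get("nonResourceURLs", []))
    return (any(_match(g, api_group) for g in rule.get("apiGroups", []))
            and any(_match(r, resource) for r in rule.get("resources", [])))

def allowed(bindings, subject, verb, **request):
    """bindings: (clusterrole, subject) pairs, i.e. what `kubectl create
    clusterrolebinding ... --clusterrole R --serviceaccount ns:name` creates.
    RBAC is deny-by-default: allow only when some rule of a bound role matches."""
    return any(_rule_allows(rule, verb, **request)
               for role, bound in bindings if bound == subject
               for rule in ROLES[role])

def demo():
    """The thread's three states for one service account: no binding, pods-reader, cluster-admin."""
    reader, admin = [("pods-reader", SA)], [("cluster-admin", SA)]
    return {
        "no binding, get pods": allowed([], SA, "get", api_group="", resource="pods"),
        "pods-reader, get pods": allowed(reader, SA, "get", api_group="", resource="pods"),
        "pods-reader, get /": allowed(reader, SA, "get", path="/"),
        "pods-reader, get secrets": allowed(reader, SA, "get", api_group="", resource="secrets"),
        "cluster-admin, get /": allowed(admin, SA, "get", path="/"),
        "cluster-admin, delete secrets": allowed(admin, SA, "delete", api_group="", resource="secrets"),
    }
```

The /api path in the earlier output works without any binding because the built-in system:discovery ClusterRole is granted to every authenticated identity and covers /api and /apis but not /, which is why only the root path returned 403. Binding cluster-admin to the default service account makes every pod in that namespace a cluster administrator, so the pods-reader binding is the least-privilege choice.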
After setting the cluster-admin clusterrole, accessing the root path is allowed.
Thanks a lot!
from kubernetes-in-action.
Cool, hope this helped, you can close this issue now.
from kubernetes-in-action.