Reference: Kubernetes API
We will use Docker Desktop (on macOS, which is where the file paths below come from) to demonstrate these steps.
Get Kubernetes API server address for the cluster
The first step is to get the API server endpoint. Run "kubectl config view" and note down the server address of the cluster you want to talk to. Here "https://kubernetes.docker.internal:6443" is the endpoint of the Kubernetes API server. Note that kubectl config view masks the certificate and key material in its output.

$ kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://kubernetes.docker.internal:6443
  name: docker-desktop
contexts:
- context:
    cluster: docker-desktop
    user: docker-desktop
  name: docker-desktop
current-context: docker-desktop
kind: Config
preferences: {}
users:
- name: docker-desktop
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
Get the Kubernetes version: certificate error
Let us read the Kubernetes version via the API server. curl refuses to talk to it: the API server presents a certificate issued by Docker Desktop's private cluster CA, which is not in curl's system trust store, so the chain cannot be verified. This is curl doing its job, not a bug.

$ curl https://kubernetes.docker.internal:6443/version
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Get the Kubernetes version using the CA certificate
To fix the certificate problem, pass the cluster CA with --cacert rather than disabling verification with -k/--insecure; with verification off, anyone on the network path can impersonate the API server and capture the bearer token we send later. On Docker Desktop for macOS the CA is at ~/Library/Containers/com.docker.docker/pki/ca.crt. The same CA is also embedded base64-encoded in the kubeconfig as certificate-authority-data (kubectl config view shows it with --raw), which is the portable way to get it on other platforms. Note that /version answers without any credentials: the API server allows unauthenticated callers to read it by default, which is why no token is needed yet.

$ curl https://kubernetes.docker.internal:6443/version --cacert ~/Library/Containers/com.docker.docker/pki/ca.crt
{
  "major": "1",
  "minor": "25",
  "gitVersion": "v1.25.0",
  "gitCommit": "a866cbe2e5bbaa01cfd5e969aa3e033f3282a8a2",
  "gitTreeState": "clean",
  "buildDate": "2022-08-23T17:38:15Z",
  "goVersion": "go1.19",
  "compiler": "gc",
  "platform": "linux/arm64"
}
Read the pod list: authorization error
Now let us try to read the list of pods in the default namespace. The request carries no credentials, so the API server authenticates it as the built-in user system:anonymous (anonymous access is enabled by default) and RBAC then rejects it with 403 Forbidden, because nothing grants that user permission to list pods. Note the distinction: this is an authorization failure after a successful (anonymous) authentication, not a 401.

$ curl https://kubernetes.docker.internal:6443/api/v1/namespaces/default/pods --cacert ~/Library/Containers/com.docker.docker/pki/ca.crt
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods is forbidden: User \"system:anonymous\" cannot list resource \"pods\" in API group \"\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}
Read the pod list using a service account token
To get past the permissions check we need an identity the API server can authorize. First create a secret of type kubernetes.io/service-account-token for the default service account. Since Kubernetes 1.24 such secrets are no longer created automatically, and the token minted into this one is a legacy long-lived token: it never expires until the secret is deleted.

$ kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: default-token
  annotations:
    kubernetes.io/service-account.name: default
type: kubernetes.io/service-account-token
EOF

Then grant the RBAC authorization. In this example we bind the default service account to the cluster-admin ClusterRole. This is far more than the task needs and is only acceptable on a throwaway local cluster: every pod in the default namespace that does not set its own serviceAccountName runs as this service account and gets a token for it mounted at /var/run/secrets/kubernetes.io/serviceaccount/token, so after this binding a compromise of any such pod is a compromise of the whole cluster. For anything beyond a demo, use a dedicated service account with a namespace-scoped Role that allows only get and list on pods, and delete the ClusterRoleBinding default-rbac when you are done. More details on RBAC here.

$ kubectl apply -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: default-rbac
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
EOF

Now read the token out of the secret.

$ kubectl describe secret default-token
Name:         default-token
Namespace:    default
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: default
              kubernetes.io/service-account.uid: 8405ff0b-bc0f-425d-8980-7ae289563880

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1099 bytes
namespace:  7 bytes
token:      [USE-THIS-TOKEN]

Pass the token in the Authorization header of the curl request as a bearer token. Treat it like a password: anyone who obtains it (from shell history, a pasted terminal log, or a pod's filesystem) gets the same cluster-admin access. The ca.crt entry in the same secret is the cluster CA used with --cacert above.

$ curl https://kubernetes.docker.internal:6443/api/v1/namespaces/default/pods --cacert ~/Library/Containers/com.docker.docker/pki/ca.crt -H "Authorization: Bearer [USE-THIS-TOKEN]"

We are now able to read the pod list without any errors.
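As an added example (not code from the original post), here is the same read-the-pods task done the way it should be done outside a throwaway cluster: a dedicated service account, a namespace-scoped Role limited to get and list on pods, the cluster CA pulled from the kubeconfig instead of the macOS-specific ca.crt path, and a short-lived token from the TokenRequest API instead of a non-expiring secret. It also decodes the token's claims, so you can see the difference between a legacy secret-based token (no exp claim) and a bound one. It assumes kubectl 1.24 or newer for kubectl create token; the service-account name pod-reader and the 10-minute token lifetime are choices made here, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the original post: least-privilege alternative to
# binding the default service account to cluster-admin with a non-expiring secret.
# Assumptions: kubectl >= 1.24 (for `kubectl create token`), the docker-desktop
# context from the post, and the hypothetical service-account name pod-reader.
set -eu

NS=default
SA=pod-reader                                   # hypothetical name
API=https://kubernetes.docker.internal:6443     # endpoint from kubectl config view

# ServiceAccount + namespace-scoped Role (get/list pods only) + RoleBinding.
# automountServiceAccountToken: false keeps pods from picking up this identity.
render_manifests() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA
  namespace: $NS
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: $SA
  namespace: $NS
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: $SA
  namespace: $NS
subjects:
- kind: ServiceAccount
  name: $SA
  namespace: $NS
roleRef:
  kind: Role
  name: $SA
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Decode the payload (second segment) of a JWT without verifying the signature.
# Service-account tokens use base64url without padding, so restore both.
jwt_payload() {
  p=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#p} % 4 )) in
    2) p="$p==" ;;
    3) p="$p=" ;;
  esac
  printf '%s' "$p" | base64 -d
}

# "bound" if the token carries an exp claim (TokenRequest tokens do),
# "legacy" if it never expires (tokens minted into a service-account-token Secret).
token_kind() {
  if jwt_payload "$1" | grep -q '"exp"'; then echo bound; else echo legacy; fi
}

# Write the cluster CA from the current kubeconfig context; works on any
# platform instead of depending on Docker Desktop's macOS ca.crt path.
write_ca() {
  kubectl config view --raw --minify \
    -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' | base64 -d > "$1"
}

main() {
  render_manifests | kubectl apply -f -
  # Confirm what the binding actually grants before any token is issued.
  kubectl auth can-i list pods -n "$NS" --as="system:serviceaccount:$NS:$SA"
  write_ca ca.crt
  TOKEN=$(kubectl create token "$SA" -n "$NS" --duration=10m)
  echo "token kind: $(token_kind "$TOKEN")"      # prints: token kind: bound
  curl --cacert ca.crt -H "Authorization: Bearer $TOKEN" "$API/api/v1/namespaces/$NS/pods"
}

# Only touch a cluster when invoked as: sh pod-reader.sh run
if [ "${1:-}" = run ]; then main; fi
```

Run it as sh pod-reader.sh run against the docker-desktop context; without the argument it only defines the helpers. The kubectl auth can-i line is the check worth keeping in any such script: it tells you what the binding really grants before a token ever leaves kubectl, and running it with a verb such as create should answer "no" for this Role.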