How can I use curl to access the Kubernetes API from within a pod?

I am using Kubernetes 1.8.6 on Google Kubernetes Engine and have a pod running Alpine as part of a StatefulSet.

I have logged into my pod using kubectl exec -it my-pod-0 -- /bin/sh and then run the following commands at the prompt:

$ CA_CERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
$ TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
$ NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
$ curl --cacert $CA_CERT -H "Authorization: Bearer $TOKEN" "https://kubernetes/api/v1/namespaces/$NAMESPACE/services/"

Unfortunately a 403 Forbidden error is returned:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "services is forbidden: User \"system:serviceaccount:default:default\" cannot list services in the namespace \"default\": Unknown user \"system:serviceaccount:default:default\"",
  "reason": "Forbidden",
  "details": {
    "kind": "services"
  },
  "code": 403
}
What am I doing wrong?

Dan asked Jan 17 '18 23:01


1 Answer

You're not doing anything wrong. That pod's service account (specified in the pod's serviceAccountName) simply doesn't have any API permissions.

You can grant a view role to that service account like this:

kubectl create rolebinding default-viewer \
  --clusterrole=view \
  --serviceaccount=default:default \
  --namespace=default

See https://kubernetes.io/docs/admin/authorization/rbac/#service-account-permissions for more details about granting permissions to service accounts.

Jordan Liggitt answered Oct 16 '22 05:10
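A check that goes with this answer, added here as an example and not part of the question, the answer, or the kubernetes.io documentation: from inside the pod, ask the API server whether the mounted service account may list services (a SelfSubjectAccessReview in authorization.k8s.io/v1, which any authenticated principal may create), then repeat the request from the question and report the code of any Status object that comes back. The helper functions and the sample 403 body are constructed for this example; `https://kubernetes.default.svc` is the standard in-cluster service name and stands in for the bare `https://kubernetes` used in the question. Run it with `--check` inside the pod before and after creating the rolebinding; without the argument, or outside a cluster, no network call is made.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Checks, from inside
# a pod, whether the mounted service account may list services, using a
# SelfSubjectAccessReview (authorization.k8s.io/v1). Network access is confined
# to run_in_pod; the other functions are pure string handling.

SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
API=https://kubernetes.default.svc   # in-cluster apiserver service (assumed standard name)

# Body of a SelfSubjectAccessReview: "may I <verb> <resource> in <namespace>?"
ssar_body() {
  printf '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"namespace":"%s","verb":"%s","resource":"%s"}}}' "$1" "$2" "$3"
}

# Reads the review the apiserver sends back; prints yes if status.allowed is true.
ssar_allowed() {
  if printf '%s' "$1" | grep -Eq '"allowed"[[:space:]]*:[[:space:]]*true'; then
    echo yes
  else
    echo no
  fi
}

# For a Status object such as the 403 in the question, print its code field;
# print 0 when the response is not a Status (i.e. the call succeeded).
status_code() {
  if printf '%s' "$1" | grep -Eq '"kind"[[:space:]]*:[[:space:]]*"Status"'; then
    printf '%s' "$1" | sed -n 's/.*"code"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
  else
    echo 0
  fi
}

# Constructed sample modelled on the 403 body in the question (not captured output).
SAMPLE_FORBIDDEN='{"kind":"Status","apiVersion":"v1","status":"Failure","message":"services is forbidden","reason":"Forbidden","details":{"kind":"services"},"code":403}'

run_in_pod() {
  if [ ! -r "$SA_DIR/token" ]; then
    echo "no service account token at $SA_DIR; run this inside a pod" >&2
    return 1
  fi
  token=$(cat "$SA_DIR/token")
  ns=$(cat "$SA_DIR/namespace")
  auth="Authorization: Bearer $token"

  # 1. Ask the authorizer first (this call is permitted for any authenticated user).
  review=$(curl -sS --cacert "$SA_DIR/ca.crt" -H "$auth" -H 'Content-Type: application/json' \
    -X POST --data "$(ssar_body "$ns" list services)" \
    "$API/apis/authorization.k8s.io/v1/selfsubjectaccessreviews")
  echo "may list services in $ns: $(ssar_allowed "$review")"

  # 2. Then the actual request from the question, reporting the Status code on failure.
  resp=$(curl -sS --cacert "$SA_DIR/ca.crt" -H "$auth" "$API/api/v1/namespaces/$ns/services/")
  code=$(status_code "$resp")
  if [ "$code" = 0 ]; then
    echo "list succeeded"
  else
    echo "list failed with Status code $code"
  fi
}

# Only touch the network when explicitly asked, so the helpers can be sourced elsewhere.
if [ "${1:-}" = "--check" ]; then
  run_in_pod
fi
```

The `view` clusterrole used in the answer grants read access to most namespaced resources. If the pod only needs to list services, a narrower grant keeps the service account at least privilege: create a namespace-scoped Role with `kubectl create role services-reader --verb=list --resource=services --namespace=default` and bind it with `--role=services-reader` in place of `--clusterrole=view`; the script above reports `yes` either way once the binding exists.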