test: ⚗️ ServiceAccount: Inject script to test k8s API access (curl)

Here we have a simple script injection into our Go app in order to do a CURL requisition to local K8S Api from within the Pod. This will be important to validate that if we can access it when ServiceAccount its added.
kevencript · Mar 21, 2023 · 4fcfd79 · 4fcfd79
1 parent 80ada95
commit 4fcfd79
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/k8s/configmap-script-test.yaml b/k8s/configmap-script-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: test-api-k8s-script
+  namespace: server
+data:
+  script: |
+    #!/bin/sh
+
+    # TESTING ACCESS FROM POD TO K8S APISERVER:
+    # with this script we can check if the pod can list pods via k8s api.
+    # We are doing this to validate the ServiceAccounts
+
+    # Export the internal Kubernetes API server hostname
+    APISERVER=https://kubernetes.default.svc
+
+    # Export the path to ServiceAccount mount directory
+    SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
+
+    # Read the ServiceAccount bearer token
+    TOKEN=$(cat ${SERVICEACCOUNT}/token)
+
+    # Reference the internal Kubernetes certificate authority (CA)
+    CACERT=${SERVICEACCOUNT}/ca.crt
+
+    # Make a call to the Kubernetes API with TOKEN
+    echo "ACTION1: Trying to list PODS from Kubernetes Api:"
+    curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/default/pods
+    
diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
@@ -53,10 +53,15 @@ spec:
             - secretRef:
                 name: secret-app
           volumeMounts:
+            # Generic example of File Injection
             - mountPath: "/go/myfamily"
               name: file-injection
+            # Generic example of Persistent Volume
             - mountPath: "/go/persistence"
               name: persistent-volume
+            # Here we inject a script to test ServiceAccount (Access to k8s API->LIST_PODS)
+            - mountPath: "/go/test-serviceaccount"
+              name: inject-test-api-k8s-script
       volumes:
         - name: persistent-volume
           persistentVolumeClaim:
@@ -67,3 +72,9 @@ spec:
             items:
               - key: config
                 path: family.txt
+        - name: inject-test-api-k8s-script
+          configMap:
+            name: test-api-k8s-script
+            items:
+              - key: script
+                path: test-k8s-api-access.sh