Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Chapter8 in pod cannot access APIServer #25

Closed
lith-angelo opened this issue May 4, 2020 · 5 comments
Closed

Chapter8 in pod cannot access APIServer #25

lith-angelo opened this issue May 4, 2020 · 5 comments

Comments

@lith-angelo
Copy link

I entered the pod and I've already had my token set. But why there's a 403 status code when accessing APIServer?
image
@knrt10
Copy link

knrt10 commented May 31, 2020

@WhsYourDaddy do this inside your container

APISERVER=https://kubernetes.default.svc
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
CACERT=${SERVICEACCOUNT}/ca.crt

curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api

This will work

@lith-angelo
Copy link
Author

@WhsYourDaddy do this inside your container

APISERVER=https://kubernetes.default.svc
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
CACERT=${SERVICEACCOUNT}/ca.crt

curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api

This will work

I tried it and yeah it worked, which means I can access the /api/ directory. However, I still cannot access the root directory.

root@curl:/# curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {

},
"status": "Failure",
"message": "forbidden: User "system:serviceaccount:default:default" cannot get path "/"",
"reason": "Forbidden",
"details": {

},
"code": 403
}root@curl:/# curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.99.100:8443"
}
]
}

@knrt10
Copy link

knrt10 commented Jun 15, 2020
edited
Loading

@WhsYourDaddy you need to clusterrolebinding to your service account. Use this command and it fix the issue. This will give all the access your API

kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default

To explain a little bit. By default your pods use default service account. You can get it by

kc get sa

This will list all your service accounts. You can describe and see the Mountable secrets will be somewhat like default-token-nqrs.

Not when you describe this secret

kc describe secrets default-token-nqrs9

You will notice that it has token will be same as cat /var/run/secrets/kubernetes.io/serviceaccount/token in your pod

So you need to create clusterrolebinding to your service account. Clusterrole cluster-admin has all the access. If you want to create service based role. You need to first create a clusterrole and then bind that to your clusterrole. Example shown below.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pods-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
  • First create a cluster role kc apply -f cluterrole.yaml

Now bind the above created clusterrole.

kc create clusterrolebinding pods-reader-pod --clusterrole=pods-reader --serviceaccount=default:default

Here first default is your namespace and second default is token

Now when inside container you can do curl localhost:8001/api/v1/pods and it list the API.

@lith-angelo
Copy link
Author

@WhsYourDaddy you need to clusterrolebinding to your service account. Use this command and it fix the issue. This will give all the access your API

kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default

To explain a little bit. By default your pods use default service account. You can get it by

kc get sa

This will list all your service accounts. You can describe and see the Mountable secrets will be somewhat like default-token-nqrs.

Not when you describe this secret

kc describe secrets default-token-nqrs9

You will notice that it has token will be same as cat /var/run/secrets/kubernetes.io/serviceaccount/token in your pod

So you need to create clusterrolebinding to your service account. Clusterrole cluster-admin has all the access. If you want to create service based role. You need to first create a clusterrole and then bind that to your clusterrole. Example shown below.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pods-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
  • First create a cluster role kc apply -f cluterrole.yaml

Now bind the above created clusterrole.

kc create clusterrolebinding pods-reader-pod --clusterrole=pods-reader --serviceaccount=default:default

Here first default is your namespace and second default is token

Now when inside container you can do curl localhost:8001/api/v1/pods and it list the API.

After setting the cluster-admin clusterrole, accessing the root path is allowed.Thanks a lot!

@knrt10
Copy link

knrt10 commented Jun 16, 2020

Cool, hope this helped, you can close this issue now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@knrt10 @lith-angelo