Chapter8 in pod cannot access APIServer #25
Comments
@WhsYourDaddy do this inside your container:

```shell
APISERVER=https://kubernetes.default.svc
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
CACERT=${SERVICEACCOUNT}/ca.crt
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
```

This will work.
I tried it and yeah, it worked, which means I can access the /api/ directory. However, I still cannot access the root directory.

```shell
root@curl:/# curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}
```
@WhsYourDaddy you need to create a clusterrolebinding to your service account. Use this command and it fixes the issue. This will give all the access to your API:

```shell
kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default
```

To explain a little bit. By default your pods use

This will list all your service accounts. You can describe and see the

Not when you describe this secret

You will notice that it has token will be same as

So you need to create a clusterrolebinding to your service account. Clusterrole:

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pods-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```

Now bind the above created clusterrole.

Here the first default is your namespace and the second default is the token. Now when inside the container you can do
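The 403 in this thread is an RBAC decision, not a token problem, and the API server says exactly what was denied in the body of the 403. As an added example that is not part of the issue (and not the kubectl or YAML the commenters posted), this Python script parses that Status object and renders the narrowest Role or ClusterRole plus binding that would satisfy it, as an alternative to binding cluster-admin; the two response bodies are constructed, modelled on the message format kube-apiserver's RBAC authorizer uses.

```python
import json
import re

# Constructed sample bodies (not captured from the issue), modelled on the Status
# object kube-apiserver returns when RBAC denies a resource request and a path.
DENIED_PODS = json.dumps({"kind": "Status", "status": "Failure", "code": 403,
    "reason": "Forbidden", "message": 'pods is forbidden: User '
    '"system:serviceaccount:default:default" cannot list resource "pods" '
    'in API group "" in the namespace "default"'})
DENIED_ROOT = json.dumps({"kind": "Status", "status": "Failure", "code": 403,
    "reason": "Forbidden", "message": 'forbidden: User '
    '"system:serviceaccount:default:default" cannot get path "/"'})

SUBJECT = r'User "system:serviceaccount:(?P<sa_ns>[^:]+):(?P<sa>[^"]+)" cannot (?P<verb>\w+) '
RESOURCE_RE = re.compile(SUBJECT + r'resource "(?P<resource>[^"]+)" in API group '
                         r'"(?P<group>[^"]*)"(?: in the namespace "(?P<ns>[^"]+)")?')
PATH_RE = re.compile(SUBJECT + r'path "(?P<path>[^"]+)"')

def explain_forbidden(body: str) -> dict:
    """Extract who was denied which verb on what from a 403 Status body."""
    status = json.loads(body)
    if status.get("code") != 403 or status.get("reason") != "Forbidden":
        raise ValueError("not an RBAC Forbidden status: %r" % status.get("message"))
    m = RESOURCE_RE.search(status["message"]) or PATH_RE.search(status["message"])
    if not m:
        raise ValueError("unrecognised Forbidden message: %r" % status["message"])
    return {k: v for k, v in m.groupdict().items() if v is not None}

def minimal_rbac(denied: dict, name: str = "least-privilege") -> str:
    """Render a Role/ClusterRole and binding that grant only the denied verb,
    instead of handing the service account cluster-admin."""
    if "path" in denied:                   # non-resource URL such as "/": cluster scope only
        rule, scoped = 'nonResourceURLs: ["%s"]' % denied["path"], False
    else:                                  # namespaced resource: a plain Role is enough
        rule = 'apiGroups: ["%s"]\n  resources: ["%s"]' % (denied["group"], denied["resource"])
        scoped = "ns" in denied
    kind = "Role" if scoped else "ClusterRole"
    ns = ["  namespace: " + denied["ns"]] if scoped else []
    doc = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: " + kind, "metadata:",
           "  name: " + name, *ns, "rules:", "- " + rule, '  verbs: ["%s"]' % denied["verb"],
           "---", "apiVersion: rbac.authorization.k8s.io/v1", "kind: " + kind + "Binding",
           "metadata:", "  name: " + name, *ns, "subjects:", "- kind: ServiceAccount",
           "  name: " + denied["sa"], "  namespace: " + denied["sa_ns"], "roleRef:",
           "  kind: " + kind, "  name: " + name, "  apiGroup: rbac.authorization.k8s.io"]
    return "\n".join(doc) + "\n"

if __name__ == "__main__":
    for body in (DENIED_PODS, DENIED_ROOT):
        print(minimal_rbac(explain_forbidden(body)))
```

Inside the pod, the same body is what `curl` prints for the failing request, so the script can be fed the captured response directly.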
After setting the cluster-admin clusterrole, accessing the root path is allowed. Thanks a lot!
Cool, hope this helped, you can close this issue now.
I entered the pod and I already had my token set. But why is there a 403 status code when accessing the APIServer?