Help with API Call #2844

Closed
procheeseburger opened this issue Jan 17, 2022 · 0 comments
procheeseburger commented Jan 17, 2022

Looking for some help with my setup. I have an external application that needs to make an API call to my cluster. I'm currently running Microk8s v1.22.5-3+66632586920c77

I have my API Server: https://10.10.40.11:16443

I've created a Service account:

- Name: pan-plugin-user
- Namespace: kube-system
- Labels: app=pan-plugin
- Annotations: <none>
- Image pull secrets: <none>
- Mountable secrets: pan-plugin-user-token-ccqrr

I've added the token to the application and when I try to validate I get: "Failed to get Pods. Max retry exceeded. Error: SSL certificate error"

MicroK8s says that it consolidated a few services into daemon-kubelite

Used in release 1.21 and later. The kubelite daemon runs as subprocesses the scheduler, controller, proxy, kubelet, and apiserver services. Each of these individual services can be configured using arguments in the matching ${SNAP_DATA}/args/ directory:

- scheduler ${SNAP_DATA}/args/kube-scheduler
- controller ${SNAP_DATA}/args/kube-controller-manager
- proxy ${SNAP_DATA}/args/kube-proxy
- kubelet ${SNAP_DATA}/args/kubelet
- apiserver ${SNAP_DATA}/args/kube-apiserver

Also it seems like I'm using one of the approved K8s auth methods: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies

The app has me generate a Service Account:

```
$ k describe sa -n kube-system pan-plugin-user
Name:                pan-plugin-user
Namespace:           kube-system
Labels:              app=pan-plugin
Annotations:         <none>
Image pull secrets:  <none>
Mountable secrets:   pan-plugin-user-token-zr7xq
Tokens:              pan-plugin-user-token-zr7xq
Events:              <none>
```

which has a secret:

```
$ k describe secret -n kube-system pan-plugin-user-token-zr7xq
Name:         pan-plugin-user-token-zr7xq
Namespace:    kube-system
Labels:       <none>
Annotations:  kubernetes.io/service-account.name: pan-plugin-user
              kubernetes.io/service-account.uid: removed

Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1123 bytes
namespace:  11 bytes
token: Removed
```

And then it generates a cred.json file:

```
kubectl -n kube-system get secrets -o json >> cred.json
```

```json
{
  "apiVersion": "v1",
  "data": {
    "ca.crt": "REMOVED",
    "namespace": "a3ViZS1zeXN0ZW0=",
    "token": "REMOVED"
  },
  "kind": "Secret",
  "metadata": {
    "annotations": {
      "kubernetes.io/service-account.name": "pan-plugin-user",
      "kubernetes.io/service-account.uid": "REMOVED"
    },
    "creationTimestamp": "2022-01-17T16:49:33Z",
    "name": "pan-plugin-user-token-zr7xq",
    "namespace": "kube-system",
    "resourceVersion": "1447233",
    "selfLink": "/api/v1/namespaces/kube-system/secrets/pan-plugin-user-token-zr7xq",
    "uid": "REMOVED"
  },
  "type": "kubernetes.io/service-account-token"
}
```

So the file has the ca.crt in there, I feel like that should work for the auth

If I look at:

```
$ microk8s config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: "THIS CERT"
```

matches the one in the json file.

inspection-report-20220117_121858.tar.gz
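
Added example, not part of the original issue and not MicroK8s code: a Python check that decodes the service-account secret from `cred.json` (Secret `data` values are base64-encoded) and tests whether the API server certificate verifies against that `ca.crt` for the address being called. The names `SAMPLE`, `decode_sa_secret` and `probe_tls` are made up for this example, and the sample's certificate and token are placeholders.

```python
import base64, json, socket, ssl, sys

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample shaped like the cred.json in the issue; the ca.crt and
# token values are placeholders, not real credentials.
SAMPLE = json.dumps({"apiVersion": "v1", "kind": "List", "items": [{
    "kind": "Secret", "type": SA_TOKEN_TYPE,
    "metadata": {"name": "pan-plugin-user-token-zr7xq", "namespace": "kube-system"},
    "data": {"ca.crt": _b64("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n"),
             "namespace": "a3ViZS1zeXN0ZW0=",
             "token": _b64("PLACEHOLDER.TOKEN")}}]})

def decode_sa_secret(text, name):
    """Return the decoded ca.crt, namespace and token of the named Secret.

    Accepts one Secret object or the List that `kubectl get secrets -o json`
    emits when no secret name is given."""
    doc = json.loads(text)
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    for item in items:
        if item["metadata"]["name"] == name and item.get("type") == SA_TOKEN_TYPE:
            return {k: base64.b64decode(v).decode() for k, v in item["data"].items()}
    raise KeyError(f"no service-account token secret named {name}")

def probe_tls(host, port, ca_pem):
    """Handshake with the API server trusting only ca_pem; return (ok, reason)."""
    ctx = ssl.create_default_context(cadata=ca_pem)  # hostname/IP check stays on
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True, f"chain verifies against ca.crt and matches {host}"
    except ssl.SSLCertVerificationError as exc:
        # e.g. unknown issuer (wrong CA) or the address missing from the SANs
        return False, f"verify error {exc.verify_code}: {exc.verify_message}"
    except OSError as exc:
        return False, f"connection failed: {exc}"

if __name__ == "__main__":
    if len(sys.argv) == 5:  # usage: script cred.json SECRET_NAME HOST PORT
        with open(sys.argv[1]) as fh:
            creds = decode_sa_secret(fh.read(), sys.argv[2])
        print(probe_tls(sys.argv[3], int(sys.argv[4]), creds["ca.crt"]))
    else:  # offline run on the constructed sample
        print(decode_sa_secret(SAMPLE, "pan-plugin-user-token-zr7xq")["namespace"])
```

Run with the four arguments against the real file and the address from the issue (`10.10.40.11`, port `16443`); the verify message separates an untrusted issuer from a certificate that does not list the address being called.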
