Chapter8 in pod cannot access APIServer

Question

Chapter8 in pod cannot access APIServer

lith-angelo opened this issue 5 years ago · 5 comments

I entered the pod and I've already had my token set. But why there's a 403 status code when accessing APIServer?

Answer 1 · 2020-05-31T10:33:00.000Z

@WhsYourDaddy do this inside your container

APISERVER=https://kubernetes.default.svc
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
CACERT=${SERVICEACCOUNT}/ca.crt

curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api

This will work

Answer 2 · 2020-05-31T11:44:14.000Z

@WhsYourDaddy do this inside your container

APISERVER=https://kubernetes.default.svc
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
CACERT=${SERVICEACCOUNT}/ca.crt

curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api

This will work

I tried it and yeah it worked, which means I can access the /api/ directory. However, I still cannot access the root directory.

root@curl:/# curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {

},
"status": "Failure",
"message": "forbidden: User "system:serviceaccount:default:default" cannot get path "/"",
"reason": "Forbidden",
"details": {

},
"code": 403
}root@curl:/# curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
{
"kind": "APIVersions",
"versions": [
"v1"
],
"serverAddressByClientCIDRs": [
{
"clientCIDR": "0.0.0.0/0",
"serverAddress": "192.168.99.100:8443"
}
]
}

Answer 3 · 2020-06-15T22:22:22.000Z

@WhsYourDaddy you need to clusterrolebinding to your service account. Use this command and it fix the issue. This will give all the access your API

kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default

To explain a little bit. By default your pods use default service account. You can get it by

kc get sa

This will list all your service accounts. You can describe and see the Mountable secrets will be somewhat like default-token-nqrs.

Not when you describe this secret

kc describe secrets default-token-nqrs9

You will notice that it has token will be same as cat /var/run/secrets/kubernetes.io/serviceaccount/token in your pod

So you need to create clusterrolebinding to your service account. Clusterrole cluster-admin has all the access. If you want to create service based role. You need to first create a clusterrole and then bind that to your clusterrole. Example shown below.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pods-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

First create a cluster role kc apply -f cluterrole.yaml

Now bind the above created clusterrole.

kc create clusterrolebinding pods-reader-pod --clusterrole=pods-reader --serviceaccount=default:default

Here first default is your namespace and second default is token

Now when inside container you can do curl localhost:8001/api/v1/pods and it list the API.

Answer 4 · 2020-06-15T23:40:23.000Z

@WhsYourDaddy you need to clusterrolebinding to your service account. Use this command and it fix the issue. This will give all the access your API
kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=default:default
To explain a little bit. By default your pods use default service account. You can get it by

kc get sa

This will list all your service accounts. You can describe and see the Mountable secrets will be somewhat like default-token-nqrs.

Not when you describe this secret

kc describe secrets default-token-nqrs9

You will notice that it has token will be same as cat /var/run/secrets/kubernetes.io/serviceaccount/token in your pod

So you need to create clusterrolebinding to your service account. Clusterrole cluster-admin has all the access. If you want to create service based role. You need to first create a clusterrole and then bind that to your clusterrole. Example shown below.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: default
  name: pods-reader
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
First create a cluster role kc apply -f cluterrole.yaml

Now bind the above created clusterrole.

kc create clusterrolebinding pods-reader-pod --clusterrole=pods-reader --serviceaccount=default:default

Here first default is your namespace and second default is token

Now when inside container you can do curl localhost:8001/api/v1/pods and it list the API.

After setting the cluster-admin clusterrole, accessing the root path is allowed.Thanks a lot!

Answer 5 · 2020-06-16T01:16:28.000Z

Cool, hope this helped, you can close this issue now.