Extra Question 2

Manually Accessing the Kubernetes API with a ServiceAccount Using Curl

Accessing the Kubernetes API manually can be a powerful way to interact with your cluster and understand its internals. In this guide, we’ll walk through the process of creating a Pod that uses a specific ServiceAccount and then using curl to access the Kubernetes API, listing all available secrets.

Step 1: Creating the Pod with a ServiceAccount

First, we need to create a Pod that will use the secret-reader ServiceAccount in the project-hamster namespace. We’ll use the curlimages/curl:7.65.3 image for this Pod.

Start by generating the Pod YAML file:

Edit the e2.yaml file to include the ServiceAccount and Namespace:

Apply the configuration to create the Pod:

Step 2: Executing into the Pod

Now that the Pod is running, we’ll exec into it to manually contact the Kubernetes API:

Step 3: Manually Contacting the Kubernetes API

Inside the Pod, we can use curl to interact with the Kubernetes API. The API server is usually accessible via the kubernetes.default Service in the default namespace.

Start by trying to access the API:

The last command returns a 403 Forbidden error because the request carries no credentials: the API server treats it as coming from the system:anonymous user, which is not authorized to list secrets. We need to present the ServiceAccount token to authenticate.

Step 4: Using the ServiceAccount Token to Authenticate

To authenticate, we’ll use the token associated with the secret-reader ServiceAccount, which is mounted in the Pod at /var/run/secrets/kubernetes.io/serviceaccount/token.

This command should return a list of all secrets in the cluster, confirming that we are now authenticated as the secret-reader ServiceAccount.

To have curl verify the API server's certificate instead of skipping TLS verification, point it at the CA bundle mounted alongside the token (ca.crt in the same directory):

Step 5: Verifying Permissions

You can also verify whether the secret-reader ServiceAccount has the necessary permissions using the following command:

If the output is yes, the ServiceAccount has the required permissions to list secrets.

Step 6: Writing the Commands to a Script

Finally, save the commands into a script file for easy reference:
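Steps 3 to 5 as a single script, added here as an example and not the post's own script file. It reads the token and CA bundle from the default ServiceAccount mount, derives the API server address from the KUBERNETES_SERVICE_HOST/PORT variables every Pod receives (falling back to kubernetes.default as in Step 3), and replaces kubectl auth can-i, which is not available in the curl image, with the equivalent SelfSubjectAccessReview request.

```shell
#!/bin/sh
# Added example, not the script from the original post: Steps 3-5 wrapped in
# functions so the URL, token and CA bundle are handled in one place.
# Assumes the default ServiceAccount mount and the KUBERNETES_SERVICE_* env
# vars every Pod gets; outside a Pod it falls back to kubernetes.default.
set -eu

SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount

# API server base URL from the in-Pod environment (fallback: the
# kubernetes Service in the default namespace, as in Step 3).
api_url() {
  printf 'https://%s:%s' "${KUBERNETES_SERVICE_HOST:-kubernetes.default}" \
    "${KUBERNETES_SERVICE_PORT:-443}"
}

# Request body for a SelfSubjectAccessReview: the API-level equivalent of
# `kubectl auth can-i VERB RESOURCE`, answered for whoever holds the token.
# Empty namespace means "cluster-wide".
access_review_body() {
  printf '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview",'
  printf '"spec":{"resourceAttributes":{"verb":"%s","resource":"%s","namespace":"%s"}}}' \
    "$1" "$2" "${3:-}"
}

# Authenticated call: bearer token from the mount, server certificate checked
# against the mounted CA bundle rather than skipped with -k.
api_call() {  # api_call METHOD PATH [JSON_BODY]
  body=${3:-}
  curl -sS --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
    -H 'Content-Type: application/json' -X "$1" \
    ${body:+--data-binary "$body"} "$(api_url)$2"
}

main() {
  # Step 3: no credentials -> treated as system:anonymous -> HTTP 403.
  curl -sS --cacert "$SA_DIR/ca.crt" -o /dev/null \
    -w 'anonymous: HTTP %{http_code}\n' "$(api_url)/api/v1/secrets"
  # Step 5: ask the API server whether this identity may list secrets.
  api_call POST /apis/authorization.k8s.io/v1/selfsubjectaccessreviews \
    "$(access_review_body list secrets)" | grep -o '"allowed": *[a-z]*'
  # Step 4: list secrets, printing names only so secret data never hits the terminal.
  api_call GET /api/v1/secrets | grep -o '"name": *"[^"]*"'
}

# Only talk to the cluster when asked, so the functions can be sourced on their own.
if [ "${1:-}" = "--run" ]; then main; fi
```

Inside the Pod, run it as `sh e2.sh --run` (the file name is just an example); without the flag it only defines the functions.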

Conclusion

Manually contacting the Kubernetes API using curl provides valuable insights into how Kubernetes API authentication works. By following these steps, you can explore and interact with your cluster in a more granular and controlled manner, leveraging ServiceAccounts for secure access.
