In this post I would like to explain how we can invoke the k8s API and retrieve k8s cluster information. When we develop applications and programs we sometimes need to invoke k8s APIs to perform complex deployment tasks, and in this post we will see how to do that step by step.
In my setup I have used Rancher Desktop and k8s version 1.24.3. The instructions below can differ slightly in other versions.
First we need to create a k8s user account. For this we will create a service account, a cluster role and a cluster role binding. Create the .yaml files below for each of these resources and apply them to the k8s cluster using the kubectl commands that follow.
ServiceAccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: apk-platform
namespace: default
ClusterRole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
# "namespace" omitted since ClusterRoles are not namespaced
name: apk-role
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
ClusterRoleBinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
# This cluster role binding grants the "apk-role" ClusterRole to the "apk-platform" service account, cluster-wide.
kind: ClusterRoleBinding
metadata:
name: role-binding
roleRef:
kind: ClusterRole
name: apk-role
apiGroup: rbac.authorization.k8s.io
subjects:
# You can specify more than one "subject"
- kind: ServiceAccount
name: apk-platform # "name" is case sensitive
namespace: default
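The ClusterRole above grants every verb on every resource in every API group, so the apk-platform token is effectively cluster-admin, and anyone who can read the token Secret created later inherits that power. The following check is an added example and is not part of the original post: audit_role flags wildcard rules and access to secrets, APK_ROLE is the post's ClusterRole expressed as a Python dict, and SCOPED_ROLE is a constructed read-only alternative (the resources it lists are an assumption, not something the post prescribes) to compare against.

```python
from typing import Dict, List

# The ClusterRole from the post (same content as ClusterRole.yaml), as a dict.
APK_ROLE: Dict = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "apk-role"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# Constructed least-privilege alternative: read-only on a few named resources.
# Which resources a real program needs depends on that program; this is a sample.
SCOPED_ROLE: Dict = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "apk-role-readonly"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch"]},
    ],
}


def audit_role(role: Dict) -> List[str]:
    """Return one finding per rule that uses a wildcard or touches secrets.

    An empty list means every rule names explicit API groups, resources and verbs
    and none of them grants access to Secret objects.
    """
    findings: List[str] = []
    for i, rule in enumerate(role.get("rules", [])):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                findings.append(f"rule {i}: wildcard in {field}")
        if "secrets" in rule.get("resources", []):
            findings.append(f"rule {i}: grants access to secrets")
    return findings


if __name__ == "__main__":
    for role in (APK_ROLE, SCOPED_ROLE):
        name = role["metadata"]["name"]
        print(name, "->", audit_role(role) or "no findings")
```

Running the script prints three findings for apk-role (one per wildcard field) and none for the read-only role; the check is deliberately simple so it can be dropped into a CI step that parses manifests before they are applied.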
Apply the 3 commands below
kubectl apply -f ServiceAccount.yaml
kubectl apply -f ClusterRole.yaml
kubectl apply -f ClusterRoleBinding.yaml
Set the variables below, as we are going to use them in the next steps
SERVICE_ACCOUNT=apk-platform
APISERVER=https://$(kubectl -n default get endpoints kubernetes --no-headers | awk '{ print $2 }')
Now we have successfully created the service account and cluster role binding. Next we need to get a token and certificate to invoke the API.
To get the token, apply the following yaml file with the command shown after it.
Token.yaml
apiVersion: v1
kind: Secret
metadata:
name: apk-platform-token
annotations:
kubernetes.io/service-account.name: apk-platform
type: kubernetes.io/service-account-token
kubectl apply -f Token.yaml
Now you can see the generated token, certificate etc. using the command below
kubectl get secret "apk-platform-token" -o json
{
"apiVersion": "v1",
"data": {
"ca.crt": "XXX",
"namespace": "ZGVmYXVsdA==",
"token": "XXXX"
},
"kind": "Secret",
"metadata": {
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Secret\",\"metadata\":{\"annotations\":{\"kubernetes.io/service-account.name\":\"apk-platform\"},\"name\":\"apk-platform-token\",\"namespace\":\"default\"},\"type\":\"kubernetes.io/service-account-token\"}\n",
"kubernetes.io/service-account.name": "apk-platform",
"kubernetes.io/service-account.uid": "e546dfae-7420-425f-881e-fcdcbe7ace9f"
},
"creationTimestamp": "2022-11-09T08:07:51Z",
"name": "apk-platform-token",
"namespace": "default",
"resourceVersion": "43505",
"uid": "d2d4f3ae-aee6-4784-8a5f-fa7d1e874bfb"
},
"type": "kubernetes.io/service-account-token"
}
Now let's extract the token and certificate using the commands below
Extract the token data into a variable
TOKEN=$(kubectl get secrets apk-platform-token -o json | jq -Mr '.data.token' | base64 -d)
Extract the certificate to a file
kubectl get secret "apk-platform-token" -o json | jq -Mr '.data["ca.crt"]' | base64 -d > /tmp/ca.crt
Now we have all the information required to invoke the k8s API. Let's execute a curl command using the token and certificate we obtained, as follows.
curl -s $APISERVER/openapi/v2 --header "Authorization: Bearer $TOKEN" --cacert /tmp/ca.crt | less
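The post's motivation is calling the API from a program rather than from a shell, so here is the same flow (decode the Secret, send a bearer-token request, trust only the cluster CA) in Python using just the standard library. This is an added example, not code from the original post: SAMPLE_SECRET_JSON is a constructed object in the shape of the `kubectl get secret ... -o json` output above with placeholder token and certificate bodies, and the `/api` path used in the usage example is the core API group listing, chosen because it is small enough to print.

```python
import base64
import json
import os
import ssl
import sys
import urllib.request

# Constructed sample in the shape of `kubectl get secret apk-platform-token -o json`.
# The token and certificate bodies are placeholders, not real credentials.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "kubernetes.io/service-account-token",
    "metadata": {"name": "apk-platform-token", "namespace": "default"},
    "data": {
        "ca.crt": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
        ).decode(),
        "namespace": "ZGVmYXVsdA==",  # base64("default"), exactly as kubectl prints it
        "token": base64.b64encode(b"eyJhbGciOiJSUzI1NiJ9.PLACEHOLDER.SIGNATURE").decode(),
    },
})


def extract_credentials(secret_json: str):
    """Decode token, CA certificate and namespace from a service-account-token Secret.

    Equivalent to the two `jq ... | base64 -d` commands above. Any other Secret
    type is rejected so an unrelated Opaque secret is never mistaken for credentials.
    """
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError(f"not a service-account-token secret: {secret.get('type')!r}")
    data = secret["data"]
    token = base64.b64decode(data["token"]).decode("ascii").strip()
    ca_pem = base64.b64decode(data["ca.crt"])
    namespace = base64.b64decode(data["namespace"]).decode("ascii")
    return token, ca_pem, namespace


def build_request(apiserver: str, path: str, token: str) -> urllib.request.Request:
    """Build the request curl sends: GET $APISERVER<path> with a bearer token header."""
    url = apiserver.rstrip("/") + "/" + path.lstrip("/")
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def make_ssl_context(ca_pem: bytes) -> ssl.SSLContext:
    """Trust only the cluster CA from the Secret (the --cacert /tmp/ca.crt equivalent).

    Passing cadata means the system trust store is not loaded, so a certificate
    issued by any other CA for the same address is rejected.
    """
    ctx = ssl.create_default_context(cadata=ca_pem.decode("ascii"))
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def call_api(apiserver: str, path: str, secret_json: str) -> dict:
    """Decode credentials, GET an API path over a CA-pinned TLS connection, return JSON."""
    token, ca_pem, _ = extract_credentials(secret_json)
    req = build_request(apiserver, path, token)
    with urllib.request.urlopen(req, context=make_ssl_context(ca_pem), timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Usage, with APISERVER exported as in the post:
    #   kubectl get secret apk-platform-token -o json | python3 k8s_api_call.py
    body = call_api(os.environ["APISERVER"], "/api", sys.stdin.read())
    print(json.dumps(body, indent=2))
```

The token is read from stdin rather than placed on the command line so it does not end up in shell history or `ps` output, and it is never written to disk, which is the one thing the `/tmp/ca.crt` approach above does for the certificate (harmless for a public CA cert, but keep the token out of temp files).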