On a Kubernetes VM I'm running, for example: kubectl get endpoints. How can I get the same output inside the pod? What should I run within a pod? I understood there is a kube API, but I'm new to Kubernetes. Can someone explain how I can use it?

this is my clusterrolebinding:

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: {{ template "elasticsearch.fullname" . }}
  labels:
    app: {{ template "elasticsearch.name" . }}
    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
    release: "{{ .Release.Name }}"
    heritage: "{{ .Release.Service }}"
subjects:
- kind: ServiceAccount
  name: {{ template "elasticsearch.serviceAccountName.client" . }}
  namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: {{ template "elasticsearch.fullname" . }}
  apiGroup: rbac.authorization.k8s.io

clusterrole.yaml:

---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name:  {{ template "elasticsearch.fullname" . }}
  labels:
    app: {{ template "elasticsearch.name" . }}
    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
    release: "{{ .Release.Name }}"
    heritage: "{{ .Release.Service }}"
rules:
#
# Give here only the privileges you need
#
- apiGroups: [""]
  resources:
  - pods
  - endpoints
  verbs:
  - get
  - watch
  - list

serviceaccount:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: {{ template "elasticsearch.name" . }}
    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
    component: "{{ .Values.client.name }}"
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
  name: {{ template "elasticsearch.client.fullname" . }}
NoamiA
    Does this answer your question? [How to run kubectl commands inside a container?](https://stackoverflow.com/questions/42642170/how-to-run-kubectl-commands-inside-a-container) – ITChap Feb 10 '21 at 08:53

1 Answer

You don't have to have kubectl installed in the pod to access the Kubernetes API. You will be able to do it with any tool that can make HTTP requests.

The Kubernetes API is a simple HTTP REST API, and all the authentication information that you need is present in the container if it runs as a Pod in the cluster.

To get the Endpoints object named your-service from within a container in the cluster, you can do:

$ curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  https://kubernetes.default.svc:443/api/v1/namespaces/{namespace}/endpoints/your-service

Replace {namespace} with the namespace of the your-service Endpoints resource.

To extract the IP addresses from the returned JSON, pipe the output to a tool like jq:

... | jq -r '.subsets[].addresses[].ip'

IMPORTANT: The Pod from which you are executing this needs read permissions for the Endpoints resource, otherwise the API request will be denied.

You can do this by creating a ClusterRole, ClusterRoleBinding, and Service Account - set this up once:

$ kubectl create sa endpoint-reader-sa
$ kubectl create clusterrole endpoint-reader-cr --verb=get,list --resource=endpoints
$ kubectl create clusterrolebinding endpoint-reader-crb --serviceaccount=default:endpoint-reader-sa --clusterrole=endpoint-reader-cr

Next, use the created ServiceAccount endpoint-reader-sa for the Pod from which you want to execute the above curl command, by specifying it in the pod.spec.serviceAccountName field.

Granting permissions for any different API operations works in the same way.

Source: get-pod-ip.

And, as @ITChap also mentioned, a similar answer: kubectl-from-inside-the-pod.

Malgorzata
  • Thanks, that helps. I added my configuration in the question, but I keep getting: }, "status": "Failure", "message": "endpoints is forbidden: User \"system:anonymous\" cannot list resource \"endpoints\" in API group \"\" in the namespace \default\"", "reason": "Forbidden", "details": { "kind": "endpoints" }, "code": 403 What may be wrong here? – NoamiA Feb 10 '21 at 10:21
  • 1
    Can you make sure that your kubelet is run with the --authentication-token-webhook flag https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/#kubelet-authentication ? If not, add it and then restart the kubelet using the command: sudo systemctl restart kubelet – Malgorzata Feb 10 '21 at 10:50
  • 1
    I succeeded in getting the endpoint only in my namespace for my service. Is there a way to get them from all namespaces? curl -k -H "Authorization: Bearer $(cat /var/run/secrets/kubenetes.io/serviceaccount/token)" https://kubernetes.default.svc:443/api/v1/namespaces/default/endpoints/elasticsearch-client – NoamiA Feb 10 '21 at 10:54
  • I think you cannot do it from within the pod; Pods are isolated in namespaces. Usually they don't have information about resources in different namespaces (a simple app pod) or about different pods if they don't have enough privileges. If my answer was useful, please accept it and upvote it so it is more visible to the community. – Malgorzata Feb 10 '21 at 11:25
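As an added example (not code from the answer or from the question's Helm chart), the same in-pod Endpoints lookup, but verifying the API server with the CA bundle mounted next to the token instead of curl -k, plus a small decoder for the 403 body quoted in the comments. The SA_DIR and KUBERNETES_API variables and the function names are my own; the mount path under /var/run/secrets/kubernetes.io/serviceaccount and the /api/v1 URLs are the standard ones.

```shell
#!/bin/sh
# Added example: in-pod Endpoints lookup with CA verification, and a decoder
# for the API's Status body. Directory and URL are overridable for testing.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"
API="${KUBERNETES_API:-https://kubernetes.default.svc:443}"

# URL for one Endpoints object. The namespace defaults to the pod's own, read
# from the mount (this is what the answer's {namespace} placeholder stands for).
endpoints_url() {
  ns="$2"
  [ -n "$ns" ] || ns="$(cat "$SA_DIR/namespace")"
  echo "$API/api/v1/namespaces/$ns/endpoints/$1"
}

# Cluster-wide list. Only authorized when the binding is a ClusterRoleBinding;
# the question's template is kind: RoleBinding, which grants in one namespace.
all_endpoints_url() {
  echo "$API/api/v1/endpoints"
}

# Fetch with --cacert so the server identity is checked, and refuse to send an
# empty token: "Bearer " with nothing after it counts as no credentials, which
# is how a request ends up being evaluated as system:anonymous.
get_endpoints() {
  token="$(cat "$SA_DIR/token" 2>/dev/null)"
  if [ -z "$token" ]; then
    echo "empty or missing token at $SA_DIR/token" >&2
    return 2
  fi
  curl -sS --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $token" "$(endpoints_url "$1" "$2")"
}

# Extract subsets[].addresses[].ip without jq (minimal images rarely ship it).
endpoint_ips() {
  grep -o '"ip": *"[^"]*"' | sed 's/.*"\([^"]*\)"$/\1/'
}

# Classify an API Status body passed as $1 (the response text).
diagnose() {
  case "$1" in
    *system:anonymous*'"code": 403'*)
      echo "anonymous 403: no usable bearer token reached the API server" ;;
    *'"code": 403'*)
      echo "rbac 403: the service account lacks this verb on endpoints here" ;;
    *'"code": 401'*)
      echo "401: the token was presented but rejected" ;;
    *) echo "ok" ;;
  esac
}
```

From outside the pod, kubectl auth can-i list endpoints --as=system:serviceaccount:default:endpoint-reader-sa confirms the binding from the answer before you start debugging inside the container.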