Let's say I need to access my Kubernetes API directly by address, e.g. https://1.2.3.4:6443.

So I create a service account, a token and a role binding, like this:

apiVersion: "v1"
kind: "Namespace"
metadata:
  name: "test"
---
apiVersion: "v1"
kind: "ServiceAccount"
metadata:
  name: "test"
  namespace: "test"
secrets:
  - name: "test-token"
---
apiVersion: "v1"
kind: "Secret"
metadata:
  name: "test-token"
  namespace: "test"
  annotations:
    kubernetes.io/service-account.name: "test"
type: "kubernetes.io/service-account-token"
---
kind: "ClusterRoleBinding"
apiVersion: "rbac.authorization.k8s.io/v1"
metadata:
  name: "test-kubelet-api-admin"
roleRef:
  kind: "ClusterRole"
  name: "system:kubelet-api-admin"
  apiGroup: "rbac.authorization.k8s.io"
subjects:
  - kind: "ServiceAccount"
    name: "test"
    namespace: "test"

Then, for manual testing, I extract the token (kubectl describe secret -n test test-token) and use it in a curl command like this:

$ curl --insecure --header "Authorization: Bearer [...]" https://1.2.3.4:6443

No matter what roles I assign to the service account, I always get this authentication/authorization error:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}

What am I doing wrong? What do I need to do to make this work? What roles or role bindings do I need? Can someone help?

I expect to successfully get a non-error response from the Kubernetes API.

morot
    That's strange. I've copied all of the resources that you've created and it works for me `(User \"system:serviceaccount:test:test\" cannot get path \"/\"")`. Are you sure the `curl` command is 100% right? Are you passing it by variable or it's just a direct paste? – Dawid Kruk Feb 23 '23 at 18:02
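Added example, not code from the question or the comment: a small Python helper that shows what the `describe`/`get` difference does to the token, sanity-checks the token's `sub` claim before it is sent, and reads the 403 Status body the way the comment above does, since the User quoted in the message tells you whether authentication or authorization failed. The Secret and the token are constructed stand-ins, not real cluster credentials.

```python
import base64
import json
import re

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed stand-in for a service-account token: real JWT layout and claims,
# fake signature. It is not a credential for any cluster.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "kid": "constructed"}),
    _b64url({"iss": "kubernetes/serviceaccount", "sub": "system:serviceaccount:test:test"}),
    "constructed-signature",
])

# Constructed Secret as `kubectl get secret -n test test-token -o json` would return it:
# every value under .data is base64, unlike the already-decoded output of `kubectl describe`.
SAMPLE_SECRET = {"type": "kubernetes.io/service-account-token",
                 "data": {"token": base64.b64encode(SAMPLE_TOKEN.encode()).decode()}}
JWT_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")

def token_from_secret(secret):
    """Decode .data.token; pasting the base64 form into the header authenticates as nobody."""
    return base64.b64decode(secret["data"]["token"]).decode()

def token_subject(token):
    """Read the `sub` claim without verifying the signature, purely to confirm the token
    belongs to the expected service account before it is sent anywhere."""
    if not JWT_RE.fullmatch(token):
        raise ValueError("not a JWT: a placeholder such as [...] or a base64 blob was pasted")
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]

def auth_header(token):
    """Exactly what curl must send: header name, the word Bearer, one space, the raw token."""
    token_subject(token)  # reject malformed tokens before they reach the API server
    return {"Authorization": "Bearer " + token}

def diagnose_status(status):
    """Classify a Status response from the API server. The User quoted in a 403 message is
    who the server thinks you are: system:anonymous means the bearer token never
    authenticated (header missing or malformed); system:serviceaccount:<ns>:<name> means
    authentication succeeded and only RBAC stands in the way."""
    if status.get("code") != 403:
        return "not-forbidden"
    m = re.search(r'User "([^"]+)"', status.get("message", ""))
    user = m.group(1) if m else ""
    if user == "system:anonymous":
        return "authentication-failed"
    if user.startswith("system:serviceaccount:"):
        return "authorization-failed"
    return "other"
```

Run `diagnose_status` on the JSON body curl returns: the question's response classifies as an authentication failure, while the message the commenter saw classifies as an authorization failure that a ClusterRoleBinding would fix.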