Sam Perrin TIL Blog

Kubernetes - Create Cluster Role for API Access

September 16, 2019

First create the service account - where “api-service-account” is the name of the account.

kubectl create serviceaccount api-service-account

Create a yml file which will contain your ClusterRole and ClusterRoleBinding. If using a name other than “api-service-account”, make sure to replace the entries for it in the below yml to match your account name.

vi apiRole.yml

I used this as a reference for ClusterRoles; in the example below I copied the “Read All” role from https://github.com/devopscube/kubenetes-rbac-resources-verbs/blob/master/README.md. Note that, despite the name, the rule below uses verbs: ["*"], which grants every verb (create, update, patch, delete included) on every listed resource, plus "*" on every non-resource URL. For an account that only needs to read the API, restrict verbs to get, list and watch. A ClusterRoleBinding also applies the role in every namespace; if one namespace is enough, bind with a RoleBinding instead.

apiVersion: rbac.authorization.k8s.io/v1   # v1beta1 (used in the original) was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: api-access
rules:
  - apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions                # Ingress lives in networking.k8s.io on current clusters; extensions is gone since 1.22
      - policy
      - rbac.authorization.k8s.io # no RBAC resources are listed below, so this group grants nothing here
    resources:
      - componentstatuses
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingresses                 # resource names are plural; "ingress" matches nothing
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
    verbs: ["*"]                  # every verb, including create/update/delete; use ["get", "list", "watch"] for read-only
  - nonResourceURLs: ["*"]        # every non-resource path (/metrics, /logs, ...); /openapi/v2 is all this post needs
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1   # same note as above: v1beta1 no longer exists on current clusters
kind: ClusterRoleBinding
metadata:
  name: api-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: api-access
subjects:
- kind: ServiceAccount
  name: api-service-account
  namespace: default              # the service account was created in the default namespace above

Apply the apiRole.yml

kubectl apply -f apiRole.yml

Use jq and kubectl to get the name of the account's token secret, and store it in a variable called SECRET. This relies on the token secret that Kubernetes auto-generated for every service account up to 1.23; from 1.24 onwards .secrets is empty, and you request a (time-limited) token with kubectl create token api-service-account instead.

SECRET="$(kubectl get serviceaccount api-service-account -o json | jq -r '.secrets[].name')"

Use jq and kubectl again to pull the token out of the secret and base64-decode it. The same secret also carries the cluster CA certificate under data."ca.crt", which is what lets you verify the API server's TLS certificate later instead of disabling verification.

TOKEN="$(kubectl get secrets "$SECRET" -o json | jq -r '.data.token' | base64 --decode)"

If jq isn't available, drop everything from the pipe onwards to print the account as JSON, and make a note of the first entry under secrets. Then use that name in the second command to get the token:

kubectl get serviceaccount api-service-account -o json
kubectl get secrets <secrets[].name entry from first command> -o json

Copy the data.token value and pipe it to base64 --decode (wrap the token in quotes):

echo "<data.token value>" | base64 --decode

Get the cluster API endpoint. The kubernetes service in the default namespace fronts the API server, so its endpoints are the API server's address as seen from inside the cluster:

kubectl get endpoints | grep kubernetes

From outside the cluster, use the server address from your kubeconfig instead (kubectl cluster-info shows it).

Send an API request to your endpoint, passing the token as a Bearer token in the Authorization header. The -k flag below turns off TLS certificate verification, so anything that can sit between you and the API server can read the token; outside a throwaway lab, pass the cluster CA (the ca.crt from the token secret, or the one in your kubeconfig) with --cacert instead.

This will get the OpenAPI spec (probably better consumed in something like Postman, or pasted into https://mrin9.github.io/OpenAPI-Viewer):

curl -k https://<endpoint-IP-or-FQDN>/openapi/v2 -H "Authorization: Bearer <token>"

This will get the nodes in the cluster

curl -k https://<endpoint-IP-or-FQDN>/api/v1/nodes -H "Authorization: Bearer <token>"

This will get the pods in the cluster

curl -k https://<endpoint-IP-or-FQDN>/api/v1/pods -H "Authorization: Bearer <token>"
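The whole procedure above, tightened the way a practitioner would want it, as an added example that is not part of the original post: a read-only ClusterRole instead of verbs: ["*"], a linter that flags the wildcards in the role as written, token and CA extraction from the kubectl JSON without jq, and an API call that verifies the API server's certificate instead of curl -k. It uses only the Python standard library. The role name api-access-ro is hypothetical, and the kubectl output it parses is a constructed sample in the same shape as the real thing, not data from a cluster.

```python
"""Added example (not from the original post): the post's procedure without
verbs ["*"], without jq and without `curl -k`, standard library only.  Names are
hypothetical and the kubectl JSON below is constructed for the demo."""
import base64
import json
import ssl
import urllib.request

READ_ONLY_VERBS = ["get", "list", "watch"]

# Resources from the post's role.  "ingresses" is the real (plural) resource
# name; its API group is networking.k8s.io on current clusters.
RESOURCES = [
    "componentstatuses", "configmaps", "daemonsets", "deployments", "endpoints",
    "events", "horizontalpodautoscalers", "ingresses", "jobs", "limitranges",
    "namespaces", "nodes", "persistentvolumeclaims", "persistentvolumes", "pods",
    "replicasets", "replicationcontrollers", "resourcequotas", "serviceaccounts",
    "services",
]
API_GROUPS = ["", "apps", "autoscaling", "batch", "networking.k8s.io", "policy"]


def read_only_rbac(account, namespace="default", role="api-access-ro"):
    """ClusterRole + ClusterRoleBinding as a v1 List.  `kubectl apply -f`
    accepts JSON, so json.dump() this to a file and apply it."""
    cluster_role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": role},
        "rules": [
            {"apiGroups": API_GROUPS, "resources": RESOURCES, "verbs": READ_ONLY_VERBS},
            # The post only ever fetches the OpenAPI document, so that is the
            # only non-resource access the role needs.
            {"nonResourceURLs": ["/openapi/*"], "verbs": ["get"]},
        ],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": role},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": role},
        "subjects": [{"kind": "ServiceAccount", "name": account, "namespace": namespace}],
    }
    return {"apiVersion": "v1", "kind": "List", "items": [cluster_role, binding]}


def wildcard_findings(cluster_role):
    """Lint a ClusterRole: each '*' in verbs, resources or nonResourceURLs is one
    finding.  A genuinely read-only role returns an empty list."""
    findings = []
    for i, rule in enumerate(cluster_role["rules"]):
        for field in ("verbs", "resources", "nonResourceURLs"):
            if "*" in rule.get(field, []):
                findings.append(f"rule {i}: {field} contains '*'")
    return findings


def token_secret_name(serviceaccount_json):
    """Name of the auto-created token secret from `kubectl get sa ... -o json`.
    Returns None on 1.24+ clusters, where .secrets is empty and the token comes
    from `kubectl create token <account>` instead."""
    secrets = json.loads(serviceaccount_json).get("secrets") or []
    return secrets[0]["name"] if secrets else None


def credentials_from_token_secret(secret_json):
    """(token, ca_pem) from `kubectl get secret <name> -o json`; kubectl prints
    .data values base64-encoded, hence the single decode of each."""
    data = json.loads(secret_json)["data"]
    return (base64.b64decode(data["token"]).decode(),
            base64.b64decode(data["ca.crt"]).decode())


def build_request(server, path, token):
    """The post's curl call as a urllib Request (nothing sent yet)."""
    return urllib.request.Request(server + path,
                                  headers={"Authorization": "Bearer " + token})


def api_get(server, path, token, ca_pem):
    """GET a path, verifying the API server against the cluster CA from the
    token secret: the replacement for `curl -k`."""
    ctx = ssl.create_default_context(cadata=ca_pem)
    with urllib.request.urlopen(build_request(server, path, token), context=ctx) as r:
        return json.load(r)


# Constructed sample output in the shape of `kubectl get sa/secret -o json`.
SAMPLE_SA = json.dumps({"kind": "ServiceAccount",
                        "metadata": {"name": "api-service-account", "namespace": "default"},
                        "secrets": [{"name": "api-service-account-token-abc12"}]})
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiJ9.constructed-token"
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n"
SAMPLE_SECRET = json.dumps({"kind": "Secret", "type": "kubernetes.io/service-account-token",
                            "data": {"token": base64.b64encode(SAMPLE_TOKEN.encode()).decode(),
                                     "ca.crt": base64.b64encode(SAMPLE_CA.encode()).decode()}})
# The post's role, reduced to the fields the linter looks at.
POST_ROLE = {"rules": [{"apiGroups": API_GROUPS, "resources": RESOURCES, "verbs": ["*"]},
                       {"nonResourceURLs": ["*"], "verbs": ["*"]}]}

if __name__ == "__main__":
    manifest = read_only_rbac("api-service-account")
    print(json.dumps(manifest, indent=2))
    print("post's role:", wildcard_findings(POST_ROLE))          # three wildcard findings
    print("read-only role:", wildcard_findings(manifest["items"][0]))  # []
    token, ca = credentials_from_token_secret(SAMPLE_SECRET)
    print(token_secret_name(SAMPLE_SA), token[:12] + "...", ca.splitlines()[0])
    # Against a real cluster: api_get("https://<endpoint>:6443", "/api/v1/nodes", token, ca)
```

The linter is the check worth keeping: run it over any ClusterRole you are about to bind cluster-wide, and treat a non-empty result as a reason to narrow the rule rather than a warning to wave through. On a 1.24+ cluster, swap credentials_from_token_secret for the output of kubectl create token and take ca.crt from your kubeconfig; api_get is unchanged.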


Sam Perrin

Written by Sam Perrin who loves all things Automation related! You should follow him on Twitter