kubernetes
Accessing the kube API from a pod
misankim
2023. 3. 7. 00:39
# Define the Role, RoleBinding and ServiceAccount
vim role-test.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-test
  namespace: sample-rollout
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-test
  namespace: sample-rollout
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: role-test
subjects:
- kind: ServiceAccount
  name: role-test
  namespace: sample-rollout
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: role-test
  namespace: sample-rollout
(Reference) Permissions for reading pod and CronJob information
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: role-test2
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
- apiGroups:
  - batch
  resources:
  - cronjobs
  verbs:
  - get
  - list
# Access the kube API from inside the pod
-> Configure the pod manifest to use the role-test Kubernetes service account and deploy it (the service account's token, CA certificate and namespace are then mounted into the container under /var/run/secrets/kubernetes.io/serviceaccount)
Define the kube API environment variables
APISERVER=https://kubernetes.default.svc
SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)
TOKEN=$(cat ${SERVICEACCOUNT}/token)
CACERT=${SERVICEACCOUNT}/ca.crt
Test kube API access
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api
Output
{
  "kind": "APIVersions",
  "versions": [
    "v1"
  ],
  "serverAddressByClientCIDRs": [
    {
      "clientCIDR": "0.0.0.0/0",
      "serverAddress": "10.0.0.182:443"
    }
  ]
}
Check the pod's own information (inside a container, $HOSTNAME defaults to the pod name, which is why it can be used as the pod name in the path)
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/pods/${HOSTNAME}
curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/${NAMESPACE}/pods/${HOSTNAME} | jq -r .status.containerStatuses
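The same flow as the curl commands above, written as an added Python example (not code from the original post): it reads the projected service-account mount, verifies TLS against the mounted cluster CA, fetches the pod's own object by $HOSTNAME and reduces status.containerStatuses to a ready/restart summary. SAMPLE_POD is a constructed response used only to exercise the parser offline; the function names are this example's own.

```python
import json
import os
import ssl
import urllib.request

APISERVER = "https://kubernetes.default.svc"
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"

def load_sa(sa_dir=SA_DIR):
    """Read namespace, bearer token and CA path from the projected SA mount."""
    with open(os.path.join(sa_dir, "namespace")) as f:
        namespace = f.read().strip()
    with open(os.path.join(sa_dir, "token")) as f:
        token = f.read().strip()
    return namespace, token, os.path.join(sa_dir, "ca.crt")

def pod_url(namespace, pod, apiserver=APISERVER):
    """Same path the curl command uses: /api/v1/namespaces/<ns>/pods/<name>."""
    return f"{apiserver}/api/v1/namespaces/{namespace}/pods/{pod}"

def kube_get(url, token, cacert):
    """GET a JSON API object; TLS is verified against the mounted cluster CA."""
    ctx = ssl.create_default_context(cafile=cacert)
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

def container_summary(pod):
    """Reduce status.containerStatuses to {name: (ready, restartCount)}."""
    statuses = pod.get("status", {}).get("containerStatuses") or []
    return {c["name"]: (bool(c.get("ready")), int(c.get("restartCount", 0)))
            for c in statuses}

# Constructed sample shaped like a Pod object (not captured from a real cluster).
SAMPLE_POD = {
    "kind": "Pod",
    "metadata": {"name": "web-0", "namespace": "sample-rollout"},
    "status": {"containerStatuses": [
        {"name": "app", "ready": True, "restartCount": 0},
        {"name": "sidecar", "ready": False, "restartCount": 3},
    ]},
}

if __name__ == "__main__":
    # Only meaningful inside a pod running as the role-test service account.
    ns, token, cacert = load_sa()
    me = kube_get(pod_url(ns, os.environ["HOSTNAME"]), token, cacert)
    print(json.dumps(container_summary(me), indent=2))
```

Because the Role only grants get/list on pods, the same token gets a 403 from the API server on any other resource or verb, which is the least-privilege check worth confirming after deployment.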