Question 27 - Manual API Access via Curl
Question 27 | Curl Manually Contact API
Use context: kubectl config use-context k8s-c1-H
There is an existing ServiceAccount secret-reader in Namespace project-hamster. Create a Pod of image curlimages/curl:7.65.3 named tmp-api-contact which uses this ServiceAccount. Make sure the container keeps running.
Exec into the Pod and use curl to access the Kubernetes Api of that cluster manually, listing all available secrets. You can ignore insecure https connection. Write the command(s) for this into file /opt/course/e4/list-secrets.sh.
kubectl config use-context k8s-c1-H
k run tmp-api-contact -n project-hamster --image curlimages/curl:7.65.3 --dry-run=client -o yaml --command -- sleep 5d > /opt/course/27/pod.yaml
vim /opt/course/27/pod.yaml
# /opt/course/27/pod.yaml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: tmp-api-contact
  name: tmp-api-contact
  namespace: project-hamster
spec:
  serviceAccountName: secret-reader   # added by hand: the generated manifest has no ServiceAccount
  containers:
  - image: curlimages/curl:7.65.3
    name: tmp-api-contact
    command:                          # keeps the container running (from --command -- sleep 5d)
    - sleep
    - 5d
    resources: {}
  dnsPolicy: ClusterFirst
  restartPolicy: Always
status: {}
Let's apply it...
k apply -f /opt/course/27/pod.yaml
# Let's check that the ServiceAccount actually has permission for this
k auth can-i get secret --as system:serviceaccount:project-hamster:secret-reader
yes
If this Pod needs to hit the API, it has to authenticate with the ServiceAccount token that is automatically mounted into the container (from the ServiceAccount's token secret). We can use that token to access the API.
CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl --cacert ${CACERT} https://kubernetes.default/api/v1/secrets -H "Authorization: Bearer ${TOKEN}"
# /opt/course/e4/list-secrets.sh
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
curl -k https://kubernetes.default/api/v1/secrets -H "Authorization: Bearer ${TOKEN}"
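As an added example that is not part of the original exercise, the script below does the same work as the curl commands above but verifies the API server with the mounted CA instead of `-k`, and first asks the API server (a SelfSubjectAccessReview, the in-Pod equivalent of `kubectl auth can-i`) whether the ServiceAccount may list secrets. It assumes the standard ServiceAccount mount path and the `kubernetes.default` service; the function names are my own.

```shell
#!/bin/sh
# Added example: run inside the tmp-api-contact Pod (not part of the original solution).
# Assumes the projected ServiceAccount mount and the kubernetes.default service.
set -eu
SA_DIR=${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}
API=${API:-https://kubernetes.default}

# API path for listing secrets: cluster-wide when no namespace is given.
secrets_path() {
  if [ $# -ge 1 ] && [ -n "$1" ]; then
    echo "/api/v1/namespaces/$1/secrets"
  else
    echo "/api/v1/secrets"
  fi
}

# Body of a SelfSubjectAccessReview for "<verb> <resource>"; the API server answers
# with status.allowed true/false for the identity behind the bearer token.
ssar_body() {
  printf '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview","spec":{"resourceAttributes":{"verb":"%s","resource":"%s"}}}' "$1" "$2"
}

# Authenticated call that verifies the server with the mounted CA instead of curl -k.
api_call() {
  curl -sS --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
    "$@"
}

main() {
  # 1. Ask the API server whether this ServiceAccount may list secrets.
  api_call -X POST -H 'Content-Type: application/json' \
    -d "$(ssar_body list secrets)" \
    "$API/apis/authorization.k8s.io/v1/selfsubjectaccessreviews"
  echo
  # 2. List secrets (all namespaces, or the namespace passed as first argument).
  api_call "$API$(secrets_path "${1:-}")"
}

# Only run when ServiceAccount credentials are actually mounted (i.e. inside the Pod).
if [ -r "$SA_DIR/token" ]; then
  main "$@"
fi
```

Inside the Pod, `sh list-secrets.sh project-hamster` limits the listing to one namespace; with no argument it lists cluster-wide like the original command.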