
I have deployed the metric-server on my Kubernetes cluster, and it works fine when I run the following command:

    kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes

I want to access the metric-server from a pod. For that, I use the IP of service/metric-server, and it is in the same namespace as the metric-server. This is how I'm trying to access the metrics:

    myurl := fmt.Sprintf("https://%s:%s/apis/metrics.k8s.io/v1beta1/nodes/", serviceHost, servicePort)
    u, err := url.Parse(myurl)
    if err != nil {
        panic(err)
    }
    req, err := http.NewRequest(httpMethod, u.String(), nil)
    if err != nil {
        log.Printf("Can't send req: %s", err)
    }
    caToken, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
    if err != nil {
        panic(err) // cannot find token file
    }

    req.Header.Set("Content-Type", "application/json")
    req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", string(caToken)))

    caCertPool := x509.NewCertPool()
    caCert, err := ioutil.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
    if err != nil {
        panic(err)
    }
    caCertPool.AppendCertsFromPEM(caCert)

    client := &http.Client{
        Transport: &http.Transport{
            TLSClientConfig: &tls.Config{
                RootCAs: caCertPool,
            },
        },
    }

    resp, err := client.Do(req)
    if err != nil {
        log.Printf("sending helm deploy payload failed: %s", err.Error())
        panic(err)
    }

This is not working, and the log output of the pod is:

    Get https://METRIC-SERVER-SERVICE-IP/apis/metrics.k8s.io/v1beta1/nodes: x509: certificate is valid for 127.0.0.1, not METRIC-SERVER-SERVICE-IP

Is this the right way to access the metric-server from a pod?

mR.aTA
  • This error looks certificate related, although the message is a little confusing. While I'm going cross-namespace, I have done a curl test to the metrics-server-service, which results in a cert error. I then add the `--insecure` flag, which gets a forbidden error, which I'd expect. Hopefully this points you in the right direction. – leeman24 Oct 31 '19 at 18:38
  • You should go over [Access Clusters Using the Kubernetes API](https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#accessing-the-api-from-a-pod), as it explains how to properly use the Kubernetes API in a number of examples and languages. – Crou Nov 04 '19 at 15:12

1 Answer


What I did so I can access the metrics-server on a local deployment:

  1. Set proper RBAC.
  2. Inside the pod:

         export CURL_CA_BUNDLE=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
         # read the service account token (not ca.crt) into TOKEN
         TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
         # -k makes curl skip certificate verification
         curl -H "Authorization: Bearer $TOKEN" -k https://10.100.123.57/apis/metrics.k8s.io/v1beta1/nodes

iliefa
  • I used [this](https://stackoverflow.com/questions/30690186/how-do-i-access-the-kubernetes-api-from-within-a-pod-container/49801664#49801664), which reads the ca.crt file, but it's not working and I get the same log `x509: certificate is valid for 127.0.0.1, not METRIC-SERVER-SERVIC-IP` – mR.aTA Nov 01 '19 at 15:18