
I have a main pod that accesses and makes Kubernetes API calls to deploy other pods (code similar to the example below). It works fine. Now, I don't want to use the config file. I know it's possible with a service account: https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/. How do I configure a service account (e.g. the default service account) that allows my pod to access the APIs?

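    import io.kubernetes.client.openapi.ApiClient;
    import io.kubernetes.client.openapi.ApiException;
    import io.kubernetes.client.openapi.Configuration;
    import io.kubernetes.client.openapi.apis.CoreV1Api;
    import io.kubernetes.client.openapi.models.V1Pod;
    import io.kubernetes.client.openapi.models.V1PodList;
    import io.kubernetes.client.util.ClientBuilder;
    import io.kubernetes.client.util.KubeConfig;
    import java.io.FileReader;
    import java.io.IOException;

    public class KubeConfigFileClientExample {
      public static void main(String[] args) throws IOException, ApiException {

        // file path to your KubeConfig (Java does not expand "~", so build it from user.home)
        String kubeConfigPath = System.getProperty("user.home") + "/.kube/config";

        // loading the out-of-cluster config, a kubeconfig from file-system
        ApiClient client =
            ClientBuilder.kubeconfig(KubeConfig.loadKubeConfig(new FileReader(kubeConfigPath))).build();

        // set the global default api-client to the kubeconfig-based one from above
        Configuration.setDefaultApiClient(client);

        // the CoreV1Api loads default api-client from global configuration.
        CoreV1Api api = new CoreV1Api();

        // invokes the CoreV1Api client
        V1PodList list = api.listPodForAllNamespaces(null, null, null, null, null, null, null, null, null);
        System.out.println("Listing all pods: ");
        for (V1Pod item : list.getItems()) {
          System.out.println(item.getMetadata().getName());
        }
      }
    }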
Jonas
Kevin N

1 Answer


The official Java client has an in-cluster client example.

It is quite similar to your code; you need to use a different ClientBuilder:

    ApiClient client = ClientBuilder.cluster().build();

and use it like this:

    // loading the in-cluster config, including:
    //   1. service-account CA
    //   2. service-account bearer-token
    //   3. service-account namespace
    //   4. master endpoints(ip, port) from pre-set environment variables
    ApiClient client = ClientBuilder.cluster().build();

    // set the global default api-client to the in-cluster one from above
    Configuration.setDefaultApiClient(client);

    // the CoreV1Api loads default api-client from global configuration.
    CoreV1Api api = new CoreV1Api();
Jonas
  • Do I need to configure or add roles to the "default" service account? – Kevin N Sep 27 '21 at 18:42
  • Yes, you will get errors and the error messages describe what permissions you are missing. – Jonas Sep 27 '21 at 19:12
  • I see errors below. How do I add permissions to the default service account? "Failure", "message", "Services is forbidden: User "system:serviceaccount:default:default" cannot create resource "services" in API group " in the namespace "default" ","reason":"Forbidden","details":{"kind":"services"},"code":403} :"Failure","message":"deployments.apps is forbidden: User "system:serviceaccount:default:default" cannot create resource "deployments" in API group "apps" in the namespace "default"","reason":"Forbidden","details":{"group":"apps","kind":"deployments"},"code":403} – Kevin N Sep 29 '21 at 00:52
  • See https://kubernetes.io/docs/reference/access-authn-authz/rbac/ – Jonas Sep 29 '21 at 05:54
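
An added example, not part of the original answer or comments: a namespaced Role and RoleBinding that grant exactly the two permissions named in the 403 errors above (create `services` in the core group, create `deployments` in `apps`), bound to a dedicated service account instead of `default`, because every pod in the namespace that does not set `serviceAccountName` runs as `default` and would inherit the same rights. The names `pod-deployer`, `deployer-role`, `deployer-binding`, `main-pod` and the container image are assumptions.

```yaml
# Added example; names marked "hypothetical" are assumptions, not from the original post.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-deployer              # hypothetical dedicated account for the main pod
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                        # namespaced: grants nothing outside "default"
metadata:
  name: deployer-role             # hypothetical
  namespace: default
rules:
  - apiGroups: [""]               # "" is the core API group (services)
    resources: ["services"]
    verbs: ["create"]             # add get/list/update/delete only if the app calls them
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployer-binding          # hypothetical
  namespace: default
subjects:
  - kind: ServiceAccount
    name: pod-deployer
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: deployer-role
---
apiVersion: v1
kind: Pod
metadata:
  name: main-pod                  # hypothetical
  namespace: default
spec:
  serviceAccountName: pod-deployer   # token for this account is mounted for ClientBuilder.cluster()
  containers:
    - name: main
      image: registry.example/main-app:1.0   # placeholder image
```

After applying the manifest, `kubectl auth can-i create deployments --as=system:serviceaccount:default:pod-deployer -n default` should answer `yes`, while the same check for `system:serviceaccount:default:default` should still answer `no`. Listing pods across all namespaces, as in the question's code, is cluster-scoped and would need a ClusterRole and ClusterRoleBinding instead.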