0

Is it possible for an app running inside a pod to get details/metadata about its own pod. I know this can be easily achieved using downwardAPI or env variables.

Is there a third way?

I want to find out the service account and namespace of the pod without using either of these approaches. Is it possible?

G13
  • 75
  • 1
  • 1
  • 5

1 Answers1

1

Any particular reason to decouple container details ? Bear in mind that the downward api is intended to get details such as service account. Now, responding to your question i envision two possible ways to achieve your objective, kubectl and API Server. I elaborated on the kubectl approach:

Kubernetes client (kubectl)

  • Get information about your Kubernetes secret object

kubectl get secret --namespace={namespace}

Following is a sample output:

NAME                  TYPE                                  DATA      AGE
admin.registrykey     kubernetes.io/dockercfg               1         1h
default-token-2mfqv   kubernetes.io/service-account-token   3         1h
  • Get details of the service account token

kubectl get secret default-token-2mfqv --namespace={namespace} -o yaml

Following is a sample output, notice the annotations section:

apiVersion: v1
data:
 ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVRENDQWppZ0F3SUJBZ0lKQUxSSHNCazBtblM4TUEwR0NTcUdTSWIzRFFFQkN3VUFNQjh4SFRBYkJnTlYKQkFNTUZERXlOeTR3TGpBdU1VQXhORGczTWprNU1EZ3lNQjRYRFRFM01ESXhOekF5TXpnd01sb1hEVEkzTURJeApOVEF5TXpnd01sb3dIekVkTUJzR0ExVUVBd3dVTVRJM0xqQXVNQzR4UURFME9EY3lPVGt3T0RJd2dnRWlNQTBHCkNTcUdTSWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFDMTUwZWxjRXZXUDBMVFZZK09jNTl4ZG9PUCtXb08Kd3BGNGRxaGpDSDdyZGtUcGVKSE1zeW0raU4wMWxBSjNsc2UvYjB0V2h5L1A5MVZpZmpjazFpaDBldDg0eUZLawpuQWFaNVF6clJxQjk2WGZ3VVVyUElZc0RjRlpzbnAwZUlZU0xJdEhSSHQ3dlY0R3hqbG1TLzlpMzBIcW5rTWJTCmtCbU0xWEp2ZXdjVkROdE55NUE3K1RhNmJWcmt5TlpPZFFjZTkzMk0yTGZ2bUFORzI2UTRtd0x1MlAxNnZGV3EKbkdDd055OVl3Y0k2YVhpQTFSVTNLdWR5d00zZzN2aU03UVMyMXRGbkh4RzJrcU5NNHVKdWZDYnNNZ1gwd1hNQgpuZWZzZ053K0p1b2VnZzFVcHd5RmQydjVyMEpQVkxBN0N1T1d6RzVtK0RrNWNlWExOaGVwMDhxUkFnTUJBQUdqCmdZNHdnWXN3SFFZRFZSME9CQllFRkxlV3ZDOThkZFJxQ2t0eGVla2t5bnY1aCtDSU1FOEdBMVVkSXdSSU1FYUEKRkxlV3ZDOThkZFJxQ2t0eGVla2t5bnY1aCtDSW9TT2tJVEFmTVIwd0d3WURWUVFEREJReE1qY3VNQzR3TGpGQQpNVFE0TnpJNU9UQTRNb0lKQUxSSHNCazBtblM4TUF3R0ExVWRFd1FGTUFNQkFmOHdDd1lEVlIwUEJBUURBZ0VHCk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQ2Z1ZTdQcVFFR2NMUitjQ2tJMXdISHR2ei9tZWJmNndqUHBqN0oKamV5TG5aeWVZMUVZeEJDWEJEYk9BaU5BRTh6aWQrcm1Fd0w5NndtOGFweUVnbEN6aDhmU1ZoZ1dtYmZKSUNQQQpTTGdFZ1ZjOFJDQk5OdjUwWTQ4L0NXWXFZL2pjZkxYQ1VOdVU5RXhQd1BKRE9jNHhFOFg1NHZDekxzZUF3ZnQ0CmlBS0R0QzZmS0FMNXZQL3RRbHBya2FuVC9zcEVackNZV2IyZXlkRjV4U1NMKzNUbVJTeXgvUkczd1FTWEtCT3cKVGdjaWxJdFQ1WlAwQ0V2WHI1OFBMRXZKMVE1TGZ2Q0w0bkliTEEzMmVucUQ4UlZkM01VbkgxSnFpLzU4VktLQgo4SFpBb1V2bkl2SG5SNGVVbnAwMXFWVFpsS21Xc0JtbjV3MkxaS1FWMEIvVzlnSFAKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
 namespace: ZGVmYXVsdA==
 token: ZXlKaGJHY2lPaUpTVXpJMU5pSXNJblI1Y0NJNklrcFhWQ0o5LmV5SnBjM01pT2lKcmRXSmxjbTVsZEdWekwzTmxjblpwWTJWaFkyTnZkVzUwSWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXVZVzFsYzNCaFkyVWlPaUprWldaaGRXeDBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5elpXTnlaWFF1Ym1GdFpTSTZJbVJsWm1GMWJIUXRkRzlyWlc0dE1tMW1jWFlpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1dVlXMWxJam9pWkdWbVlYVnNkQ0lzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVnlkbWxqWlMxaFkyTnZkVzUwTG5WcFpDSTZJbVJtTkRReFl6WTVMV1kwWW1FdE1URmxOaTA0TVRVM0xUVXlOVFF3TURJeU5XSTFNeUlzSW5OMVlpSTZJbk41YzNSbGJUcHpaWEoyYVdObFlXTmpiM1Z1ZERwa1pXWmhkV3gwT21SbFptRjFiSFFpZlEuWlN4MTNtY3JPcEwteVFmQWtTV05Ja0VELUIxeTNnckJTREg0Z1lwMnNkb2FZNXBSaWMxc3hXWjRDb0M0YVlnN3pzc09oWHk0NDc5VTh6RTVmVmZ3eFdCSXVWUDVoTEJwWTFHOWhlMzZzSkw1dEpjY2dqSVZhaTFZcHUtQld0dERkRFhnUVZXSHZtQmt0STVPaG1GMTFoWFNqd05VUDhYb2NNY1lKMzZUcFZxbkZCLUZaZ1RnN2h5eWdoclN4MnZTTThHNWhPMWlEdXFFbGlrNTUzQy1razVMTGFnc01DRVpkblBKM2tFb0dzX3hoTVVsaDc3OEkweTMwV3FwYW9uOHBLS1I1NjIzMjd6eTdXNGY0UnJhc3VPSGZwUGE3SVE5cU1ub21fcWxBcWxDQ3lXVEkyV3dxQ09xdnNHUmdNUHJjemc3WnYzLWlXRktBaVc3ZU5VYnVR
kind: Secret
metadata:
 annotations:
   kubernetes.io/service-account.name: default
   kubernetes.io/service-account.uid: df441c69-f4ba-11e6-8157-525400225b53
 creationTimestamp: 2017-02-17T02:43:33Z
 name: default-token-2mfqv
 namespace: default
 resourceVersion: "37"
 selfLink: /api/v1/namespaces/default/secrets/default-token-2mfqv
 uid: df5f1109-f4ba-11e6-8157-525400225b53
type: kubernetes.io/service-account-token

Theres a complete document here

jmvcollaborator
  • 2,141
  • 1
  • 6
  • 17
  • I am not sure if I understood your response correctly. Here you assumed that i know the namespace. Well my application runs inside a container of course. The question is, does it know anything about itself without any external intervention or can it find anything about itself using the service account token which it has access to? – G13 Apr 13 '23 at 02:42
  • 1
    by external intervention you mean, get namespaces, secret, etc. correct? if that is what you are pointing im tempted to say that it is not possible. what are your constraints for the downard api since is the responsable to provide what you are looking for without any intervention. – jmvcollaborator Apr 13 '23 at 02:48
  • something that comes up to my mind is to execute the commands above (yes unfortunately knowing namespace,secret beforehand) on a shell script at deploy definition time using initContainers section. – jmvcollaborator Apr 13 '23 at 02:49
  • 1
    My constraint was that I was working on an open source project and the less intrusive I am with their pod specs/configuration, the better it is. By the way I realised that I could find the information that I was looking for(ns and sa) from the service account token mounted on my pod. By decoding & parsing the jwt, I could see the namespace and serviceAccount info under the custom claim "kubernetes.io". Thanks for your support though @jmvcollaborator – G13 Apr 13 '23 at 05:56