4

I have a config map which I need to read from K8s via the API.

I created a cluster role

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: zrole
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list"]

and cluster role binding

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: z-role-binding
subjects:
- kind: Group
  name: system:serviceaccounts
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: zrole

Config Map

apiVersion: v1
kind: ConfigMap
metadata:
  name: z-config
  namespace: fdrs
data:
  avr: client1
  fuss: xurbz

The code is used like

clientSet.CoreV1().ConfigMaps(uNamespcae)

When I run the code locally (and provide the kubeconfig to the Go API) I am able to get the config map data. However, when I run the code inside the cluster I get the error: invalid token. Any idea what I am missing here?

4
  • Have you attached a service account to the pod? Commented Dec 8, 2019 at 9:49
  • @zerkms - it runs from local without service-account, is this a must to use machinery permission in this case? If yes, please provide it as an answer and I’ll close the question. Thanks Commented Dec 8, 2019 at 10:04
  • I think it is related to kubeconfig not being set properly. Do you set KUBECONFIG environment variable? Commented Dec 8, 2019 at 11:26
  • @Jonlib "it runs from local without service-account" --- that's a weak argument. To interact with API you need a valid token. If you have created a zrole role - you must create a service account and attach it to a container. Commented Dec 8, 2019 at 19:24

1 Answer

2

Check automountServiceAccountToken in the pod spec. By default it's set to true, but maybe you have it disabled.

Use the official Go client. It reads the correct configuration and tokens by default. https://github.com/kubernetes/client-go/blob/master/examples/in-cluster-client-configuration/main.go

If you don't use it, then use the correct configuration: https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#directly-accessing-the-rest-api-1

Check the token in the pod: /var/run/secrets/kubernetes.io/serviceaccount/token and use the kubernetes service.


2 Comments

Thanks! you write to check the automountServiceAccountToken and the path to the token , could you please write how to do it from the cli ?
By checking automountServiceAccountToken I mean to check your yaml files. Just look for it. If you can not find it, most likely it is enabled. The token could be checked very easily. Just "exec" into the pod and see if the files are there: kubectl exec -it <pod-name> sh. Then ls /var/run/secrets/kubernetes.io/serviceaccount/token.
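The check described in the answer can also be run from inside the container. The following is an added example, not code from the post or from client-go: a standard-library-only Go diagnostic that reports which mounted credential files are missing and decodes the token's claims without verifying the signature, so you can see which service account the pod presents and whether the token has expired. The function names are hypothetical.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

const saDir = "/var/run/secrets/kubernetes.io/serviceaccount" // path from the answer

// missingFiles lists the credential files absent from dir (all three if automount is off).
func missingFiles(dir string) (missing []string) {
	for _, f := range []string{"token", "ca.crt", "namespace"} {
		if _, err := os.Stat(filepath.Join(dir, f)); err != nil {
			missing = append(missing, f)
		}
	}
	return missing
}

// tokenInfo decodes the JWT payload WITHOUT verifying the signature (diagnostic only).
func tokenInfo(raw string, now time.Time) (sub string, expired bool, err error) {
	parts := strings.Split(strings.TrimSpace(raw), ".")
	if len(parts) != 3 {
		return "", false, fmt.Errorf("not a JWT: got %d dot-separated parts", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", false, err
	}
	var c struct {
		Sub string  `json:"sub"`
		Exp float64 `json:"exp"`
	}
	if err = json.Unmarshal(payload, &c); err != nil {
		return "", false, err
	}
	// A token without an exp claim (Exp == 0) is treated as non-expiring.
	return c.Sub, c.Exp != 0 && now.Unix() >= int64(c.Exp), nil
}

func main() {
	raw, _ := os.ReadFile(filepath.Join(saDir, "token")) // empty if not mounted
	sub, expired, err := tokenInfo(string(raw), time.Now())
	fmt.Println("missing:", missingFiles(saDir), "subject:", sub, "expired:", expired, "error:", err)
}
```

A subject of the form system:serviceaccount:<namespace>:<name> tells you which account the ClusterRoleBinding has to cover.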
