in-cluster k8s api auth


Oliver Gould

Sep 2, 2015, 6:16:07 PM
to google-c...@googlegroups.com
Hi there,

I'm playing around with a kubernetes API client (I've written a small library that reads from a few API endpoints) that I'd like to run in a Pod; and now I'm trying to figure out the best way to get authentication credentials (i.e. for an Authorization header) into my application.

We're running in GKE with several namespaces.  I can see a service account and secrets for my namespace:

$ kubectl --namespace=myns describe serviceaccounts/default
Name: default
Namespace: myns
Labels: <none>
Secrets: {  default-token-psbx8    }
Tokens: default-token-psbx8
 
$ kubectl --namespace=myns describe secrets/default-token-psbx8
Name: default-token-psbx8
Namespace: myns
Labels: <none>
Annotations: kubernetes.io/service-account.name=default,kubernetes.io/service-account.uid=...
Type: kubernetes.io/service-account-token
Data
====
token: ...
ca.crt: 1139 bytes


If I understand correctly, I should be able to use this secret in my application... somehow?... to authenticate to the Kubernetes API.  I've read all of the relevant documentation/Github issues that I could find, but I feel like I'm still missing a few steps, specifically:
- how do I give a pod access to these credentials?
- how do I use these credentials to craft an Authorization header?

Any and all pointers (even "go read this source file") are appreciated!

Thanks,
--
Oliver Gould <v...@buoyant.io>

Brendan Burns

Sep 2, 2015, 6:46:01 PM
to Containers at Google
Hey Oliver,
You need to mount the secret into your Pod.  If you are running in GKE, this should be automatically mounted into /var/run/secrets/kubernetes.io/serviceaccount/token in your Pod.

You can then supply that token in an 'Authentication' HTTP Header with your HTTP request.

For a concrete example (in Java) please see:


Hope that helps!
--brendan


Oliver Gould

Sep 2, 2015, 7:11:58 PM
to google-c...@googlegroups.com
That's exactly what I was looking for ;)  Thanks, Brendan.
--
Oliver Gould <v...@buoyant.io>

Oliver Gould

Sep 2, 2015, 9:43:17 PM
to google-c...@googlegroups.com
What's the contract around the serviceaccount secrets?  Do long-running applications need to monitor the file for changes?  Or is it safe to assume that the credentials remain unchanged for the lifetime of the pod?
--
Oliver Gould <v...@buoyant.io>

Brendan Burns

Sep 2, 2015, 10:31:40 PM
to Containers at Google

They will stay the same.  They can be revoked by deleting the secret in the case of a compromise, but that's not the expected case.

Brendan
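The following is an added example written for this page; it is not code from the thread, from Oliver's library or from the Kubernetes project. It does the two things asked about above in Go: read the token and ca.crt from the mount path Brendan names, and send the token to the API server. The HTTP header the API server checks is `Authorization: Bearer <token>`, and ca.crt should be the only root the client trusts, since a client that accepted system roots or skipped verification would hand the token to whoever terminated the TLS connection. The in-cluster address normally comes from the KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT variables the kubelet sets in every pod; the demo below hard-codes kubernetes.default.svc instead. On the second question, re-reading the file before each request costs one file read and also keeps working on newer clusters, where the kubelet projects a time-limited token into the same path and refreshes it. The names (Creds, LoadCreds, NewClient, NewRequest, WriteSampleMount) and the fixture (a throwaway self-signed CA and the made-up token sample-token-psbx8, used only when the real mount is absent) are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// MountDir is the path the kubelet projects the service-account secret into.
const MountDir = "/var/run/secrets/kubernetes.io/serviceaccount"
type Creds struct {
	Token  string         // bearer token for the Authorization header
	CAPool *x509.CertPool // CA that signed the API server's serving certificate
}

// LoadCreds reads token and ca.crt from dir; cheap enough to call per request.
func LoadCreds(dir string) (*Creds, error) {
	raw, err := os.ReadFile(filepath.Join(dir, "token"))
	if err != nil {
		return nil, fmt.Errorf("read token: %w", err)
	}
	token := strings.TrimSpace(string(raw)) // the file may end in a newline
	caPEM, err := os.ReadFile(filepath.Join(dir, "ca.crt"))
	if err != nil {
		return nil, fmt.Errorf("read ca.crt: %w", err)
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("ca.crt holds no parseable certificate")
	}
	return &Creds{Token: token, CAPool: pool}, nil
}

// NewClient trusts only the cluster CA, never system roots or InsecureSkipVerify.
func NewClient(c *Creds) *http.Client {
	tlsCfg := &tls.Config{RootCAs: c.CAPool, MinVersion: tls.VersionTLS12}
	return &http.Client{Timeout: 10 * time.Second, Transport: &http.Transport{TLSClientConfig: tlsCfg}}
}

// NewRequest builds a GET for path with the token as an RFC 6750 bearer credential.
func NewRequest(c *Creds, apiServer, path string) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodGet, "https://"+apiServer+path, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+c.Token)
	return req, nil
}

// WriteSampleMount writes a constructed fixture (throwaway self-signed CA, made-up token) into dir.
func WriteSampleMount(dir string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sample-cluster-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if err := os.WriteFile(filepath.Join(dir, "ca.crt"), caPEM, 0o600); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "token"), []byte("sample-token-psbx8\n"), 0o600)
}

func main() {
	dir := MountDir
	if _, err := os.Stat(dir); err != nil { // outside a cluster: fall back to the fixture
		dir, _ = os.MkdirTemp("", "sa-demo")
		if err := WriteSampleMount(dir); err != nil {
			panic(err)
		}
	}
	creds, err := LoadCreds(dir)
	if err != nil {
		panic(err)
	}
	req, _ := NewRequest(creds, "kubernetes.default.svc", "/api/v1/namespaces/myns/pods")
	fmt.Println(req.Method, req.URL, "bearer set:", req.Header.Get("Authorization") != "") // never log the token
}
```

Inside a pod, main reads the real mount and builds the request; the client from NewClient(creds) would then carry it to the API server. The token is the credential, so it is never printed, only the fact that the header is set.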
