kubernetes-client / c

Official C client library for Kubernetes
Apache License 2.0

API Server authentication #201

Closed ReddyArunreddy closed 10 months ago

ReddyArunreddy commented 10 months ago

Hi,

load_kube_config(&basePath, &sslConfig, &apiKeys, NULL); /* NULL means loading configuration from $HOME/.kube/config */

Here, how can I connect to the API server without copying the .kube/config file from the Kubernetes master node?

Regards, Arunreddy.

ityuhui commented 10 months ago

Refer to https://github.com/kubernetes-client/c/issues/154#issuecomment-1284862113 please.

Option 1 or 2 is what you need.

ReddyArunreddy commented 10 months ago

Actually, I'm using the C APIs from within the pod.

ityuhui commented 10 months ago

Use load_incluster_config instead of load_kube_config if your program works within a pod.

 int rc = load_incluster_config(&basePath, &sslConfig, &apiKeys);

You don't need to copy the kube config as the c client library will authenticate for you by getting

/var/run/secrets/kubernetes.io/serviceaccount/token
/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

in the pod.

An example: https://github.com/kubernetes-client/c/blob/5ac5ff25e9809a92a48111b1f77574b6d040b711/examples/list_pod_incluster/main.c#L46C7-L46C7

ReddyArunreddy commented 10 months ago

Hi,

I tried to run the in-cluster example but am getting a return value of 403.

root@ubuntu-test-6684b56c59-stdwv:~/c/examples/list_pod_incluster# make
gcc main.c -g -I../../kubernetes/include -I../../kubernetes/model -I../../kubernetes/api -I../../kubernetes/config -L../../kubernetes/build -lkubernetes -lyaml -lwebsockets -L/usr/local/lib -o list_pod_incluster_bin
root@ubuntu-test-6684b56c59-stdwv:~/c/examples/list_pod_incluster# ./list_pod_incluster_bin
The return code of HTTP request=403
Cannot get any pod.
root@ubuntu-test-6684b56c59-stdwv:~/c/examples/list_pod_incluster#

Regards, Arunreddy.

ityuhui commented 10 months ago

Can you try to debug the function load_incluster_config in your environment?

Let's see what's wrong with it.

How to enable debugging: https://github.com/kubernetes-client/c/blob/5ac5ff25e9809a92a48111b1f77574b6d040b711/README.md?plain=1#L46-L47

ReddyArunreddy commented 10 months ago

Hi,

Checked with debug enabled. The load_incluster_config API is returning 0 only; the curl request returned 403.

ityuhui commented 10 months ago

RBAC seems to restrict the access to the API server in the pod. You can check to see if your service account has permissions.

brendandburns commented 10 months ago

See more details on service account RBAC here: https://kubernetes.io/docs/concepts/security/service-accounts/#how-to-use

ReddyArunreddy commented 10 months ago

Using RBAC, I'm able to list pods and update pod labels using the load_incluster_config() API. Thanks @ityuhui @brendandburns
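
The 403 discussed in this thread means the service account token was accepted but RBAC denied the request. As an added example (not part of the original thread or the project's code), a namespaced Role and RoleBinding that grant only what the thread ends up using, listing pods and updating pod labels. The namespace `default`, the ServiceAccount `default` and the object names are assumptions; substitute the ones your pod actually runs with.

```yaml
# Added example. Assumed values: namespace "default", ServiceAccount "default",
# and the hypothetical names "pod-label-editor" / "pod-label-editor-binding".
#
# A Role (not a ClusterRole) keeps the grant scoped to one namespace, and the
# verb list is limited to what the client needs instead of binding a broad
# built-in role such as cluster-admin to the pod's service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-label-editor
  namespace: default
rules:
  - apiGroups: [""]            # "" is the core API group, where pods live
    resources: ["pods"]
    verbs:
      - get                    # read a single pod
      - list                   # needed for the list call that returned 403
      - patch                  # label updates sent as PATCH; add "update"
                               # only if the client replaces the object (PUT)
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-label-editor-binding
  namespace: default
subjects:
  - kind: ServiceAccount       # the identity behind the mounted token at
    name: default              # /var/run/secrets/kubernetes.io/serviceaccount/token
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-label-editor
# Check the result from an admin context before re-running the client:
#   kubectl auth can-i list pods -n default \
#     --as=system:serviceaccount:default:default
#   kubectl auth can-i patch pods -n default \
#     --as=system:serviceaccount:default:default
```

A dedicated ServiceAccount for the workload, set through `serviceAccountName` in the pod spec, keeps these permissions away from other pods that share the namespace's default account.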