The best way to give a client programmatic access to the Kubernetes API is through service accounts. This tutorial walks through creating a service account, a ClusterRole and a ClusterRoleBinding that together grant API access to the Kubernetes cluster.

Setup Kubernetes API Access Using Service Account

Follow the steps given below for setting up the API access using the service account.

Note: If you are using GKE on Google Cloud, you might need to run the following two commands so that your gcloud user is allowed to create roles and role bindings.

ACCOUNT=$(gcloud info --format='value(config.account)')
kubectl create clusterrolebinding owner-cluster-admin-binding \
    --clusterrole cluster-admin \
    --user $ACCOUNT

Step 1: Create a service account named “api-service-account”

kubectl create serviceaccount api-service-account

Step 2: Create a “clusterRole.yaml” file and copy the following contents, then apply it with kubectl apply -f clusterRole.yaml. You can also get this YAML file from here.

Note: This YAML declares a ClusterRole with full access to every listed cluster resource and a ClusterRoleBinding that grants it to “api-service-account”. Giving a service account this much access is not recommended; restrict the resources and verbs to what the client actually needs. You can refer to the list of resources and verbs on this page.

# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the supported version.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: api-access
rules:
  - apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - networking.k8s.io   # ingresses moved here from the extensions group
      - policy
      - rbac.authorization.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingresses           # the resource name is plural; "ingress" matches nothing
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
    verbs: ["*"]
  # Non-resource endpoints such as /healthz, /metrics and /version.
  - nonResourceURLs: ["*"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: api-access
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: api-access
subjects:
- kind: ServiceAccount
  name: api-service-account
  namespace: default
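As an added check that is not part of the original tutorial, the following Python audits a rule set shaped like the ClusterRole above for the grants the note warns about (wildcard verbs, wildcard nonResourceURLs, write access to sensitive resources) and contrasts it with a read-only alternative. Both rule lists are constructed here, and the tutorial's role is abbreviated to keep the example short.

```python
"""Audit Kubernetes ClusterRole rules for over-broad grants.

Rules are expressed as Python data in the same shape as the YAML so the
check runs without a cluster or a YAML library (added example, not from
the tutorial).
"""

# Resources whose control is close to cluster admin or credential theft.
SENSITIVE_RESOURCES = {"secrets", "serviceaccounts", "clusterroles",
                       "clusterrolebindings", "roles", "rolebindings",
                       "nodes", "persistentvolumes"}
# Verbs that change state or extend privilege, as opposed to observing.
WRITE_VERBS = {"*", "create", "update", "patch", "delete",
               "deletecollection", "escalate", "bind", "impersonate"}


def audit_rules(rules):
    """Return human-readable findings; an empty list means nothing over-broad."""
    findings = []
    for i, rule in enumerate(rules):
        verbs = set(rule.get("verbs", []))
        if "*" in verbs:
            findings.append(f"rule {i}: wildcard verb grants every action")
        if "*" in rule.get("nonResourceURLs", []):
            findings.append(f"rule {i}: wildcard nonResourceURLs exposes every non-resource endpoint")
        if "*" in rule.get("resources", []) or "*" in rule.get("apiGroups", []):
            findings.append(f"rule {i}: wildcard resources or apiGroups")
        risky = SENSITIVE_RESOURCES & set(rule.get("resources", []))
        if risky and verbs & WRITE_VERBS:
            findings.append(f"rule {i}: write access to sensitive resources {sorted(risky)}")
    return findings


# Constructed, abbreviated version of the tutorial's role: all verbs on many
# resources plus every non-resource URL.
TUTORIAL_RULES = [
    {"apiGroups": ["", "apps", "rbac.authorization.k8s.io"],
     "resources": ["pods", "deployments", "nodes", "persistentvolumes", "serviceaccounts"],
     "verbs": ["*"]},
    {"nonResourceURLs": ["*"], "verbs": ["*"]},
]

# Constructed least-privilege alternative for a client that only observes workloads.
READ_ONLY_RULES = [
    {"apiGroups": ["", "apps"],
     "resources": ["pods", "services", "deployments", "replicasets"],
     "verbs": ["get", "list", "watch"]},
]

if __name__ == "__main__":
    for name, rules in (("tutorial", TUTORIAL_RULES), ("read-only", READ_ONLY_RULES)):
        result = audit_rules(rules)
        print(f"{name}: {'OK' if not result else str(len(result)) + ' finding(s)'}")
        for finding in result:
            print("  -", finding)
```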

Step 3: Get the secret name associated with the api-service-account. On Kubernetes 1.24 and later, token secrets are no longer created automatically for service accounts, so this list may be empty; in that case kubectl create token api-service-account issues a short-lived token directly.

kubectl get serviceaccount api-service-account  -o json | jq -Mr '.secrets[].name'

Step 4: Now, use the secret name you got in step 3 to get the base64-decoded token. (base64 -D is the macOS flag; on Linux use base64 -d.)

kubectl get secrets <name-of-the-secret> -o json | jq -Mr '.data.token' | base64 -D

For example,

kubectl get secrets api-service-account-token-cpf5f  -o json | jq -Mr '.data.token' | base64 -D

Step 5: Get the cluster endpoint to check the API access. The following command will display the cluster endpoint (IP, DNS).

kubectl get endpoints | grep kubernetes

Step 6: Now that you have the cluster endpoint and the service account token, you can test API connectivity using curl or the Postman app. Note that -k disables TLS certificate verification; for anything beyond a quick test, pass the cluster CA with --cacert instead.

For example,

curl -k  https://35.226.193.217/api/v1/namespaces -H "Authorization: Bearer eyJhbGcisdfsdfsdfiJ9.eyJpc3MiOisdfsdfVhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3sdf3BhY2UiOiJkZWZhdWx0Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImFwaS1zZXJ2aWNlsdfglkjoer876Y3BmNWYiLsdfsdfRlbTpzZXJ2aWNlYWNjb3VudDpkZWZhdWx0OmFwaS1zZXJ2aWNlLWFjY291bnQifQ.u5jgk2px_lEs3f5e5lh_UfS40fndtDKMTY5UvsdfrtsuhtgjrUj-ezrRXeLS8SLOae4DuOGGGbInSg_gIo6oO7bLHhCixWOBJNOA5gzrLVioof_kHDR8gH5crrsWoR-GSSsdfgsdfg6fA_LDOqdxzqMC0WlXt6tgHfrwIHerPPvkI6NWLyCqX9tn_akpcihd-bL6GwOKlph17l_ND710FnTkE7kBfdXtQWWxaPPe06UEmoKK9t-0gsOCBxJxViwhHkvwqetr987q9enkadfgd_2cY_CA"
