According to Kubernetes documentation, you can ping an http endpoint for a K8s cluster to operate it instead of using e.g. kubectl. It also says that there is an openApi interface available at /openapi/v2. I'm running minikube on MacOS and would like to check it out. Does anyone know if that is possible?
I tried:
minikube list service # Shows 'kubernetes' as a name
minikube list kubernetes
... which opens the browser to 127.0.0.1:51377. However, when I try going to https://127.0.0.1:51377/openapi/v2 I get the message:
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "forbidden: User \"system:anonymous\" cannot get path \"/openapi/v2\"",
"reason": "Forbidden",
"details": {},
"code": 403
}
... suggesting that I need some sort of authorization solution. Suggestions?
This worked for me:
# Proxy minikube to localhost on arbitrary port:
kubectl proxy --port=12345
# Now swagger.json is available at localhost:12345/openapi/v2
# Save to /tmp/temp/json and serve with e.g. docker swagger-ui container
curl localhost:12345/openapi/v2 > /tmp/temp.json
docker run -it -p 9999:8080 -e SWAGGER_JSON=/var/specs/temp.json -v /tmp/temp.json:/var/specs/temp.json swaggerapi/swagger-ui
# Open browser to localhost:9999
Related
Installing keycloak on minikube works fine after following https://www.keycloak.org/getting-started/getting-started-kube.
But when I try on Azure Kubernetes Service; I am getting following response on browser for URL https://keycloak.10.18.80.36.nip.io/ OR https://keycloak.10.18.80.36.nip.io/admin
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {
},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
I am not even getting screen to put in username and password. Help is appreciated. Also, when I was accessing from browser it was giving SSL error; so I proceed with Not secure. I am using IP of AKS "API server address"
I was finally able to solve it to great extent.
Use helm chart. Good part of using helm charts is that it also creates postgres which takes care of persistence layer. Otherwise whenever pod is deleted all users will go away.
helm repo add azure-marketplace https://marketplace.azurecr.io/helm/v1/repo
helm install keycloak-helm azure-marketplace/keycloak
Now check the Service ( Load Balancer ) external IP and use it to access on browser. This was the key part. as we don't have minikube so we cannot use $ minikube ip
On browser you can login using following credentials:
Username: user
echo Password: $(kubectl get secret --namespace default keycloak-helm -o jsonpath="{.data.admin-password}" | base64 --decode)
apHc7vK5vL
Trying to retrieve details of the kubernetes cluster like namespaces and pod details using kubernetes API
following doc
API:
<publicServiceEndpointURL>/api/v1/namespaces
Headers:
Authorization: bearer <id_token>
<id_token> - An IAM token generated.
will get an certificate error on postman with SSL certificate enabled else throwing 403 Forbidden error
Error: unable to verify the first certificate
Result with disabling SSL certificate verification.
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "namespaces is forbidden: User \"system:anonymous\" cannot list resource \"namespaces\" in API group \"\" at the cluster scope",
"reason": "Forbidden",
"details": {
"kind": "namespaces"
},
"code": 403
}
Tried with curl and will result in same error
curl -k <publicServiceEndpointURL>/api/v1/namespaces -H "Authorization: Bearer <token>"
Error on chrome with API call
net::ERR_CERT_AUTHORITY_INVALID
How will i able to access this API?
Do you have the right permissions to list namespaces in the cluster? If you log in as the same user via the CLI, for example, can you run kubectl get namespaces? It looks like a permissions error. The user would need IBM Cloud IAM Reader service role (which gives you RBAC view role) for all namespaces in the cluster.
I have following Kubernetes REST API request
GET https://theserver/api/v1/pods?includeUninitialized=true
and included following HTTP Headers in the request:
Authorization: Basic ***************
Accept: application/json, */*
User-Agent: kubectl.exe/v1.13.0 (windows/amd64) kubernetes/ddf47ac
Result is the following error
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
I already tried the following:
Analog kubectl request "kubectl describe pods --all-namespaces" works fine (but I need REST)
Used "--v=12" parameter as in newkind101's comment to Kubernetes REST API to see the underlying REST API calls - looks same as mine
Read Kubernetes Documentation - but I failed to find detail information which HTTP headers or/and HTTP body values to send to authenticate properly (few thing I could retrieve from curl sample calls in that docs)
I read Access Kubernetes API using REST APIs but want to understand my issue before I use a framework like GoDaddy
kubectl seems to do a bit more than I can see with the "--v=12" parameter. This bit is likely connected to things in ".kube/config" file. Still I don't know what exactly and where to put in my HTTP request.
As far as I remember Basic authentication method is disabled by default and needs to be enabled by adding --basic-auth-file flag to the API server configuration, therefore all requests to REST API are identified as anonymous user and might be resulted in 401 Unauthorized error.
I am using GCP Container Engine in my project and now I am facing some issue that I don't know if it can be solved via secrets.
One of my deployments is node-js app server, there I use some npm modules which require my GCP service account key (.json file) as an input.
The input is the path where this json file is located. Currently I managed to make it work by providing this file as part of my docker image and then in the code I put the path to this file and it works as expected. The problem is that I think that it is not a good solution because I want to decouple my nodejs image from the service account key because the service account key may be changed (e.g. dev,test,prod) and I will not be able to reuse my existing image (unless I will build and push it to a different registry).
So how could I upload this service account json file as secret and then consume it inside my pod? I saw it is possible to create secrets out of files but I don't know if it is possible to specify the path to the place where this json file is stored. If it is not possible with secrets (because maybe secrets are not saved in files...) so how (and if) it can be done?
You can make your json file a secret and consume in your pod. See the following link for secrets (http://kubernetes.io/docs/user-guide/secrets/), but I'll summarize next:
First create a secret from your json file:
kubectl create secret generic nodejs-key --from-file=./key.json
Now that you've created the secret, you can consume in your pod (in this example as a volume):
{
"apiVersion": "v1",
"kind": "Pod",
"metadata": {
"name": "nodejs"
},
"spec": {
"containers": [{
"name": "nodejs",
"image": "node",
"volumeMounts": [{
"name": "foo",
"mountPath": "/etc/foo",
"readOnly": true
}]
}],
"volumes": [{
"name": "foo",
"secret": {
"secretName": "nodejs-key"
}
}]
}
}
So when your pod spins up the file will be dropped in the "file system" in /etc/foo/key.json
I think you deploy on GKE/GCE, you don't need the key and it's going to work fine.
I've only tested with Google Cloud Logging but it might be the same for other services as well.
Eg: i only need the below when deploying app on gke/gce
var loggingClient = logging({
projectId: 'grape-spaceship-123'
});
I want to set multiple accounts to only have access only to owned namespace, we try with authorization mode ABAC but we get when use kubectl "error: couldn't read version from server: the server does not allow access to the requested ressource" and it seems to be a bug. Is theire other way to do it ?
Before attempting to access your resources, kubectl first makes requests to the server's /version and /api endpoints to confirm compatibility and negotiate API version. In ABAC, the /version and /api endpoints are considered "nonResourcePaths", but those also require authorization. You can add a rule to your ABAC file allowing all users readonly access to nonResourcePaths as follows:
{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy", "spec": {"user":"*", "nonResourcePath": "*", "readonly": true}}
From there, you can make it more restrictive if you need to.