
viewer Service Account Check


1 Troubleshooting Commands

Last updated 13 weeks ago

Contributed by stewartshea



Troubleshooting Commands

Test Service Account Access to Kubernetes API Server in Namespace viewer

What does it do?

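This command creates a pod in Kubernetes that runs under a specified service account in a specified namespace, waits for the pod to be running, reads the service account token mounted in the pod, and uses it in a curl request to the Kubernetes API server. It then cleans up by deleting the pod. Two details matter when reading the result: the curl call uses -k, so the API server's certificate is not verified, and because the steps are chained with &&, the cleanup step runs only if every earlier step succeeds.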

Command
apiserver=https://kubernetes.default.svc; namespace=viewer; context=gke_runwhen-nonprod-sandbox_us-central1_sandbox-cluster-1-cluster; resource=""; serviceaccount=default; kubectl run curl-pod --image=curlimages/curl:latest --restart=Never --overrides="{ \"spec\": { \"serviceAccountName\": \"$serviceaccount\" } }" -n $namespace --context=$context --command -- sleep infinity && echo "Waiting for the curl-pod to be running..." && kubectl wait --for=condition=Ready pod/curl-pod --timeout=20s -n $namespace --context=$context && TOKEN=$(kubectl exec curl-pod -n $namespace --context=$context -- cat /var/run/secrets/kubernetes.io/serviceaccount/token) && echo "Performing a curl request to the Kubernetes API..." && kubectl exec curl-pod -n $namespace --context=$context -- curl -s -k -H "Authorization: Bearer $TOKEN" $apiserver$resource && echo "Cleaning up..." && kubectl delete pod curl-pod -n $namespace --context=$context && echo "Done"

Learn more

This multi-line content is auto-generated and used for educational purposes. Copying and pasting the multi-line text might not function as expected.

# Set the variables for the API server, namespace, context, resource, and service account
apiserver=https://kubernetes.default.svc
namespace=${NAMESPACE}
context=${CONTEXT}
resource=""
serviceaccount=${SERVICE_ACCOUNT}

# Create a pod running the curl container with specified service account and wait for it to be running
kubectl run curl-pod --image=curlimages/curl:latest --restart=Never --overrides="{ \"spec\": { \"serviceAccountName\": \"$serviceaccount\" } }" -n $namespace --context=$context --command -- sleep infinity && echo "Waiting for the curl-pod to be running..." && kubectl wait --for=condition=Ready pod/curl-pod --timeout=20s -n $namespace --context=$context

# Retrieve the token from the service account and perform a curl request to the Kubernetes API
TOKEN=$(kubectl exec curl-pod -n $namespace --context=$context -- cat /var/run/secrets/kubernetes.io/serviceaccount/token) && echo "Performing a curl request to the Kubernetes API..." && kubectl exec curl-pod -n $namespace --context=$context -- curl -s -k -H "Authorization: Bearer $TOKEN" $apiserver$resource

# Clean up by deleting the curl-pod
echo "Cleaning up..." && kubectl delete pod curl-pod -n $namespace --context=$context && echo "Done"
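
A variant of the check above, written as an added example (not the original command from this page): it keeps the token inside the pod, verifies the API server certificate with the mounted CA instead of -k, deletes the pod even when a step fails, and turns the HTTP status into a verdict. The function names and the sample response are assumptions made for illustration, and the pod image is assumed to provide sh, cat and curl.

```shell
#!/bin/sh
# Added example, not the page's command. Helper names are hypothetical.
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount  # in-pod token/CA mount

# Map curl output of the form "<body>\n<http_code>" to a one-line verdict.
classify_response() {
  code=$(printf '%s\n' "$1" | tail -n 1)
  # "reason" comes from the API server's Status object on errors
  reason=$(printf '%s\n' "$1" | sed -n 's/.*"reason": *"\([^"]*\)".*/\1/p' | head -n 1)
  case "$code" in
    200) echo "allowed" ;;
    401) echo "unauthenticated: token rejected (${reason:-no reason})" ;;
    403) echo "forbidden: RBAC denies this request (${reason:-no reason})" ;;
    *)   echo "unexpected: HTTP ${code:-none}" ;;
  esac
}

# Usage: check_sa_access <namespace> <context> <serviceaccount> [resource-path]
check_sa_access() {
  ns=$1; ctx=$2; sa=$3; path=${4:-}
  kubectl run curl-pod --image=curlimages/curl:latest --restart=Never \
    --overrides="{ \"spec\": { \"serviceAccountName\": \"$sa\" } }" \
    -n "$ns" --context="$ctx" --command -- sleep infinity >/dev/null || return 1
  # Token and CA are read inside the pod; TLS is verified instead of using -k.
  out=$(kubectl wait --for=condition=Ready pod/curl-pod --timeout=20s \
          -n "$ns" --context="$ctx" >/dev/null &&
        kubectl exec curl-pod -n "$ns" --context="$ctx" -- sh -c \
          'curl -s --cacert "$1/ca.crt" -H "Authorization: Bearer $(cat "$1/token")" -w "\n%{http_code}" "$2"' \
          sh "$SA_DIR" "https://kubernetes.default.svc$path")
  # Runs even if wait or exec failed, so a failed check does not leave the pod.
  kubectl delete pod curl-pod -n "$ns" --context="$ctx" --ignore-not-found >/dev/null
  classify_response "$out"
}

# Constructed sample: a Status body followed by the status line added by -w.
SAMPLE_FORBIDDEN='{
  "kind": "Status",
  "status": "Failure",
  "reason": "Forbidden",
  "code": 403
}
403'
classify_response "$SAMPLE_FORBIDDEN"
```

Against a cluster, call it as `check_sa_access viewer "$context" default /api/v1/namespaces/viewer/pods` to test one specific resource path.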