We can use -v or â v flags followed by an integer to check how kubectl is sending HTTP request. For integer value you can use from 0â8, but only 6â8 value is used for HTTP request.
(adsbygoogle = window.adsbygoogle || []).push({});
Verbosity level 6
This level will display all requested resources with HTTP response code and time take to complete each request. For example:
kubectl get pods -v=6
I0927 16:59:16.117531 85026 loader.go:357] Config loaded from file /Users/username/.kube/yala
I0927 16:59:17.090324 85026 round_trippers.go:436] GET https://api-k8s/api 200 OK in 971 milliseconds
I0927 16:59:17.262158 85026 round_trippers.go:436] GET https://api-k8s/apis 200 OK in 170 milliseconds
No resources found.
Verbosity level 7
This level will display HTTP request with headers. For example:
kubectl get pods -v=7
ggg:ghost bkpandey$ 18kubectl get pods -v=7
I0927 17:07:33.435101 85152 loader.go:357] Config loaded from file /Users/bkpandey/.kube/yala
I0927 17:07:33.437478 85152 round_trippers.go:414] GET https://api-k8s/api
I0927 17:07:33.437498 85152 round_trippers.go:421] Request Headers:
I0927 17:07:33.437506 85152 round_trippers.go:424] Accept: application/json, */*
I0927 17:07:33.437512 85152 round_trippers.go:424] User-Agent: 18kubectl/v1.8.11 (darwin/amd64) kubernetes/1df6a83
I0927 17:07:33.437518 85152 round_trippers.go:424] Authorization: Basic YWRtaW46cGVtbjRVd0d0b0loNGY5TzRocE9sY0tiVWZGaF=
I0927 17:07:34.119013 85152 round_trippers.go:439] Response Status: 200 OK in 681 milliseconds
Verbosity level 8
This level will display HTTP request with contents. For example:
kubectl get pods -v=8
ggg:ghost bkpandey$ 18kubectl get pods -v=8
I0927 17:09:52.315477 85237 loader.go:357] Config loaded from file /Users/bkpandey/.kube/yala
I0927 17:09:52.317166 85237 round_trippers.go:414] GET https://api-k8s/api
I0927 17:09:52.317177 85237 round_trippers.go:421] Request Headers:
I0927 17:09:52.317181 85237 round_trippers.go:424] Authorization: Basic YWRtaW46cGVtbjRVd0d0b0loNGY5TzRocE9sY0tiVWZGaFg=
I0927 17:09:52.317185 85237 round_trippers.go:424] Accept: application/json, */*
I0927 17:09:52.317189 85237 round_trippers.go:424] User-Agent: 18kubectl/v1.8.11 (darwin/amd64) kubernetes/1df6a83
I0927 17:09:53.194604 85237 round_trippers.go:439] Response Status: 200 OK in 877 milliseconds
I0927 17:09:53.194626 85237 round_trippers.go:442] Response Headers:
I0927 17:09:53.194646 85237 round_trippers.go:445] Content-Type: application/json
I0927 17:09:53.194659 85237 round_trippers.go:445] Content-Length: 132
I0927 17:09:53.194662 85237 round_trippers.go:445] Date: Thu, 27 Sep 2018 23:09:53 GMT
I0927 17:09:53.195738 85237 request.go:836] Response Body: {âkindâ:âAPIVersionsâ,âversionsâ:[âv1â],âserverAddressByClientCIDRsâ:[{âclientCIDRâ:â0.0.0.0/0",âserverAddressâ:â54.21.21.10"}]}
I0927 17:09:53.196596 85237 round_trippers.go:414] GET https://api-k8s/apis
I0927 17:09:53.196608 85237 round_trippers.go:421] Request Headers:
I0927 17:09:53.196613 85237 round_trippers.go:424] Accept: application/json, */*
I0927 17:09:53.196617 85237 round_trippers.go:424] User-Agent: 18kubectl/v1.8.11 (darwin/amd64) kubernetes/1df6a83
I0927 17:09:53.196621 85237 round_trippers.go:424] Authorization: Basic YWRtaW46cGVtbjRVd0d0b0loNGY5TzRocE9sY0tiVWZGaFg=
I0927 17:09:53.340432 85237 round_trippers.go:439] Response Status: 200 OK in 143 milliseconds
I0927 17:09:53.340454 85237 round_trippers.go:442] Response Headers:
I0927 17:09:53.340459 85237 round_trippers.go:445] Content-Type: application/json
I0927 17:09:53.340463 85237 round_trippers.go:445] Content-Length: 3268
I0927 17:09:53.340466 85237 round_trippers.go:445] Date: Thu, 27 Sep 2018 23:09:53 GMT
I0927 17:09:53.341608 85237 request.go:836] Response Body: {âkindâ:âAPIGroupListâ,âapiVersionâ:âv1",âgroupsâ:[{ânameâ:âapiregistration.k8s.ioâ,âversionsâ:[{âgroupVersionâ:âapiregistration.k8s.io/v1beta1",âversionâ:âv1beta1"}],âpreferredVersionâ:{âgroupVersionâ:âapiregistration.k8s.io/v1beta1",âversionâ:âv1beta1"},âserverAddressByClientCIDRsâ:null},{ânameâ:âextensionsâ,âversionsâ:[{âgroupVersionâ:âextensions/v1beta1",âversionâ:âv1beta1"}],âpreferredVersionâ:{âgroupVersionâ:âextensions/v1beta1",âversionâ:âv1beta1"},âserverAddressByClientCIDRsâ:null},{ânameâ:âappsâ,âversionsâ:[{âgroupVersionâ:âapps/v1beta1",âversionâ:âv1beta1"},{âgroupVersionâ:âapps/v1beta2",âversionâ:âv1beta2"}],âpreferredVersionâ:{âgroupVersionâ:âapps/v1beta1",âversionâ:âv1beta1"},âserverAddressByClientCIDRsâ:null},{ânameâ:âauthentication.k8s.ioâ,âversionsâ:[{âgroupVersionâ:âauthentication.k8s.io/v1",âversionâ:âv1"},{âgroupVersionâ:âauthentication.k8s.io/v1beta1",âversionâ:âv1beta1"}],âpreferredVersionâ:{âgroupVersionâ:âauthentication.k8s.io/v1",âversionâ:âv1"},âserverAddressByClientCIDRsâ:null},{ânameâ:âauthorization.k8s.ioâ,âversionsâ:[{âgroupVersionâ:âauthorization.k8s.io/v1",âversionâ:âv1"},{âgroupVersionâ:âauthorization.k8s.io/v1beta1",âversionâ:âv1beta1"}],âpreferredVersionâ:{âgroupVersionâ:âauthorization.k8s.io/v1",âversionâ:âv1"},âserverAddressByClientCIDRsâ:null},{ânameâ:âautoscalingâ,âversionsâ:[{âgroupVersionâ:âautoscaling/v1",âversionâ:âv1"},{âgroupVersionâ:âautoscaling/v2beta1",âversionâ:âv2beta1"}],âpreferredVersionâ:{âgroupVersionâ:âautoscaling/v1",âversionâ:âv1"},âserverAddressByClientCIDRsâ:null},{ânameâ:âbatchâ,âversionsâ:[{âgroupVersionâ:âbatch/v1",âversionâ:âv1"},{âgroupVersionâ:âbatch/v1beta1",âversionâ:âv1beta1"}],âpreferredVersionâ:{âgroupVersionâ:âbatch/v1",âversionâ:âv1"},âserverAddressByClientCIDRsâ:null},{ânameâ:âcertificates.k8s.ioâ,âversionsâ:[{âgroupVersionâ:âcertificates.k8s.io/v1beta1",âversionâ:âv1beta1"}],âpreferredVersionâ:{âgroupVersionâ:âcertificates.k8s.io/v1beta1",âversionâ:âv1beta1"},âserverAddressByClientCIDRsâ:null},{ânameâ:ânetworking.k8s.ioâ,âversionsâ:[{âgroupVersionâ:ânetworking.k8s.io/v1",âversionâ:âv1"}],âpreferredVersionâ:{âgroupVersionâ:ânetworking.k8s.io/v1",âversionâ:âv1"},âserverAddressByClientCIDRsâ:null},{ânameâ:âpolicyâ,âversionsâ:[{âgroupVersionâ:âpolicy/v1beta1",âversionâ:âv1beta1"}],âpreferredVersionâ:{âgroupVersionâ:âpolicy/v1beta1",âversionâ:âv1beta1"},âserverAddressByClientCIDRsâ:null},{ânameâ:ârbac.authorization.k8s.ioâ,âversionsâ:[{âgroupVersionâ:ârbac.authorization.k8s.io/v1",âversionâ:âv1"},{âgroupVersionâ:ârbac.authorization.k8s.io/v1beta1",âversionâ:âv1beta1"},{âgroupVersionâ:ârbac.authorization.k8s.io/v1alpha1",âversionâ:âv1alpha1"}],âpreferredVersionâ:{âgroupVersionâ:ârbac.authorization.k8s.io/v1",âversionâ:âv1"},âserverAddressByClientCIDRsâ:null},{ânameâ:âstorage.k8s.ioâ,âversionsâ:[{âgroupVersionâ:âstorage.k8s.io/v1",âversionâ:âv1"},{âgroupVersionâ:âstorage.k8s.io/v1beta1",âversionâ:âv1beta1"}],âpreferredVersionâ:{âgroupVersionâ:âstorage.k8s.io/v1",âversionâ:âv1"},âserverAddressByClientCIDRsâ:null},{ânameâ:âapiextensions.k8s.ioâ,âversionsâ:[{âgroupVersionâ:âapiextensions.k8s.io/v1beta1",âversionâ:âv1beta1"}],âpreferredVersionâ:{âgroupVersionâ:âapiextensions.k8s.io/v1beta1",âversionâ:âv1beta1"},âserverAddressByClientCIDRsâ:null}]}
(adsbygoogle = window.adsbygoogle || []).push({});
Figuring out RBAC rule
We can actually use verbosity level to figure out all the RBAC rules kubectl would required to access particular resources. For example, lets say you are running following kubectl command:
kubectl get node
and to figure out which RBAC rules are needed for this, You can run:
kubectl -v=8 get node 2>&1 | grep âGET\|POST\|DELETE\|PATCH\|PUTâ
This will list all the API requests the code is making.
I0928 10:12:29.122226 86839 round_trippers.go:383] GET https://api-k8s/api?timeout=32s
I0928 10:12:31.291086 86839 round_trippers.go:383] GET https://api-k8s/apis?timeout=32s
I0928 10:12:31.444976 86839 round_trippers.go:383] GET https://api-k8s/apis/rbac.authorization.k8s.io/v1alpha1?timeout=32s
I0928 10:12:31.445057 86839 round_trippers.go:383] GET https://api-k8s/apis/policy/v1beta1?timeout=32s
I0928 10:12:31.445073 86839 round_trippers.go:383] GET https://api-k8s/apis/authentication.k8s.io/v1?timeout=32s
I0928 10:12:31.445194 86839 round_trippers.go:383] GET https://api-k8s/apis/apps/v1beta2?timeout=32s
I0928 10:12:31.445251 86839 round_trippers.go:383] GET https://api-k8s/apis/rbac.authorization.k8s.io/v1beta1?timeout=32s
I0928 10:12:31.445304 86839 round_trippers.go:383] GET https://api-k8s/apis/storage.k8s.io/v1?timeout=32s
I0928 10:12:31.445345 86839 round_trippers.go:383] GET https://api-k8s/apis/authorization.k8s.io/v1?timeout=32s
I0928 10:12:31.445535 86839 round_trippers.go:383] GET https://api-k8s/apis/batch/v1beta1?timeout=32s
I0928 10:12:31.444975 86839 round_trippers.go:383] GET https://api-k8s/apis/apiextensions.k8s.io/v1beta1?timeout=32s
I0928 10:12:31.445086 86839 round_trippers.go:383] GET https://api-k8s/apis/storage.k8s.io/v1beta1?timeout=32s
I0928 10:12:31.446762 86839 round_trippers.go:383] GET https://api-k8s/apis/autoscaling/v1?timeout=32s
I0928 10:12:31.446965 86839 round_trippers.go:383] GET https://api-k8s/api/v1?timeout=32s
I0928 10:12:31.447051 86839 round_trippers.go:383] GET https://api-k8s/apis/certificates.k8s.io/v1beta1?timeout=32s
I0928 10:12:31.447386 86839 round_trippers.go:383] GET https://api-k8s/apis/rbac.authorization.k8s.io/v1?timeout=32s
I0928 10:12:31.444976 86839 round_trippers.go:383] GET https://api-k8s/apis/autoscaling/v2beta1?timeout=32s
I0928 10:12:31.447785 86839 round_trippers.go:383] GET https://api-k8s/apis/batch/v1?timeout=32s
I0928 10:12:31.448087 86839 round_trippers.go:383] GET https://api-k8s/apis/authorization.k8s.io/v1beta1?timeout=32s
I0928 10:12:31.448458 86839 round_trippers.go:383] GET https://api-k8s/apis/extensions/v1beta1?timeout=32s
I0928 10:12:31.448710 86839 round_trippers.go:383] GET https://api-k8s/apis/networking.k8s.io/v1?timeout=32s
I0928 10:12:31.449004 86839 round_trippers.go:383] GET https://api-k8s/apis/apps/v1beta1?timeout=32s
I0928 10:12:31.445173 86839 round_trippers.go:383] GET https://api-k8s/apis/authentication.k8s.io/v1beta1?timeout=32s
I0928 10:12:31.449757 86839 round_trippers.go:383] GET https://api-k8s/apis/apiregistration.k8s.io/v1beta1?timeout=32s
I0928 10:12:31.819105 86839 round_trippers.go:383] GET https://api-k8s/api/v1/nodes?limit=500
If you noticed kubectl caches API auto-discovery in ~/.kube/cache folder, you may need to delete this folder to get the full API request list. You can run rm -rf ~/.kube/cache to clear this folder.
(adsbygoogle = window.adsbygoogle || []).push({});
Based on above output its trying to hit lots of api endpoints. Ideally we should able to list individual apiGroups in our Cluster Role policy. But somehow I keep getting permission denied issue when its trying to hit /v1/nodes. Because of that in following rule I am saying apiGroups as â*â and restricting resources to only ânodesâ.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: kubectl-get-nodes
rules:
- apiGroups:
- '*'
resources:
- 'nodes'
verbs:
- 'get'
- 'list'
Now we can use this cluster role in one of the service account and create kubeconfig file based on service account.
(adsbygoogle = window.adsbygoogle || []).push({});
To create Service account
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: kubectl
name: kubectl-get-nodes
namespace: default
To create Cluster Role Binding
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: kubectl-get-nodes-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubectl-get-nodes
subjects:
- kind: ServiceAccount
name: kubectl-get-nodes
namespace: default
Finally we can execute following bash script to generate kubeconfig file:
#!/usr/bin/env bash
# Service account created using above manifest file
serviceaccount=kubectl-get-nodes
namespace=default
# Get related Secrets for this Service Account
secret=$(kubectl get sa $serviceaccount -n $namespace -o json | jq -r .secrets[].name)
# Get ca.crt from secret (using OSX base64 with -D flag for decode)
kubectl get secret $secret -n $namespace -o json | jq -r â.data[âca.crtâ]â | base64 -D > ca.crt
# Get service account token from secret
user_token=$(kubectl get secret $secret -n $namespace -o json | jq -r â.data[âtokenâ]â | base64 -D)
# Get information from your kubectl config, this will use current context. Your kubeconfig file may have multiple context.
context=`kubectl config current-context`
# get cluster name of context
name=`kubectl config get-contexts $context | awk â{print $3}â | tail -n 1`
# get endpoint of current context
endpoint=`kubectl config view -o jsonpath=â{.clusters[?(@.name == \â$name\â)].cluster.server}â`
# Set cluster (run in directory where ca.crt is stored)
kubectl config set-cluster $serviceaccount-$context \
â embed-certs=true \
â server=$endpoint \
â certificate-authority=./ca.crt
# Set user credentials
kubectl config set-credentials $serviceaccount-$context â token=$user_token
# Define the combination of user with the cluster
kubectl config set-context $serviceaccount-$context \
â cluster=$serviceaccount-$context \
â user=$serviceaccount-$context \
â namespace=$namespace
When you list cluster-context you will see new entry in your config file. I am seeing following
kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
api-k8s api-k8s api-k8s
* kubectl-get-nodes-api-k8s kubectl-get-nodes-api-k8s kubectl-get-nodes-api-k8s default
Validation
Switch the context using kubectl use context kubectl-get-nodes-api-k8s and try accessing nodes resources using kubectl get nodes. You can access node resource.
kubectl get nodes
NAME STATUS ROLES AGE VERSION
ip-172â31â41â106.us-west-2.compute.internal Ready node 74d v1.15.11
ip-172â31â47â109.us-west-2.compute.internal Ready node 75d v1.15.11
ip-172â31â47â20.us-west-2.compute.internal Ready master 75d v1.15.11
Now try accessing other resources, you will see access denied.
kubectl get pods
Error from server (Forbidden): pods is forbidden: User âsystem:serviceaccount:default:kubectl-get-nodesâ ca
Top comments (0)