Reputation: 695
I have configured minikube on my local machine and am going to use Kubernetes externally. I have created a Service Account in Kubernetes, and using its secret I can get the access token with the command below.
kubectl get secret <service-account-secret> -o yaml -n mynamespace
My question is: how can I do this using the fabric8 Java client at runtime? What I want is to obtain the access token by giving the secret of the Service Account as a parameter.
I am initiating the config as below.
Config config = new ConfigBuilder().withMasterUrl(masterURL)
.withClientCertFile(certFile).withOauthToken(serviceAccountAccessToken).build();
Can I know how to get the serviceAccountAccessToken as described above using the fabric8 Java client?
Upvotes: 4
Views: 8745
Reputation: 406
Config config = new ConfigBuilder().withMasterUrl(externalTunnelUrl).withOauthToken(managementTokenProvider.getManagementToken(clusterName)).withUsername("management-token").build();
Just had the same need. OauthToken is maybe not the obvious name, but works.
Note that I do not specify client cert file there.
Upvotes: 0
Reputation: 17
Create a service account with the YAML definition below.
Step 1: Create api-manager.yaml with the content below.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: api-manager
  namespace: default
rules:
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: udefreadonlybinding
  namespace: default
subjects:
Step 2: kubectl create -f api-manager.yaml
Step 3: Edit your pod dp file and map the service account. Then map this service account to the pod, which internally maps the service account inside the container (path: /var/run/secrets/kubernetes.io/serviceaccount/token).
Step 4: In Java code:
io.fabric8.kubernetes.client.DefaultKubernetesClient client = new io.fabric8.kubernetes.client.DefaultKubernetesClient();
System.out.println("client" + client.getNamespace());
Upvotes: 0
Reputation: 580
The client already does that for you.
If you just create an empty Config object:
Config config = new ConfigBuilder().build();
or create the client, like:
KubernetesClient client = new DefaultKubernetesClient();
from within a pod, it will automatically read the token for you.
If you need to pass it elsewhere, you can just:
String token = config.getOauthToken();
or
String token = client.getConfiguration().getOauthToken();
Upvotes: 6
Reputation: 33168
From within a Pod, the service account token is volume-mounted as /var/run/secrets/kubernetes.io/serviceaccount/token as seen here. The fact that the path is hard-coded in (at least v2.6.2 of) the fabric8 Client leads me to believe that perhaps if one merely omits the withOauthToken() call that the Client may Just Work™
It's slightly unclear whether the code snippet you provided is expected to run outside of the cluster, but if so then you have a small chicken-and-egg problem of providing auth to the API so you can acquire the Secret.
Upvotes: 1
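An added example, not taken from any of the answers above: reading the token out of a named service-account Secret with the fabric8 client and passing it to withOauthToken(). It assumes the Secret carries a `token` key (values under `.data` are base64-encoded and must be decoded before use) and that the bootstrap client already has credentials allowed to read Secrets in that namespace; the class name and argument order are hypothetical.

```java
import io.fabric8.kubernetes.api.model.Secret;
import io.fabric8.kubernetes.client.Config;
import io.fabric8.kubernetes.client.ConfigBuilder;
import io.fabric8.kubernetes.client.DefaultKubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClient;

import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

// Hypothetical class name; usage: ServiceAccountTokenLookup <masterURL> <namespace> <secretName>
public class ServiceAccountTokenLookup {

    /** Decodes the "token" entry of a service-account Secret; values under .data are base64. */
    static String decodeToken(Map<String, String> secretData) {
        String encoded = secretData == null ? null : secretData.get("token");
        if (encoded == null || encoded.isEmpty()) {
            throw new IllegalStateException("Secret has no 'token' key; is it a service-account token Secret?");
        }
        return new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
    }

    /** Reads the Secret with an already-authenticated client and returns the bearer token. */
    static String fetchToken(KubernetesClient bootstrap, String namespace, String secretName) {
        Secret secret = bootstrap.secrets().inNamespace(namespace).withName(secretName).get();
        if (secret == null) { // get() returns null when the object does not exist
            throw new IllegalStateException("Secret " + namespace + "/" + secretName + " not found");
        }
        return decodeToken(secret.getData());
    }

    public static void main(String[] args) {
        String masterURL = args[0], namespace = args[1], secretName = args[2];
        // Bootstrap client: auto-configured from kubeconfig outside the cluster,
        // or from the mounted service account token inside a pod.
        try (KubernetesClient bootstrap = new DefaultKubernetesClient()) {
            String token = fetchToken(bootstrap, namespace, secretName);
            Config config = new ConfigBuilder().withMasterUrl(masterURL).withOauthToken(token).build();
            try (KubernetesClient client = new DefaultKubernetesClient(config)) {
                // Print only non-sensitive facts; the token itself is a credential and is never logged.
                System.out.println("Authenticated client for namespace: " + client.getNamespace());
            }
        }
    }
}
```

Reading a Secret requires `get` permission on `secrets` in that namespace, so scoping the bootstrap identity's Role to the single Secret name keeps the lookup from exposing every other credential stored there.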