Maryo

Reputation: 503

Kubernetes - How to access a service from a web server in a pod with a REST request

I'm looking to use Kubernetes DNS to make requests to pods from pods. Everything is in my Kubernetes cluster.

I would like to use an HTTP request from a web app to call another web app.

For example, I would like to call ProductWebApp from DashboardWebApp.

I found the Kubernetes REST API:

```
➜ ~ kubectl exec -it dashboard-57f598dd76-54s2x -- /bin/bash

➜ ~ curl -X GET https://4B3449144A41F5488D670E69D41222D.sk1.us-east-1.eks.amazonaws.com/api/v1/namespaces/staging/services/product-app/proxy/api/product/5bf42b2ca5fc050616640dc6
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "services \"product-app\" is forbidden: User \"system:anonymous\" cannot get services/proxy in the namespace \"staging\"",
  "reason": "Forbidden",
  "details": {
    "name": "product-app",
    "kind": "services"
  },
  "code": 403
}%
```

I don't understand why it's blocked.

I also found this URL:

```
➜ ~ curl -XGET product-app.staging.svc.cluster.local/api/product/5bf42b2ca5fc050616640dc6
```

But it also does not work.

So what is the right way to make a call from a pod to a service?

Upvotes: 1

Views: 7031

Answers (2)

Sandeep Jain

Reputation: 1262

I also faced a similar issue.

I tried the above solution of providing

http://service-name.namespace.svc.cluster.local:port-number

This usually works for reaching one pod from another, but it fails when security is applied to the pod which you are trying to reach.

I was stuck on the same thing. You can create a service account in the pod which you are trying to reach:

service-account.yaml

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ template "kafka-schema-registry.fullname" . }}
```

And write an auth-policy to allow that service account:

auth-policy.yaml

```yaml
{{- if .Values.auth.enabled -}}
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: {{ template "pod-name.fullname" . }}
spec:
  selector:
    matchLabels:
      app: {{ template "*pod-name*.name" . }}
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/name-space/sa/pod-name"]
    to:
    - operation:
        methods: ["GET", "POST", "PUT"]
{{- end }}
```

After all the above changes are done on the pod which you are trying to reach from other pods, the other pods just need to provide the service account name in the deployment.yaml.

An example is below:

deployment.yaml

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ .Values.name }}
  namespace: {{ .Values.namespace }}
  labels:
    app: {{ .Values.name }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      app: {{ .Values.name }}
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/path: "/actuator/prometheus"
        prometheus.io/port: {{ .Values.service.port | quote }}
      labels:
        app: {{ .Values.name }}
    spec:
      serviceAccountName: {{ *pod-name* }}
```

Upvotes: 1
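
Added example (not part of the answer above and not Istio's own code): a simplified Python model of how the ALLOW AuthorizationPolicy shown in that answer is matched against a caller's identity and HTTP method. It models only `principals` and `methods`; the helper names and the `default` service account used as a second caller are assumptions.

```python
# Simplified model of Istio ALLOW AuthorizationPolicy matching (added example).
# Covers only from.source.principals and to.operation.methods.

# The policy from the answer, as the dict its YAML spec would parse to.
POLICY = {
    "action": "ALLOW",
    "rules": [{
        "from": [{"source": {"principals": ["cluster.local/ns/name-space/sa/pod-name"]}}],
        "to": [{"operation": {"methods": ["GET", "POST", "PUT"]}}],
    }],
}

def principal(namespace, service_account, trust_domain="cluster.local"):
    """Identity Istio derives from the caller's mTLS certificate."""
    return f"{trust_domain}/ns/{namespace}/sa/{service_account}"

def _match(pattern, value):
    """Istio string match: exact, 'prefix*', '*suffix', or '*' (any non-empty)."""
    if pattern == "*":
        return bool(value)
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])
    return pattern == value

def _any(patterns, value):
    # An omitted field places no constraint on the request.
    return not patterns or any(_match(p, value) for p in patterns)

def rule_allows(rule, caller, method):
    sources = rule.get("from", [])
    operations = rule.get("to", [])
    src_ok = not sources or any(
        _any(s["source"].get("principals"), caller) for s in sources)
    op_ok = not operations or any(
        _any(o["operation"].get("methods"), method) for o in operations)
    return src_ok and op_ok

def allowed(policy, caller, method):
    """Under an ALLOW policy a request passes only if some rule matches it."""
    return any(rule_allows(r, caller, method) for r in policy["rules"])

if __name__ == "__main__":
    # Constructed callers: the service account named in the policy, the
    # namespace's "default" account, and a client with no mTLS identity.
    for caller in (principal("name-space", "pod-name"),
                   principal("name-space", "default"), ""):
        print(repr(caller), allowed(POLICY, caller, "GET"))
```

The identity checked is the one the calling pod runs as, so a caller left on another service account, or one without a sidecar and therefore without an mTLS identity, does not match the rule.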

apisim

Reputation: 4576

For when both ProductWebApp and DashboardWebApp are running on the same Kubernetes cluster:

Define a Service as described here for the app that you want to call (ProductWebApp) using type: ClusterIP service; configure the calling app (DashboardWebApp) with the service name as the URI to call.

For example, assuming ProductWebApp is in a namespace named staging, define a service named product-app for the ProductWebApp deployment and then configure the DashboardWebApp to call ProductWebApp at this URI:

http://product-app.staging.svc.cluster.local/end/point/as/needed

Replace http with https if the ProductWebApp endpoint requires it. Notice that a Service name can be the same as the name of the Deployment for which the service is.

This works when the Kubernetes cluster is running a DNS service (and most clusters do) - see this link and specifically the A records section.

Upvotes: 8
