user2315104

Reputation: 2730

How to call kubernetes API server using curl and certificate authority

I have created an EKS cluster using the IAM user. So now the system:creator is my own IAM user. I have configured the aws CLI and kubectl command-line tools to use the credentials properly, and both command-line tools, aws and kubectl, are working fine.

Now, I'm trying to call the API to list the pods in the kube-system namespace using the curl command below.

curl -v https://abc.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/pods?limit=500 --header "Authorization: Bearer $TOKEN" --cacert test.crt

I obtained TOKEN using the following command:

TOKEN=$(aws eks get-token --cluster-name test-clus --profile default)

The test.crt file contains the base64 format of the certificate authority string provided by the EKS cluster (details page of the EKS cluster).

However, I'm getting an Unauthorized error:

* TLSv1.2 (IN), TLS header, Supplemental data (23):
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
* Connection #0 to host abc.gr7.us-east-1.eks.amazonaws.com left intact
}

Environment details:

EKS version : 1.24

aws cli version : aws-cli/2.9.15

kubectl version :

WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.0", GitCommit:"b46a3f887ca979b1a5d14fd39cb1af43e7e5d12d", GitTreeState:"clean", BuildDate:"2022-12-08T19:58:30Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"24+", GitVersion:"v1.24.8-eks-ffeb93d", GitCommit:"abb98ec0631dfe573ec5eae40dc48fd8f2017424", GitTreeState:"clean", BuildDate:"2022-11-29T18:45:03Z", GoVersion:"go1.18.8", Compiler:"gc", Platform:"linux/amd64"}
WARNING: version difference between client (1.26) and server (1.24) exceeds the supported minor version skew of +/-1

I don't understand what the issue is. The surprising thing is that I'm the creator of the EKS cluster, yet I'm still not able to access the API.

Please suggest.

Upvotes: 1

Views: 3345

Answers (1)

David Trigo

Reputation: 11

First of all, you need to decipher the CA certificate from your config file; you can do it this way.

CLUSTER_ARN="cluster_name"
kubectl config view --raw -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_ARN}\")].cluster.certificate-authority-data}" | base64 --decode > cert.crt

Now you can generate the token, and create a curl request to the API:

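# The cluster name is the part of the ARN after the "/"
CLUSTER_NAME=$(echo "$CLUSTER_ARN" | cut -d'/' -f2)
AWS_PROFILE="<profile>"   # placeholder: your AWS CLI profile
AWS_REGION="<region>"     # placeholder: the cluster's region
# get-token prints an ExecCredential JSON document; the bearer token is its .status.token field
TOKEN=$(aws --region "${AWS_REGION}" eks get-token --cluster-name "${CLUSTER_NAME}" --output json --profile "${AWS_PROFILE}" | jq -r '.status.token')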

curl https://XXX.gr7.eu-west-1.eks.amazonaws.com --cacert cert.crt -H "Authorization: Bearer $TOKEN"

Regards

Upvotes: 1
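
An added example, not part of the question or the answer: a shell pre-flight check for the two inputs of the curl call, which differ between the two posts (raw get-token output versus its .status.token field, and a base64 CA string versus the decoded file). It assumes EKS bearer tokens start with "k8s-aws-v1."; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the bearer token and the CA file before calling curl.

# Print what kind of value $1 is when sent as "Authorization: Bearer $1".
classify_token() {
    case "$1" in
        '{'*)          echo json ;;    # whole get-token JSON document
        k8s-aws-v1.?*) echo bare ;;    # what jq -r '.status.token' yields
        ''|null)       echo empty ;;   # unset variable, or jq found no such field
        *)             echo unknown ;;
    esac
}

# Print the encoding of the CA file $1 that curl --cacert would read.
classify_ca_file() {
    [ -r "$1" ] || { echo missing; return 0; }
    first=$(head -n 1 "$1")
    case "$first" in
        '-----BEGIN CERTIFICATE-----'*) echo pem ;;
        # base64 of the text "-----BEGIN" always starts with these characters,
        # so this file is certificate-authority-data that was never decoded
        LS0tLS1CRUdJTi*) echo base64 ;;
        *) echo unknown ;;
    esac
}

# Return 0 only when both inputs are usable; describe each problem on stderr.
preflight() {   # $1 = token value, $2 = path to CA file
    rc=0
    t=$(classify_token "$1")
    c=$(classify_ca_file "$2")
    [ "$t" = bare ] || { echo "token is '$t': send only .status.token" >&2; rc=1; }
    [ "$c" = pem ] || { echo "CA file is '$c': base64 --decode it first" >&2; rc=1; }
    return $rc
}

# Constructed sample values (not real credentials).
SAMPLE_JSON='{"kind":"ExecCredential","status":{"token":"k8s-aws-v1.Q09OU1RSVUNURUQ"}}'
echo "raw get-token output: $(classify_token "$SAMPLE_JSON")"
echo "jq-filtered token:    $(classify_token "k8s-aws-v1.Q09OU1RSVUNURUQ")"
```

Run preflight "$TOKEN" cert.crt before the curl call; a non-zero exit status means one of the two inputs is not in the form the API server or curl expects.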
