Ugly Command Party - Day 7
Shea Stewart
Technologist working in Platform & Customer Engineering Capacities @ RunWhen
On the 7th of the ugly command party, the command I'll share is:
Ugly Command Name: Test Service Account Access to Kubernetes API Server
What does it do?
It deploys a curl pod into the specified namespace and tests that it can connect properly to the #kubernetes API server with the mounted service account token. If provided with a specific service account or Kube API resource endpoint, it can also validate that access.
When would you use it?
Sometimes we need to know that a service account can properly reach the Kube API endpoint or that it has the necessary permissions to interact with it (such as listing or watching pods and so on). Often we see this when deploying a controller operator that monitors Kubernetes resources and takes actions on specific events, such as a database operator or a GitOps controller like FluxCD or ArgoCD.
What is the command?
Please view the GitHub Gist below to find the code snippet. Due to a limitation with LinkedIn, it does not accept some code in the code snippet and breaks the Article feature :-/
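Since the Gist itself is not reproduced here, the following is an added example (my own, not the author's Gist or the RunWhen library version) of how such a check can be put together: a short-lived curl pod is created under a chosen service account, the mounted token is used to call the API server, and the response body is classified so the 403 "reachable but forbidden" case is told apart from a successful listing. The namespace, service account and API path are assumed to be passed as arguments, and the image name, the sample responses used in the classifier, and the `run_check` helper are all assumptions rather than anything the article specifies.

```shell
#!/usr/bin/env sh
# Added example: probe the Kubernetes API from inside a pod with a given
# service account's mounted token. Not the article's Gist.
# Assumptions: kubectl is configured for the cluster; the curlimages/curl image
# is reachable; arguments are <namespace> [service-account] [api-path].

# Render a minimal manifest for a throwaway curl pod bound to a service account.
# $1 = namespace, $2 = service account name
curl_pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: curl-pod
  namespace: $1
spec:
  serviceAccountName: $2
  restartPolicy: Never
  containers:
  - name: curl
    image: curlimages/curl:latest
    command: ["sleep", "300"]
EOF
}

# Classify the API server's reply so the operator sees one word, not raw JSON:
#   authorized   - a discovery document ("paths") or any *List resource came back
#   forbidden    - endpoint reachable, RBAC denied (HTTP 403 Status object)
#   unauthorized - token rejected outright (HTTP 401)
#   unknown      - anything else (DNS/TLS failure, empty reply, ...)
classify_api_response() {
  body="$1"
  if printf '%s' "$body" | grep -q '"code": *401'; then
    echo unauthorized
  elif printf '%s' "$body" | grep -q '"code": *403'; then
    echo forbidden
  elif printf '%s' "$body" | grep -qE '"paths"|"kind": *"[A-Za-z]+List"'; then
    echo authorized
  else
    echo unknown
  fi
}

# End-to-end check against a real cluster (assumed helper; needs kubectl access).
# Usage: run_check online-boutique argocd-application-controller /api/v1/pods
run_check() {
  ns="$1"; sa="${2:-default}"; path="${3:-/}"
  curl_pod_manifest "$ns" "$sa" | kubectl apply -f -
  echo "Waiting for the curl-pod to be running..."
  kubectl wait --for=condition=Ready "pod/curl-pod" -n "$ns" --timeout=60s
  echo "Performing a curl request to the Kubernetes API..."
  # The token and CA bundle are the standard projected service account files;
  # $1 inside the remote shell is the API path handed over as an argument.
  body=$(kubectl exec -n "$ns" curl-pod -- sh -c '
    TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
    curl -sS --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
      -H "Authorization: Bearer $TOKEN" "https://kubernetes.default.svc$1"' sh "$path")
  printf '%s\n' "$body"
  echo "Result: $(classify_api_response "$body")"
  echo "Cleaning up..."
  kubectl delete pod curl-pod -n "$ns" --wait=false
  echo "Done"
}
```

The classifier is deliberately grep-based so the script has no jq dependency inside minimal environments; `classify_api_response` can also be run on its own against a saved response body to interpret output like the 403 Status object shown in the sample output section.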
What is some sample output?
# Using a default service account that *should not* have permissions
# but can reach the endpoint
pod/curl-pod created
Waiting for the curl-pod to be running...
pod/curl-pod condition met
Performing a curl request to the Kubernetes API...
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "forbidden: User \"system:serviceaccount:online-boutique:default\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {},
  "code": 403
}
Cleaning up...
pod "curl-pod" deleted
Done

# Using the argocd-application-controller service account which *should*
# have permissions on the Kubernetes API server
pod/curl-pod created
Waiting for the curl-pod to be running...
pod/curl-pod condition met
Performing a curl request to the Kubernetes API...
{
  "paths": [
    "/.well-known/openid-configuration",
    "/api",
    "/api/v1",
    "/apis",
    "/apis/",
    ... [you get the gist]
}
Cleaning up...
pod "curl-pod" deleted
Done
What does it need?
If you want this command tailored for your environment and ready to copy & paste, this command has been added to the open source library of commands available through RunWhen Local. Check it out here: https://docs.runwhen.com/public/runwhen-local/getting-started/running-locally
Find an example of the command here: https://runwhen-local.sandbox.runwhen.com/online-boutique/online-boutique-Service-Account-Check/
Have an ugly command to share? Collaborate with us on GitHub with issues or discussions
This is part of a series. Check out this article to see additional ugly commands posted in the series.