Kubernetes external API calls — the right way

5c709 1ecs g06obsiswvlwsvu oq

Sometimes you will need to call the Kubernetes API from outside the cluster whether it’s to run a job or to list deployments, or anything else the Kubernetes API provides.

Here, I will walk you through on how to do it with Service Account JWT (JSON Web Token)

First you will need to assume an admin role in cluster (if you are not already)

kubectl create clusterrolebinding cluster-admin-binding \
 -clusterrole cluster-admin \
-user "$(gcloud config get-value account)"

Now let’s create a dedicated kubernetes service account with the relevant permissions:

kubectl create serviceaccount external-svc

And now bind some roles to that service account, in this case we attached batch. Jobs — view, list,create

this will allow the external service to create and watch kubernetes (rbac.yaml file here):

kubectl create -f rbac.yaml

We now need to extract the service account unique name:

export secret=`kubectl get serviceaccount external-svc -o json | jq -Mr ‘.secrets[].name’`

And retrieve the cluster CA certificate and put it in a ca.crt file locally:

kubectl get secrets $secret -o json | jq -Mr ‘.data[“ca.crt”]’ | base64 -D > ca.crt

And retrieve the secret token and save it in an environment variable:

export token=`kubectl get secrets $secret -o json | jq -Mr ‘.data.token’ | base64 -D`

Let’s find the cluster ip:

kubectl cluster-info

Now let’s try to get all jobs with new service account token from our local machine:

curl ‘https://<cluster-ip>/apis/batch/v1/namespaces/default/jobs’ -cacert ca.crt -H “Authorization: Bearer $token”

And create an example job also from outside the cluster:

curl -X POST -H ‘Content-Type: application/yaml’-data-binary


.yaml -cacert ca.crt -H "Authorization: Bearer $token" ‘https://<cluster-ip>/apis/batch/v1/namespaces/default/jobs’

And that’s it, now you can use the token and the ca.crt in a way you would like to call the kubernetes api from outside of the cluster.

This strategy will enable you to have a least privileged service that can only access specific API endpoints, please keep in mind that the token is like password to your cluster and should be kept like any other secret.

There are a few other strategies on to achieve this they are documented here.

The commands and the yaml files are hosted on GitLab.

Want more stories? Check our blog, or follow Eran on Twitter.

Subscribe to updates, news and more.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related blogs