@enriched
Last active July 6, 2024 10:42
Create kubeconfig inside pod
# Build a kubeconfig from the service-account credentials Kubernetes mounts into every pod
SERVICE_ACCOUNT_DIR="/var/run/secrets/kubernetes.io/serviceaccount"
# Plain-HTTP API ports are rare; anything else is assumed to be TLS
KUBERNETES_SERVICE_SCHEME=$(case $KUBERNETES_SERVICE_PORT in 80|8080|8081) echo "http";; *) echo "https"; esac)
KUBERNETES_SERVER_URL="$KUBERNETES_SERVICE_SCHEME"://"$KUBERNETES_SERVICE_HOST":"$KUBERNETES_SERVICE_PORT"
KUBERNETES_CLUSTER_CA_FILE="$SERVICE_ACCOUNT_DIR"/ca.crt
KUBERNETES_NAMESPACE=$(cat "$SERVICE_ACCOUNT_DIR"/namespace)
KUBERNETES_USER_TOKEN=$(cat "$SERVICE_ACCOUNT_DIR"/token)
KUBERNETES_CONTEXT="inCluster"
mkdir -p "$HOME"/.kube
# Unquoted EOF so the variables above are expanded into the YAML
cat << EOF > "$HOME"/.kube/config
apiVersion: v1
kind: Config
preferences: {}
current-context: $KUBERNETES_CONTEXT
clusters:
- cluster:
    server: $KUBERNETES_SERVER_URL
    certificate-authority: $KUBERNETES_CLUSTER_CA_FILE
  name: inCluster
users:
- name: podServiceAccount
  user:
    token: $KUBERNETES_USER_TOKEN
contexts:
- context:
    cluster: inCluster
    user: podServiceAccount
    namespace: $KUBERNETES_NAMESPACE
  name: $KUBERNETES_CONTEXT
EOF
@josecastillolema

Hi @enriched !
Thanks for sharing.
The script seems to work, however every kubectl command returns a certificate error:

sh-5.1# kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v0.21.0-beta.1", GitCommit:"5035cc32ec97e671c86ab4ec744f20208c48a85d", GitTreeState:"clean", BuildDate:"2022-02-16T06:59:30Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"linux/amd64"}
Unable to connect to the server: x509: certificate signed by unknown authority

sh-5.1# grep caFile .kube/config 
    caFile: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

sh-5.1# ls -l /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
lrwxrwxrwx. 1 root root 13 May 24 08:37 /var/run/secrets/kubernetes.io/serviceaccount/ca.crt -> ..data/ca.crt

Is there something missing?

Thanks!

@enriched
Author

Hey @josecastillolema it's been a while since I have been using this, but I hope that it is still helpful to you. Based on what you are seeing I would guess that there is a problem with the CA certificates that the pod has in its trusted root? Looking around a bit, this Stack Overflow thread might be a good bet: https://stackoverflow.com/questions/38968414/kubernetes-add-ca-certificate-to-pods-trust-root

@josecastillolema

Thanks @enriched !

@zralt

zralt commented Feb 16, 2024

Hey @enriched,
Almost works :)
I had the same cert issue that @josecastillolema mentioned; you need to use
certificate-authority: $KUBERNETES_CLUSTER_CA_FILE
in the clusters block instead of "caFile", there's no such field in the API docs now.

@enriched
Author

Updated and thanks for the fix @zralt!

@mayooot

mayooot commented Jul 3, 2024

thx!
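As an added example (not the gist's or its commenters' code), the same kubeconfig built in Python with the fixes a reviewer would want beyond the `caFile` correction: the mount is checked before anything is written, the user entry uses the kubeconfig `tokenFile` field so the projected token is read from the mount (and picked up on rotation) instead of being copied into the file, and the file is created mode 0600 since it carries the credential. Host and port are the KUBERNETES_SERVICE_HOST/PORT values as strings; `constructed_mount` fabricates a fake service-account directory so the block runs outside a cluster, and the output is JSON, which the kubeconfig loader accepts since JSON is valid YAML.

```python
import json
import os
import tempfile

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"
PLAINTEXT_PORTS = {"80", "8080", "8081"}  # same scheme heuristic as the gist

def build_kubeconfig(host, port, sa_dir=SA_DIR, context="inCluster"):
    """Return the kubeconfig as a dict; fail loudly if the mount is incomplete."""
    ca_file, token_file, ns_file = (os.path.join(sa_dir, n) for n in ("ca.crt", "token", "namespace"))
    for path in (ca_file, token_file, ns_file):
        if not os.path.isfile(path):  # isfile follows the ..data symlinks seen in the thread
            raise FileNotFoundError(f"service-account mount incomplete: {path}")
    with open(ns_file) as fh:
        namespace = fh.read().strip()
    scheme = "http" if port in PLAINTEXT_PORTS else "https"
    return {
        "apiVersion": "v1", "kind": "Config", "preferences": {}, "current-context": context,
        # Schema key is `certificate-authority`; an unknown key like `caFile` is ignored (hence the x509 error above).
        "clusters": [{"name": context, "cluster": {
            "server": f"{scheme}://{host}:{port}", "certificate-authority": ca_file}}],
        # `tokenFile` makes kubectl re-read the projected token each call: rotation works, no copy is stored.
        "users": [{"name": "podServiceAccount", "user": {"tokenFile": token_file}}],
        "contexts": [{"name": context, "context": {
            "cluster": context, "user": "podServiceAccount", "namespace": namespace}}],
    }

def write_kubeconfig(config, path):
    """Write as JSON (valid YAML, accepted by kubectl) with mode 0600; return the resulting mode bits."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    os.chmod(path, 0o600)  # O_CREAT's mode only applies to new files; tighten a pre-existing one too
    return os.stat(path).st_mode & 0o777

def constructed_mount(base):
    """Create a fake service-account mount (constructed sample data, not a real token)."""
    sa_dir = os.path.join(base, "serviceaccount")
    os.makedirs(sa_dir, exist_ok=True)
    for name, body in (("ca.crt", "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"),
                       ("token", "constructed.example.token\n"), ("namespace", "demo\n")):
        with open(os.path.join(sa_dir, name), "w") as fh:
            fh.write(body)
    return sa_dir

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        cfg = build_kubeconfig("10.96.0.1", "443", sa_dir=constructed_mount(tmp))
        print(json.dumps(cfg, indent=2), oct(write_kubeconfig(cfg, os.path.join(tmp, ".kube", "config"))))
```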
