@stealthybox
Last active July 15, 2022 01:55
Does anyone have an example k8s deployment with RBAC permissions to run something like `kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes` ? https://twitter.com/rothgar/status/1544934007397175297

This is a tested example.
Not all clusters will have the metrics API, but this will function for ones that do.

The Deployment uses the bitnami/kubectl image. Its container runs `kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes` in a shell `while` loop that sleeps 10 seconds between requests.

The Deployment's Pod template runs as a ServiceAccount that a ClusterRoleBinding ties to a ClusterRole permitting only the list and get verbs on the nodes resource in the metrics.k8s.io API group (the core-group Node objects themselves are not granted).
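To see exactly what that ClusterRole does and does not permit before applying it, here is an added example (my own code, not part of the gist) that re-implements the core of the Kubernetes RBAC PolicyRule matching: verbs, apiGroups and resources, with `*` as a wildcard and `""` naming the core API group. It assumes Python 3.7+ and takes the gist's rules as the dict a YAML parser would produce; resourceNames and nonResourceURLs are deliberately left out.

```python
"""Offline check of the gist's ClusterRole against Kubernetes RBAC matching semantics.

Added example, not code from the gist. It mirrors the authorizer's PolicyRule
matching (verbs, apiGroups, resources; "*" is a wildcard, "" is the core group)
so a role's scope can be reasoned about before it is applied.
resourceNames and nonResourceURLs are not handled.
"""
from dataclasses import dataclass

# The rules: block of ClusterRole/metrics-fetcher from the manifest in this gist.
METRICS_FETCHER_RULES = [
    {"apiGroups": ["metrics.k8s.io"], "resources": ["nodes"], "verbs": ["list", "get"]},
]


@dataclass(frozen=True)
class Request:
    """One authorization question: may <verb> be done on <resource> in <api_group>?"""
    verb: str
    api_group: str   # "" is the core group (pods, nodes, secrets, ...)
    resource: str    # "nodes", or "nodes/status" for a subresource


def _match(wanted: str, allowed: list) -> bool:
    # "*" in a rule matches any verb or any API group.
    return "*" in allowed or wanted in allowed


def _resource_matches(requested: str, allowed: list) -> bool:
    # The exact resource or "resource/subresource" must be listed; "*" matches
    # everything and "nodes/*" matches every subresource of nodes (but not nodes itself).
    if "*" in allowed or requested in allowed:
        return True
    if "/" in requested:
        parent = requested.split("/", 1)[0]
        return f"{parent}/*" in allowed
    return False


def rule_allows(rule: dict, req: Request) -> bool:
    """A single PolicyRule matches only if verb, group and resource all match."""
    return (
        _match(req.verb, rule.get("verbs", []))
        and _match(req.api_group, rule.get("apiGroups", []))
        and _resource_matches(req.resource, rule.get("resources", []))
    )


def allowed(rules: list, req: Request) -> bool:
    """RBAC is purely additive: a request is allowed if any rule matches it."""
    return any(rule_allows(r, req) for r in rules)


def scope_report(rules: list, requests: list) -> dict:
    """Map 'verb group/resource' -> bool for a set of probe requests."""
    return {
        f"{r.verb} {r.api_group or 'core'}/{r.resource}": allowed(rules, r)
        for r in requests
    }


if __name__ == "__main__":
    probes = [
        Request("list", "metrics.k8s.io", "nodes"),   # what the gist's loop does
        Request("get", "metrics.k8s.io", "nodes"),
        Request("list", "", "nodes"),                 # core Node objects: not granted
        Request("list", "metrics.k8s.io", "pods"),    # PodMetrics: not granted
        Request("delete", "metrics.k8s.io", "nodes"),
    ]
    for desc, ok in scope_report(METRICS_FETCHER_RULES, probes).items():
        print(f"{'allow' if ok else 'deny':5} {desc}")
```

The cluster-side equivalent of these probes, once the manifest is applied, is `kubectl auth can-i list nodes.metrics.k8s.io --as=system:serviceaccount:example:metrics-fetcher`, which asks the real authorizer the same question for that ServiceAccount.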

Here's how to reproduce:

kubectl apply -f https://gist.githubusercontent.com/stealthybox/4b501b94c51a0421e8e84b6b440ca587/raw/52be01a73de42bafa93284e4501d8bbda67ead91/metrics-rbac-deploy.yaml

kubectl -n example get deploy,po
kubectl -n example logs -f deploy/metrics-fetcher

cleanup:

kubectl delete -f https://gist.githubusercontent.com/stealthybox/4b501b94c51a0421e8e84b6b440ca587/raw/52be01a73de42bafa93284e4501d8bbda67ead91/metrics-rbac-deploy.yaml

Note:
kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes and
kubectl get nodes.metrics.k8s.io -o json return the same objects.

However, they output different List types.
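Because the two commands wrap the same NodeMetrics objects differently, anything that consumes their output should accept both shapes. The following is an added example (my own code, not part of the gist) that normalises either document into per-node CPU and memory usage, including a parser for Kubernetes quantity strings such as `144786126n` or `1048576Ki`. The sample JSON documents are constructed to mimic each command's shape, with made-up values; it also handles the case where `kubectl get -o json` prints a lone `NodeMetrics` object instead of a `List`, which is what kubectl does when only one object exists.

```python
"""Normalise node metrics JSON from either kubectl command into base units.

Added example, not code from the gist. `kubectl get --raw ...` returns a
NodeMetricsList whose items carry no kind/apiVersion; `kubectl get
nodes.metrics.k8s.io -o json` returns a generic v1 List of typed NodeMetrics
items, or the single NodeMetrics object itself when there is only one.
The sample documents are constructed, not captured from a cluster.
"""
import json
import re
from decimal import Decimal

# Kubernetes resource.Quantity suffixes: decimal SI and binary (power-of-two).
_SUFFIX = {
    "n": Decimal("1e-9"), "u": Decimal("1e-6"), "m": Decimal("1e-3"), "": Decimal(1),
    "k": Decimal(10**3), "M": Decimal(10**6), "G": Decimal(10**9),
    "T": Decimal(10**12), "P": Decimal(10**15), "E": Decimal(10**18),
    "Ki": Decimal(2**10), "Mi": Decimal(2**20), "Gi": Decimal(2**30),
    "Ti": Decimal(2**40), "Pi": Decimal(2**50), "Ei": Decimal(2**60),
}
_QUANTITY = re.compile(r"^([+-]?\d+(?:\.\d*)?(?:[eE][+-]?\d+)?)([A-Za-z]*)$")


def parse_quantity(q: str) -> Decimal:
    """Convert a quantity such as '250m', '144786126n' or '1Gi' to a base-unit Decimal."""
    m = _QUANTITY.match(q.strip())
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"not a Kubernetes quantity: {q!r}")
    return Decimal(m.group(1)) * _SUFFIX[m.group(2)]


def node_metrics_items(doc: dict) -> list:
    """Return the NodeMetrics objects regardless of which wrapper kubectl produced."""
    kind = doc.get("kind")
    if kind in ("NodeMetricsList", "List"):
        return list(doc.get("items", []))
    if kind == "NodeMetrics":  # single object: kubectl omits the List wrapper
        return [doc]
    raise ValueError(f"unexpected kind {kind!r}")


def node_usage(doc: dict) -> dict:
    """Map node name -> {'cpu_cores': Decimal, 'memory_bytes': Decimal}."""
    out = {}
    for item in node_metrics_items(doc):
        usage = item["usage"]
        out[item["metadata"]["name"]] = {
            "cpu_cores": parse_quantity(usage["cpu"]),
            "memory_bytes": parse_quantity(usage["memory"]),
        }
    return out


# Constructed sample in the shape of `kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes`.
RAW_SAMPLE = json.loads("""{
  "kind": "NodeMetricsList", "apiVersion": "metrics.k8s.io/v1beta1", "metadata": {},
  "items": [
    {"metadata": {"name": "node-a"}, "timestamp": "2022-07-07T00:00:00Z", "window": "10s",
     "usage": {"cpu": "250000000n", "memory": "1048576Ki"}}
  ]
}""")

# Constructed sample in the shape of `kubectl get nodes.metrics.k8s.io -o json`.
GET_SAMPLE = json.loads("""{
  "apiVersion": "v1", "kind": "List", "metadata": {"resourceVersion": ""},
  "items": [
    {"apiVersion": "metrics.k8s.io/v1beta1", "kind": "NodeMetrics",
     "metadata": {"name": "node-a"}, "timestamp": "2022-07-07T00:00:00Z", "window": "10s",
     "usage": {"cpu": "250000000n", "memory": "1048576Ki"}}
  ]
}""")


if __name__ == "__main__":
    import sys
    # Pipe either command's output in, e.g.
    #   kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes | python3 node_usage.py
    for name, u in node_usage(json.load(sys.stdin)).items():
        print(f"{name}: {u['cpu_cores']} cores, {u['memory_bytes']} bytes")
```

Decimal is used rather than float so that nanocore CPU values and byte counts come out exact; comparing the two samples with `node_usage` shows they reduce to identical per-node numbers, which is the point of the note above.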

metrics-rbac-deploy.yaml:

apiVersion: v1
kind: Namespace
metadata:
  name: example
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metrics-fetcher
  namespace: example
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metrics-fetcher
rules:
  # Only the nodes resource of the metrics.k8s.io group; core-group Node objects are not granted.
  - apiGroups:
      - metrics.k8s.io
    resources:
      - nodes
    verbs:
      - list
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metrics-fetcher
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: metrics-fetcher
subjects:
  - kind: ServiceAccount
    name: metrics-fetcher
    namespace: example
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-fetcher
  namespace: example
spec:
  selector:
    matchLabels:
      app: metrics-fetcher
  template:
    metadata:
      labels:
        app: metrics-fetcher
    spec:
      serviceAccountName: metrics-fetcher
      containers:
        - name: metrics-fetcher
          image: bitnami/kubectl   # untagged; pin a version or digest for reproducible runs
          command:
            - bash
            - -c
            - |
              while true
              do
                kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes
                echo
                echo 'sleeping...'
                sleep 10
                echo
              done
          resources:
            limits:
              memory: "128Mi"
              cpu: "500m"