1
votes

I am trying to deploy applications on GKE using REST APIs. However, the GKE documentation is all mixed up and unclear as to how to enable the Kubernetes REST API access.

Does anyone here have a clear idea about how to create a Deployment on Kubernetes cluster on Google Cloud? If yes, I would love to know the detailed steps for enabling the same. Currently, this is what I get.

A GET call to https://xx.xx.xx.xx/apis/apps/v1/namespaces/default/deployments/nginx-1 gives the JSON output below despite a valid authorization token:

{
    "kind": "Status",
    "apiVersion": "v1",
    "metadata": {},
    "status": "Failure",
    "message": "deployments.apps \"nginx-1\" is forbidden: User \"system:serviceaccount:default:default\" cannot get resource \"deployments\" in API group \"apps\" in the namespace \"default\"",
    "reason": "Forbidden",
    "details": {
        "name": "nginx-1",
        "group": "apps",
        "kind": "deployments"
    },
    "code": 403
}

Administration APIs, however, seem to be enabled:

Following the instructions at this link and executing the commands below:

# Check all possible clusters, as your .KUBECONFIG may have multiple contexts:
kubectl config view -o jsonpath='{"Cluster name\tServer\n"}{range .clusters[*]}{.name}{"\t"}{.cluster.server}{"\n"}{end}'

# Select name of cluster you want to interact with from above output:
export CLUSTER_NAME="some_server_name"

# Point to the API server referring the cluster name
APISERVER=$(kubectl config view -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")

# Gets the token value from the auto-generated secret of the "default" service account
# (legacy behaviour; Kubernetes 1.24+ no longer auto-creates these secrets)
TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='default')].data.token}"|base64 --decode)

# Explore the API with TOKEN
# --insecure skips TLS verification of the API server; use --cacert with the cluster CA instead
curl -X GET $APISERVER/api --header "Authorization: Bearer $TOKEN" --insecure

gives the desired output.
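The same calls as the curl commands in the question, but with the API server's certificate verified instead of `--insecure`, plus the POST body a Deployment needs. This is an added example written for this page, not code from the question or from the GKE documentation. It assumes `KUBECONFIG_JSON` is a constructed stand-in for the output of `kubectl config view --raw -o json` (the cluster name, server address and CA blob are placeholders, not a real cluster), and that the bearer token is obtained separately, e.g. with `kubectl create token default` on Kubernetes 1.24+ or the secret lookup shown above. The function names `cluster_endpoint`, `deployment_url`, `deployment_manifest` and `api_request` are this example's own.

```python
"""Authenticated Kubernetes API client that verifies TLS against the cluster CA
taken from kubeconfig, instead of passing --insecure to curl."""
import base64
import json
import ssl
import urllib.error
import urllib.request

# Constructed sample of `kubectl config view --raw -o json` for one GKE cluster.
# The CA blob is a placeholder for this example; a real kubeconfig carries the
# cluster's actual PEM certificate in certificate-authority-data.
FAKE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
               "MIIB...placeholder...\n"
               "-----END CERTIFICATE-----\n")
KUBECONFIG_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{
        "name": "gke_my-project_us-central1-a_my-cluster",
        "cluster": {
            "server": "https://xx.xx.xx.xx",
            "certificate-authority-data": base64.b64encode(FAKE_CA_PEM.encode()).decode(),
        },
    }],
})


def cluster_endpoint(kubeconfig_json, cluster_name):
    """Return (server_url, ca_pem) for the named cluster.

    Replaces the two jsonpath lookups from the question and also pulls the CA,
    which is what lets the client verify the API server's certificate.
    """
    cfg = json.loads(kubeconfig_json)
    for entry in cfg.get("clusters", []):
        if entry.get("name") == cluster_name:
            cluster = entry["cluster"]
            ca_b64 = cluster.get("certificate-authority-data")
            if not ca_b64:
                raise ValueError(f"cluster {cluster_name!r} has no certificate-authority-data")
            return cluster["server"].rstrip("/"), base64.b64decode(ca_b64).decode()
    raise KeyError(f"cluster {cluster_name!r} not found in kubeconfig")


def deployment_url(server, namespace, name=None):
    """apps/v1 deployments URL. Without a name it is the collection (list / POST to create)."""
    url = f"{server}/apis/apps/v1/namespaces/{namespace}/deployments"
    return f"{url}/{name}" if name else url


def deployment_manifest(name, image, replicas=1):
    """Minimal apps/v1 Deployment body to POST to the collection URL."""
    labels = {"app": name}
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": name},
        "spec": {
            "replicas": replicas,
            "selector": {"matchLabels": labels},
            "template": {
                "metadata": {"labels": labels},
                "spec": {"containers": [{"name": name, "image": image}]},
            },
        },
    }


def api_request(server_url_path, ca_pem, token, method="GET", body=None):
    """Send one bearer-token request. Returns (http_status, parsed_json).

    A 403 comes back as data (a kind: Status object like the one in the
    question) rather than an exception, so callers can inspect .details.
    """
    ctx = ssl.create_default_context(cadata=ca_pem)  # trust only the cluster CA
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(server_url_path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read())


if __name__ == "__main__":
    import os
    server, ca = cluster_endpoint(KUBECONFIG_JSON, "gke_my-project_us-central1-a_my-cluster")
    token = os.environ["K8S_TOKEN"]  # e.g. from `kubectl create token default`
    print(api_request(deployment_url(server, "default", "nginx-1"), ca, token))
    print(api_request(deployment_url(server, "default"), ca, token, "POST",
                      deployment_manifest("nginx-2", "nginx:1.25")))
```

Creating the Deployment is a POST to the collection URL (no trailing name), so the service account needs the `create` verb on `deployments` in group `apps` in addition to `get`; a 403 on that call will name the missing verb in its `message` just as the one in the question does.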

1
You get a very clear message that precisely explains why you get 403 Forbidden. In fact, you just need to google the phrase "serviceaccount:default:default cannot get resource deployments in API group apps in the namespace default" and you would get a lot of results explaining why it happens and how to solve it, including this one. – mario

1 Answer

0
votes

The service account `default` in the `default` namespace does not have an RBAC permission to perform the `get` verb on the `deployments` resource in the `default` namespace.

Use the Role and RoleBinding below to grant the necessary permission to the service account.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: deployment-reader
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "watch", "list"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-deployment
  namespace: default
subjects:
# You can specify more than one "subject"
- kind: ServiceAccount
  name: default # "name" is case sensitive
  namespace: default
roleRef:
  # "roleRef" specifies the binding to a Role / ClusterRole
  kind: Role #this must be Role or ClusterRole
  name: deployment-reader # this must match the name of the Role or ClusterRole you wish to bind to
  apiGroup: rbac.authorization.k8s.io

To verify the permission:

kubectl auth can-i get deployments --as=system:serviceaccount:default:default -n default
yes
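To show why the Role above turns the 403 into a 200, and what it still does not allow, here is an added example (not part of the answer) that parses the forbidden message from the question and evaluates it against a small model of Kubernetes RBAC. The model covers only namespaced Role + RoleBinding with ServiceAccount subjects and `*` wildcards; ClusterRole/ClusterRoleBinding, User and Group subjects, `resourceNames`, subresources and `nonResourceURLs` are deliberately left out, so it is an illustration of the matching logic, not a replacement for `kubectl auth can-i`. The `walkthrough`, `parse_forbidden`, `can_i` and `role_for` names are this example's own.

```python
"""Parse a Kubernetes 403 Status body and check it against RBAC rules (toy model)."""
import re

# The 403 body from the question, reused as the sample input.
FORBIDDEN_STATUS = {
    "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure",
    "message": ('deployments.apps "nginx-1" is forbidden: User '
                '"system:serviceaccount:default:default" cannot get resource '
                '"deployments" in API group "apps" in the namespace "default"'),
    "reason": "Forbidden",
    "details": {"name": "nginx-1", "group": "apps", "kind": "deployments"},
    "code": 403,
}

# The answer's Role and RoleBinding, as dicts.
DEPLOYMENT_READER = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "deployment-reader"},
    "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
               "verbs": ["get", "watch", "list"]}],
}
READ_DEPLOYMENT = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "default", "name": "read-deployment"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}],
    "roleRef": {"kind": "Role", "name": "deployment-reader",
                "apiGroup": "rbac.authorization.k8s.io"},
}

# Shape of the apiserver's forbidden message; cluster-scoped resources end in
# "at the cluster scope" instead of naming a namespace.
_MSG = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)'
)


def parse_forbidden(status):
    """Extract user, verb, resource, group and namespace from a kind: Status 403.

    `details` only carries group and kind, so verb and subject must come from
    the message text. namespace is None for cluster-scoped requests.
    """
    if status.get("kind") != "Status" or status.get("code") != 403:
        raise ValueError("not a 403 Status object")
    m = _MSG.search(status["message"])
    if not m:
        raise ValueError("unrecognised forbidden message: " + status["message"])
    return m.groupdict()


def _matches(values, wanted):
    return "*" in values or wanted in values


def can_i(roles, bindings, user, verb, group, resource, namespace):
    """Toy RBAC check: allow if any rule of any Role bound to `user` in `namespace` matches."""
    by_name = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        subjects = {f'system:serviceaccount:{s["namespace"]}:{s["name"]}'
                    for s in b["subjects"] if s["kind"] == "ServiceAccount"}
        if user not in subjects or b["roleRef"]["kind"] != "Role":
            continue
        role = by_name.get((namespace, b["roleRef"]["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        for rule in role["rules"]:
            if (_matches(rule["apiGroups"], group) and _matches(rule["resources"], resource)
                    and _matches(rule["verbs"], verb)):
                return True
    return False  # RBAC is deny-by-default: no matching rule means forbidden


def role_for(req, verbs, name):
    """Narrowest Role that satisfies a parsed 403 for exactly the given verbs."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
        "metadata": {"namespace": req["namespace"], "name": name},
        "rules": [{"apiGroups": [req["group"]], "resources": [req["resource"]],
                   "verbs": list(verbs)}],
    }


def walkthrough():
    """Returns (get before, get after the answer's Role, create after it, create with a writer Role)."""
    req = parse_forbidden(FORBIDDEN_STATUS)
    who = dict(user=req["user"], group=req["group"], resource=req["resource"],
               namespace=req["namespace"])
    before = can_i([], [], verb="get", **who)
    after_get = can_i([DEPLOYMENT_READER], [READ_DEPLOYMENT], verb="get", **who)
    after_create = can_i([DEPLOYMENT_READER], [READ_DEPLOYMENT], verb="create", **who)
    # The question wants to create a Deployment over REST (POST), which needs "create".
    writer = role_for(req, ["get", "list", "watch", "create", "update", "patch"], "deployment-writer")
    binding = dict(READ_DEPLOYMENT, roleRef={**READ_DEPLOYMENT["roleRef"], "name": "deployment-writer"})
    with_writer = can_i([writer], [binding], verb="create", **who)
    return before, after_get, after_create, with_writer


if __name__ == "__main__":
    print(walkthrough())  # (False, True, False, True)
```

Two practical points follow from the model: the answer's Role fixes the GET in the question but a POST to create a Deployment still returns 403 until `create` is in `verbs`, and because the grant goes to `system:serviceaccount:default:default`, every pod in the namespace that does not set `serviceAccountName` inherits it; a dedicated service account for the deploying client is the least-privilege choice.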