Expose TokenRequest API for External Clients
Clients that are external to the Kubernetes cluster (e.g., a bot or a user's laptop) can access the cluster using Kubernetes Service Accounts as their identity. They store a long-lived token in their environment and use it to create time- and audience-bound tokens, with which they securely access the APIs exposed through the Istio Gateway (e.g., Rok, Kubeflow, etc.).
See also
In this guide you will allow external clients to issue short-lived tokens by exposing the TokenRequest API of the Kubernetes API server.
Overview
What You'll Need
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing Kubernetes cluster.
- A working NGINX Ingress Controller deployment.
Procedure
Edit rok/kubernetes-proxy/overlays/deploy/patches/ingress_host.json and specify your subdomain in field value:

[
  {
    "op": "replace",
    "path": "/spec/rules/0/host",
    "value": "arrikto-cluster.apps.example.com"
  }
]
Commit your changes:
root@rok-tools:~/ops/deployments# git commit -am "Expose Kubernetes TokenRequest API under /kubernetes"
Apply the kustomization:
root@rok-tools:~/ops/deployments# rok-deploy --apply rok/kubernetes-proxy/overlays/deploy
Important
This will only expose the TokenRequest API, not the whole Kubernetes API.
Verify
Verify that you can access the TokenRequest API under:
https://<YOUR_SUBDOMAIN>/kubernetes/api/v1/namespaces/default/serviceaccounts/default/token
Replace <YOUR_SUBDOMAIN> with your subdomain. For example:

user@workstation:~$ curl https://arrikto-cluster.apps.example.com/kubernetes/api/v1/namespaces/default/serviceaccounts/default/token
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "serviceaccounts \"default\" is forbidden: User \"system:anonymous\" cannot get resource \"serviceaccounts/token\" in API group \"\" in the namespace \"default\"",
  "reason": "Forbidden",
  "details": {
    "name": "default",
    "kind": "serviceaccounts"
  },
  "code": 403
}

The 403 response is expected: the request carried no credentials, so the API server evaluated it as system:anonymous. It confirms that the TokenRequest endpoint is reachable through the gateway and that unauthenticated callers are refused.
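The client flow described in the introduction, and the endpoint checked above, as an added Python example that is not part of Arrikto's documentation or tooling: it POSTs a TokenRequest with explicit audiences and a short expirationSeconds to the exposed path using the long-lived token, and inspects the issued token's aud and exp claims before using it. The subdomain, the audience name and the sample response are assumed or constructed values.

```python
import base64
import json
import urllib.request

# Assumed: the subdomain used in the procedure. The caller reads the long-lived
# ServiceAccount token from the client's environment; it is never stored here.
BASE_URL = "https://arrikto-cluster.apps.example.com/kubernetes"

def token_request_body(audiences, expiration_seconds=600):
    """TokenRequest spec binding the token to explicit audiences and a short TTL."""
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest",
            "spec": {"audiences": list(audiences),
                     "expirationSeconds": expiration_seconds}}

def request_token(long_lived_token, namespace, sa, audiences, ttl=600):
    """POST the TokenRequest through the /kubernetes proxy path; return the JSON."""
    url = f"{BASE_URL}/api/v1/namespaces/{namespace}/serviceaccounts/{sa}/token"
    req = urllib.request.Request(
        url, data=json.dumps(token_request_body(audiences, ttl)).encode(),
        headers={"Authorization": f"Bearer {long_lived_token}",
                 "Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def jwt_claims(token):
    """Decode a JWT payload for inspection only; no signature is verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_issued_token(response, audiences, max_ttl):
    """List problems with the issued token (empty = exact audiences, TTL <= max_ttl)."""
    claims = jwt_claims(response["status"]["token"])
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    problems = []
    if sorted(aud) != sorted(audiences):
        problems.append(f"unexpected audiences {aud}")
    if claims["exp"] - claims["iat"] > max_ttl:
        problems.append("token lives longer than requested")
    return problems

def _unsigned_jwt(claims):
    """Build an unsigned JWT for the constructed sample below (demo only)."""
    def enc(d): return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

# Constructed sample shaped like the API server's TokenRequest response.
SAMPLE_RESPONSE = {"status": {"token": _unsigned_jwt(
    {"aud": ["example-audience"], "iat": 1700000000, "exp": 1700000600,
     "sub": "system:serviceaccount:default:default"})}}
```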
What's Next
Check out the rest of the maintenance operations that you can perform on your cluster.