Kubernetes get ingress tls.hosts from pods

10/25/2019

Using Kubernetes, is there a way for other pods to get the ingress.spec.tls.hosts value without using kubectl (DNS, ENVVAR, OTHER)?

I know I can do:

# in other pod
dig +short my-app.default.svc.cluster.local
172.20.203.19

echo $MY_APP_SERVICE_HOST
172.20.203.19

echo $MY_APP_SERVICE_PORT
3000

Or:

# in other pod
dig +short SRV my-app.default.svc.cluster.local
0 100 3000 my-app.default.svc.cluster.local.

But I actually want to connect to the external load balancer of my-app which has an ingress definition of:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-app-ingress
  annotations:
    kubernetes.io/ingress.class: "traefik"
    kubernetes.io/tls-acme: "true"
spec:
  tls:
  - hosts:
    - myapp.mydomain.com
  rules:
  - host: myapp.mydomain.com
    http:
      paths:
      - path: /
        backend:
          serviceName: my-app
          servicePort: http

So, I want to dynamically get myapp.mydomain.com from pods.

-- Justin
kubernetes
kubernetes-ingress
kubernetes-service

2 Answers

10/29/2019

You might consider accessing the Kubernetes API from a separate Pod using a particular Service Account, leveraging the Bearer token authentication strategy through a specific token propagation inside the Pod, identifying the target ServiceAccount credentials and permissions according to the authorization enforced by RBAC rules; thanks to @Rodrigo Loza for his efforts in sharing a nice example pointing this out.

However, if you distinguish RBAC permissions across different service accounts in the same namespace, you might be aware of this and supply the corresponding credentials for the relevant service account inside the target Pod:

spec:
  serviceAccountName: somename

According to the official K8s documentation:

When you create a pod, if you do not specify a service account, it is automatically assigned the default service account in the same namespace. If you get the raw json or yaml for a pod you have created (for example, kubectl get pods/ -o yaml), you can see the spec.serviceAccountName field has been automatically set.

I would also encourage you to learn more about authentication strategies in the K8s documentation guidelines.

-- mk_sta
Source: StackOverflow

10/26/2019

Use the Kubernetes API to get an ingress resource. Create a role, associate it with a service account, then list your ingresses using curl, for instance. An example below for the default namespace and service account:

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ingress-clusterrole
  namespace: default
rules:
- apiGroups: ["*"] # "*" matches every API group
  resources: ["ingresses"]
  verbs: ["*"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ingress-clusterrolebinding
  namespace: default
roleRef:
  name: ingress-clusterrole
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
subjects:
  - name: default
    namespace: default
    kind: ServiceAccount

curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
  -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
  -H "Accept: application/json" -H "Content-Type: application/json" \
  https://kubernetes.default.svc/apis/extensions/v1beta1/namespaces/default/ingresses | jq '.items'
-- Rodrigo Loza
Source: StackOverflow
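
The ClusterRole in the answer above grants every verb on ingresses in every namespace to the default service account, so any pod in the default namespace that does not set its own account inherits it. The manifest below is an added example, not part of either answer: a read-only, namespace-scoped grant bound to a dedicated service account and selected with spec.serviceAccountName as the first answer describes. The names ingress-reader, ingress-read, ingress-read-binding and ingress-client, and the container image, are assumptions.

```yaml
# Added example: read-only, namespace-scoped access to Ingress objects.
# All object names below are assumptions, not taken from the page.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ingress-reader
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                       # namespaced, unlike a ClusterRole
metadata:
  name: ingress-read
  namespace: default
rules:
- apiGroups: ["extensions", "networking.k8s.io"]  # API groups that serve Ingress
  resources: ["ingresses"]
  verbs: ["get", "list"]         # no create, update, patch or delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                # applies the Role only inside "default"
metadata:
  name: ingress-read-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ingress-read
subjects:
- kind: ServiceAccount
  name: ingress-reader
  namespace: default
---
# Only pods that name the account get its token mounted;
# other pods in the namespace keep the unprivileged default account.
apiVersion: v1
kind: Pod
metadata:
  name: ingress-client
  namespace: default
spec:
  serviceAccountName: ingress-reader
  containers:
  - name: client
    image: registry.example.invalid/client:placeholder  # placeholder image
```

The grant can be checked before deploying the client with `kubectl auth can-i list ingresses -n default --as=system:serviceaccount:default:ingress-reader`, which should answer yes, while the same query with `delete` should answer no.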