AKS cluster pods kube config location

8/19/2020

I am trying to perform some operations on my AKS cluster using a C# worker service that is using the Kubernetes client library. Currently my service is running on a single pod in the cluster. When I try to perform the CreateSecret operation, I get a 403 exception.

I tried getting a bearer token and used that to set the KubeConfig's AccessToken but that also does not work.

I am wondering if there is a way I can access the kubeconfig from my pod (which I guess is only available on the master node?) or is there a different location of config which I can point to?

-- Jim
azure-aks
c#
kubectl
kubernetes

1 Answer

8/19/2020

I would suggest using a service account instead of kubeconfig, since you are running the application inside the cluster as a pod.

var config = KubernetesClientConfiguration.InClusterConfig();

The above code will use the default service account in the namespace where the pod is deployed. You will get a Forbidden error, and to solve that you need to define RBAC to provide authorization to the service account. Below are the Role and RoleBinding, assuming you are using the default namespace for deploying the pod.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: secret-creator
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default  # must match the namespace of the Role referenced below
  name: role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-creator
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
-- Arghya Sadhu
Source: StackOverflow
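
An added example, not part of the original answer and not Kubernetes' own code: a simplified Python model of how namespaced RBAC evaluates a request, run against the answer's Role and RoleBinding to show why the pod gets a 403 before they exist and which calls are allowed afterwards. The function name `is_allowed` and the dict layout are assumptions for illustration; ClusterRole and ClusterRoleBinding objects are out of scope.

```python
# Simplified model of namespaced RBAC (Role + RoleBinding only); not Kubernetes' own code.
# Objects are constructed from the answer's manifests as applied to the "default" namespace.
ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "default", "name": "secret-creator"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]}],
}
BINDING = {
    "kind": "RoleBinding",
    "metadata": {"namespace": "default", "name": "role-binding"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "secret-creator"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}],
}


def _matches(allowed, value):
    """RBAC list match: exact entry or the '*' wildcard."""
    return "*" in allowed or value in allowed


def is_allowed(objects, sa_namespace, sa_name, namespace, verb, resource, api_group=""):
    """Return True if a RoleBinding in `namespace` grants the service account the request."""
    roles = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
             for o in objects if o["kind"] == "Role"}
    for b in (o for o in objects if o["kind"] == "RoleBinding"):
        ns = b["metadata"]["namespace"]
        if ns != namespace or b["roleRef"]["kind"] != "Role":
            continue  # a RoleBinding only grants access inside its own namespace
        bound = any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                    and s.get("namespace") == sa_namespace for s in b.get("subjects", []))
        role = roles.get((ns, b["roleRef"]["name"]))
        if not bound or role is None:
            continue  # unrelated subject, or roleRef points at a Role that does not exist
        for rule in role.get("rules", []):
            if (_matches(rule.get("apiGroups", []), api_group)
                    and _matches(rule.get("resources", []), resource)
                    and _matches(rule.get("verbs", []), verb)):
                return True
    return False  # RBAC is deny-by-default: no matching rule means 403 Forbidden


if __name__ == "__main__":
    for verb in ("create", "get", "list", "delete"):
        print(verb, "secrets:", is_allowed([ROLE, BINDING], "default", "default",
                                           "default", verb, "secrets"))
```

Because the bound subject is the namespace's `default` service account, the grant applies to every pod in `default` that does not set its own `serviceAccountName`.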