I am trying to perform some operations on my AKS cluster using a C# worker service that is using the Kubernetes client library. Currently my service is running on a single pod in the cluster. When I try to perform the CreateSecret operation, I get a 403 exception.
I tried getting a bearer token and used that to set the KubeConfig's AccessToken but that also does not work.
I am wondering if there is a way I can access the kubeconfig from my pod (which I guess is only available on the master node?) or is there a different location of config which I can point to?
I would suggest using a service account instead of kubeconfig, since you are running the application inside the cluster as a pod.
```csharp
var config = KubernetesClientConfiguration.InClusterConfig();
```
The above code will use the `default` service account in the namespace where the pod is deployed. You will get a `Forbidden` error, and to solve that you need to define RBAC to provide authorization to the service account. Below are the `Role` and `RoleBinding`, assuming you are using the `default` namespace for deploying the pod.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: secret-creator
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-creator
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
```
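
An added example, not part of the original answer: a worker that uses the in-cluster configuration, asks the API server through a SelfSubjectAccessReview whether its service account may create secrets, and only then attempts the create, reporting a 403 separately. It assumes a recent KubernetesClient NuGet package with the grouped `client.CoreV1` / `client.AuthorizationV1` API (older releases differ); the secret name, key and value are hypothetical.

```csharp
// Added example (not from the original answer). Assumes a recent KubernetesClient
// NuGet package exposing client.CoreV1 and client.AuthorizationV1.
using System;
using System.Collections.Generic;
using System.Net;
using k8s;
using k8s.Autorest;
using k8s.Models;

const string ns = "default";              // namespace used by the Role in the answer
const string secretName = "demo-secret";  // hypothetical secret name

// Uses the token and CA certificate mounted into the pod for its service account.
var config = KubernetesClientConfiguration.InClusterConfig();
using var client = new Kubernetes(config);

// Ask the API server whether this identity may create secrets in the namespace.
var review = await client.AuthorizationV1.CreateSelfSubjectAccessReviewAsync(
    new V1SelfSubjectAccessReview
    {
        Spec = new V1SelfSubjectAccessReviewSpec
        {
            ResourceAttributes = new V1ResourceAttributes
            {
                NamespaceProperty = ns, Verb = "create", Resource = "secrets",
            },
        },
    });
if (!review.Status.Allowed)
{
    Console.Error.WriteLine($"RBAC denies create on secrets in '{ns}': {review.Status.Reason}");
    return;
}

try
{
    await client.CoreV1.CreateNamespacedSecretAsync(
        new V1Secret
        {
            Metadata = new V1ObjectMeta { Name = secretName },
            Type = "Opaque",
            StringData = new Dictionary<string, string> { ["example-key"] = "example-value" },
        },
        ns);
    Console.WriteLine($"Created secret {ns}/{secretName}");
}
catch (HttpOperationException ex) when (ex.Response.StatusCode == HttpStatusCode.Forbidden)
{
    // 403: the request was authenticated, but no Role/RoleBinding grants this verb.
    Console.Error.WriteLine($"Forbidden: {ex.Response.Content}");
}
```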