Access Kubernetes API from container within Kubernetes

  • I launched a pod on a minikube "cluster":

YAML:

---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: orchestration

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: orchestration
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: orchestration
roleRef:
  kind: ClusterRole
  name: orchestration
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: orchestration
    namespace: default

---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: orchestration-master
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: orchestration
    spec:
      serviceAccountName: orchestration
      containers:
        - name: orchestration
          image: joan38/orchestration:latest
          ports:
            - name: ui
              containerPort: 8080

---
apiVersion: v1
kind: Service
metadata:
  name: orchestration-ui
spec:
  type: NodePort
  selector:
    app: orchestration
  ports:
    - name: http
      protocol: TCP
      port: 80
      nodePort: 31010
      targetPort: 8080
  • Connect to the pod: kubectl exec -ti --namespace default myContainer bash
  • Query the API: curl -k https://kubernetes.default.svc.cluster.local/api/v1
  • Results in an Unauthorized

Why? How can I auth?

The credentials for the service account are mounted at /var/run/secrets/kubernetes.io/serviceaccount

curl https://kubernetes.default.svc.cluster.local/api/v1 \
  --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
  -H "Authorization: Bearer $(</var/run/secrets/kubernetes.io/serviceaccount/token)"
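
The request from the answer above as a reusable helper (an added example, not part of the original answer): it keeps CA verification, hands the token to curl through a config on stdin instead of the command line, and exits non-zero on a 401 or 403. The function names are hypothetical, and the token is assumed to be a JWT.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.
SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount  # mount point named above
API_HOST=kubernetes.default.svc.cluster.local         # host used in the question

# k8s_curl_config PATH [DIR]
# Print a curl config for a CA-verified, token-authenticated GET of PATH.
# Piping it to "curl --config -" keeps the bearer token out of curl's argv,
# where ps or /proc/<pid>/cmdline would show it to other processes.
k8s_curl_config() (
  path=$1
  dir=${2:-$SA_DIR}
  # Accept only absolute API paths made of plain URL characters.
  case $path in
    ''|[!/]*|*[!A-Za-z0-9/._?=%-]*)
      echo "bad API path: $path" >&2; return 2 ;;
  esac
  for f in token ca.crt; do
    [ -r "$dir/$f" ] || { echo "cannot read $dir/$f" >&2; return 1; }
  done
  token=$(cat "$dir/token")
  # Assumption: the token is a JWT (base64url segments joined by dots).
  # Anything else is refused so it cannot add lines to the curl config.
  case $token in
    ''|*[!A-Za-z0-9._-]*)
      echo "token is empty or not JWT-shaped" >&2; return 1 ;;
  esac
  printf 'url = "https://%s%s"\n' "$API_HOST" "$path"
  printf 'cacert = "%s"\n' "$dir/ca.crt"
  printf 'header = "Authorization: Bearer %s"\n' "$token"
)

# k8s_get PATH [DIR]
# Run the request. --fail makes a 401 or 403 a non-zero exit status.
k8s_get() (
  cfg=$(k8s_curl_config "$@") || return $?
  printf '%s\n' "$cfg" | curl --silent --show-error --fail --config -
)
```

Inside the pod, `k8s_get /api/v1` performs the same request as the curl command above.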
