@amitpj
Last active October 27, 2021 02:23
An API-based pattern for accessing an IBM Cloud Kubernetes Service (IKS) cluster

Accessing an IKS (IBM Cloud Kubernetes Service) cluster using IBM IAM and IBM Kubernetes Service APIs

1. Retrieve the IBM Cloud IAM <access_token> and <refresh_token> using the API key:

```sh
curl -X POST -H "Authorization: Basic Yng6Yng=" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=urn:ibm:params:oauth:grant-type:apikey&apikey=<APIKey>" "https://iam.cloud.ibm.com/identity/token"
```

The string "Yng6Yng=" is nothing but "bx:bx" base64-encoded: the public client ID and client secret of the IBM Cloud CLI ("bx"), presented as HTTP Basic credentials. It is not a secret; the only sensitive value in this request is the <APIKey>.

Look for <access_token> and <refresh_token> in the JSON output, as shown below:

```json
{
   "access_token":"<access_token>",
   "refresh_token":"<refresh_token>",
   "ims_user_id":...,
   "token_type":"Bearer",
   "expires_in":1200,
   "expiration":1633975642,
   "refresh_token_expiration":1634060845,
   "scope":"ibm openid"
}
```
2. Retrieve the <api_server> of the cluster, the <base64_encoded_certificate> and the <token>:

```sh
curl -X POST -H "Authorization: Bearer <access_token>" -H "X-Auth-Refresh-Token: <refresh_token>" -H "Content-Type: application/json" -d "{\"cluster\": \"<clusterNameOrID>\"}" "https://containers.cloud.ibm.com/global/v2/applyRBACAndGetKubeconfig"
```

In addition to returning the kubeconfig JSON that contains the details we need, this API also syncs RBAC (Role-Based Access Control) information from IBM IAM to the cluster, as its name suggests. In other words, calling it is not a read-only operation: it writes the caller's IAM-derived RBAC bindings into the cluster.

Look for the "server", "certificate-authority-data" and "id-token" fields in the JSON output of the API, as shown below:

```json
{
  "kind": "Config",
  "apiVersion": "v1",
  "preferences": {},
  "clusters": [
    {
      "name": "...",
      "cluster": {
        "server": "<api_server>",
        "certificate-authority-data": "<base64_encoded_certificate>"
      }
    }
  ],
  "users": [
    {
      "name": "...",
      "user": {
        "auth-provider": {
          "name": "oidc",
          "config": {
            "client-id": "kube",
            "client-secret": "kube",
            "id-token": "<token>",
            "idp-issuer-url": "https://iam.cloud.ibm.com/identity",
            "refresh-token": "..."
          }
        }
      }
    }
  ],
  "contexts": [
    ...
  ],
  "current-context": "..."
}
```
3. Base64-decode the <base64_encoded_certificate> and save it to a temporary file, e.g. /tmp/ca-iks.pem.
4. Finally, pass the <api_server>, the <token> and /tmp/ca-iks.pem to the kubectl command or the Kubernetes API:

```sh
kubectl --server "<api_server>" --token "<token>" --certificate-authority "/tmp/ca-iks.pem" get namespaces
```

OR

```sh
curl -H "Authorization: Bearer <token>" --cacert "/tmp/ca-iks.pem" "<api_server>/api/v1/namespaces"
```
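Steps 2 to 4 above, as an added Python example that is not part of the gist: it parses a constructed kubeconfig shaped like the applyRBACAndGetKubeconfig response, resolves the current context to its cluster and user by name, refuses a non-https server or a CA value that does not decode to PEM, and writes the CA to a private temp file in place of /tmp/ca-iks.pem. The server name, tokens and certificate body in the sample are placeholders.

```python
import base64
import json
import os
import tempfile

# Constructed sample shaped like the applyRBACAndGetKubeconfig output above;
# the server name, CA body and tokens are placeholders, not real values.
SAMPLE_KUBECONFIG = json.dumps({
    "kind": "Config", "apiVersion": "v1",
    "clusters": [{"name": "demo", "cluster": {
        "server": "https://c100.example.containers.cloud.ibm.com:30000",
        "certificate-authority-data": base64.b64encode(
            b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n"
            b"-----END CERTIFICATE-----\n").decode()}}],
    "users": [{"name": "demo-user", "user": {"auth-provider": {"name": "oidc", "config": {
        "client-id": "kube", "client-secret": "kube", "id-token": "eyJ.constructed.idtoken",
        "idp-issuer-url": "https://iam.cloud.ibm.com/identity",
        "refresh-token": "constructed-refresh"}}}}],
    "contexts": [{"name": "demo", "context": {"cluster": "demo", "user": "demo-user"}}],
    "current-context": "demo",
})


def extract_cluster_access(kubeconfig_json, context_name=None):
    """Return (api_server, ca_pem_bytes, id_token) for one context.

    Resolves the context to its cluster and user by name instead of taking the
    first list entry, insists on an https server, and checks that the decoded
    CA really is PEM before any client is pointed at it.
    """
    cfg = json.loads(kubeconfig_json)
    wanted = context_name or cfg["current-context"]
    ctx = next(c["context"] for c in cfg["contexts"] if c["name"] == wanted)
    cluster = next(c["cluster"] for c in cfg["clusters"] if c["name"] == ctx["cluster"])
    user = next(u["user"] for u in cfg["users"] if u["name"] == ctx["user"])
    server = cluster["server"]
    if not server.startswith("https://"):
        raise ValueError("refusing non-TLS API server URL: " + server)
    ca_pem = base64.b64decode(cluster["certificate-authority-data"], validate=True)
    if not ca_pem.startswith(b"-----BEGIN CERTIFICATE-----"):
        raise ValueError("certificate-authority-data did not decode to a PEM certificate")
    return server, ca_pem, user["auth-provider"]["config"]["id-token"]


def write_ca_file(ca_pem):
    """Write the decoded CA to a 0600 temp file (the gist's /tmp/ca-iks.pem step)."""
    fd, path = tempfile.mkstemp(prefix="ca-iks-", suffix=".pem")  # mkstemp creates it mode 0600
    with os.fdopen(fd, "wb") as fh:
        fh.write(ca_pem)
    return path
```

Pass the returned server, token and CA path to kubectl or curl exactly as in step 4; the IAM access token is short-lived (expires_in above is in seconds), so re-run step 1 rather than caching it.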

Reference documentation:

https://containers.cloud.ibm.com/global/swagger-global-api/
