I played around with a few approaches and this seems to be the simplest. You can use this to experiment with the API.
This sets up an Ubuntu box with curl pre-installed. It also creates a service account with permissions to see pods and jobs. The auth token created by this service account is stored at /var/run/secrets/kubernetes.io/serviceaccount/token
apiVersion: v1
kind: ServiceAccount
metadata:
  name: access-k8s-api
---
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 is the stable API
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: access-k8s-api
rules:
  # Read-only access to pods
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
  # Read and write access to jobs
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "delete", "list", "create", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: access-k8s-api
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: access-k8s-api
subjects:
  - kind: ServiceAccount
    name: access-k8s-api
    namespace: default
---
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu
spec:
  # The token for this service account is mounted into the container
  serviceAccountName: access-k8s-api
  containers:
    - name: ubuntu
      image: tutum/curl
      command: ["/bin/bash"]
      args: ['-c', 'sleep 60000']
      ports:
        - containerPort: 80
If you apply this you can exec into the Ubuntu box:
kubectl exec -it ubuntu -- /bin/sh
Once you are in, you can hit the API:
# Set token
TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
# Hit API (get this pod; $HOSTNAME is the pod's own name)
curl -sSk -H "Authorization: Bearer $TOKEN" https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/default/pods/$HOSTNAME
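As an added example (not part of the original post), the script below makes the same kind of call with the mounted `ca.crt` instead of `-k`, and uses SelfSubjectAccessReview to confirm the token can do what the Role above grants and nothing more. The function names are hypothetical, and it assumes the cluster's default `system:basic-user` binding, which lets any authenticated identity create these reviews.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Run inside the pod.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# API server base URL from the env vars Kubernetes injects into the pod.
api_base() {
  local host="$KUBERNETES_SERVICE_HOST"
  case "$host" in *:*) host="[$host]" ;; esac   # bracket IPv6 literals
  printf 'https://%s:%s' "$host" "$KUBERNETES_PORT_443_TCP_PORT"
}

# SelfSubjectAccessReview body. Args: verb group resource namespace
access_review_body() {
  printf '{"apiVersion":"authorization.k8s.io/v1","kind":"SelfSubjectAccessReview",'
  printf '"spec":{"resourceAttributes":{"verb":"%s","group":"%s","resource":"%s","namespace":"%s"}}}' \
    "$1" "$2" "$3" "$4"
}

# Reads an API response on stdin; prints true only if status.allowed is true.
# Error responses (401/403 Status objects) carry no "allowed" field, so: false.
parse_allowed() {
  if grep -Eq '"allowed"[[:space:]]*:[[:space:]]*true'; then echo true; else echo false; fi
}

# Ask the API server whether the mounted token may perform the action.
# --cacert verifies the server against the cluster CA mounted next to the token.
can_i() {
  curl -sS --max-time 10 --cacert "$SA_DIR/ca.crt" \
    -H "Authorization: Bearer $(cat "$SA_DIR/token")" \
    -H 'Content-Type: application/json' \
    -X POST -d "$(access_review_body "$@")" \
    "$(api_base)/apis/authorization.k8s.io/v1/selfsubjectaccessreviews" | parse_allowed
}

# Only runs where a token is mounted. Columns: verb group resource expected,
# where "expected" is derived from the Role above ("core" means the "" group).
if [ -r "$SA_DIR/token" ]; then
  NS=$(cat "$SA_DIR/namespace")
  while read -r verb group resource expect; do
    case "$group" in core) group="" ;; esac
    got=$(can_i "$verb" "$group" "$resource" "$NS")
    echo "$verb $resource in $NS: allowed=$got expected=$expect"
  done <<EOF
get core pods true
delete core pods false
create batch jobs true
get core secrets false
EOF
fi
```

A line where `allowed` and `expected` differ means the Role or its binding grants something other than what the manifest above intends.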