Forem: Richard Simpson The latest articles on Forem by Richard Simpson (@richicoder1). https://forem.com/richicoder1 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F163184%2Fc19687cd-8dc1-4c78-8652-fb7cb8d5cad5.jpeg Forem: Richard Simpson https://forem.com/richicoder1 en How we connect to Kubernetes Pods from GitHub Actions Richard Simpson Mon, 06 Apr 2020 18:15:51 +0000 https://forem.com/richicoder1/how-we-connect-to-kubernetes-pods-from-github-actions-1mg https://forem.com/richicoder1/how-we-connect-to-kubernetes-pods-from-github-actions-1mg <p>Ever wanted to connect to some Pod or Service running a Kubernetes cluster, but don't want or can't setup an Ingress or Load Balancer to connect to it? </p> <p>Only want to connect to it for some local workflow like GitHub Actions instead of opening it wider internet using a tool like <a href="https://inlets.dev/">inlets</a>?</p> <p>If you answered yes to both of these questions, then you've got a few options available to you:</p> <ul> <li>Setup a secure VPN within your network. If you're using a hosted service, there's likely a VPN option available. If not, there's a new and growing ecosystem of VPN and VPN-like options that may suit your purposes, enabled by advances like WireGuard. However this option still has a lot of friction and might be overkill.</li> <li>Create something like a <a href="https://en.wikipedia.org/wiki/Jump_server">jump server</a> to access your internal cluster services.</li> <li>Finally, if your Kubernetes API is accessible (which is many managed provider's default), you already have access to a great proxy tool in the form of <code>kubectl port-forward</code>.</li> </ul> <p>This article is all about setting up that third option.</p> <h2> Creating a Service Account </h2> <p>If you're connecting in a non-interactive fashion, through something like a CI/CD workflow, you'll likely need to setup a way for you workflow to authentication with your cluster. A "service account" if you will. Luckily, Kubernetes has the built-in concept of a <code>ServiceAccount</code> that is normally used to identify Pods and other cluster-native entities. These <code>ServiceAccount</code> resources can be used to authenticate external tools too, as I'll show you.</p> <p>Creating a <code>ServiceAccount</code> is pretty simple, but there are a few things you should consider when setting one up. Firstly, are you trying to only access a specific pod? If so, you'll want to create a <code>ServiceAccount</code> in that pod's namespace. Additionally, you'll want to make sure that account only has the permissions necessary to create a port-forward on that pod unless you're planning to use this <code>ServiceAccount</code> for more than just port-forwarding.</p> <p>In this example, we'll say you're trying to access the <code>Pod</code> <code>my-pod</code> on namespace <code>default</code>.</p> <p>First, let's create the <code>ServiceAccount</code> we'll be using:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-pod-port-forward</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> </code></pre></div> <p>This one's pretty straight forward. We want to make make a <code>ServiceAccount</code> with the name <code>my-pod-port-forward</code> in the namespace <code>default</code>. Note you can name it whatever you want, but it should descriptive and make it clear what it's used for or with.</p> <p>Next, let's create the <code>Role</code> with the appropriate permissions that we'll use with this <code>ServiceAccount</code>:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-pod-port-forward</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pods"</span><span class="pi">]</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">my-pod"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pods/portforward"</span><span class="pi">]</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">my-pod"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">create"</span><span class="pi">]</span> </code></pre></div> <p>There's quite a bit here, so I'll break it down without getting too in the nitty-gritty. If you're interested in a deeper dive, I'd check out the <a href="https://kubernetes.io/docs/reference/access-authn-authz/rbac/">official docs</a>.</p> <p>First, we're creating an RBAC <code>Role</code> with the name <code>my-pod-port-forward</code> in the namespace <code>default</code>. The name can again be anything you like, but it should be descriptive. Then, we're giving this <code>Role</code> three sets of permission:</p> <ol> <li>The ability to access get our specify pod.</li> <li>The ability to create a <code>port-forward</code> for that specific pod.</li> </ol> <p>This is the barest set of permissions necessary to port-forward to a pod.</p> <p><em>Note: If you want to connect to a <code>Service</code> or <code>Deployment</code>, it gets a bit more complicated. I'll add an example of what's necessary at the end of the article.</em></p> <p>Finally, we need to bind our new <code>Role</code> to the <code>ServiceAccount</code>:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">RoleBinding</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-pod-port-forward</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">roleRef</span><span class="pi">:</span> <span class="na">apiGroup</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-pod-port-forward</span> <span class="na">subjects</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ServiceAccount</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-pod-port-forward</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> </code></pre></div> <p>This one should be pretty straight forward and follows the same naming theme as before.</p> <p>With all those applied, you now have a <code>ServiceAccount</code> you can use! But...how do you go from <code>ServiceAccount</code> to <code>kubectl</code>?</p> <h2> Using the Service Account </h2> <p>Whenever you create a service account, it's automatically issued a <code>Secret</code> that's used to authenticate with the cluster's API.</p> <p>You can get the <code>Secret</code> associated with a <code>ServiceAccount</code> by running:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nv">TOKENNAME</span><span class="o">=</span><span class="sb">`</span>kubectl <span class="nt">-n</span> default get serviceaccount/my-pod-port-forward <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.secrets[0].name}'</span><span class="sb">`</span> </code></pre></div> <p>In that <code>Secret</code> is a lot of important information, but the thing we want is the <code>token</code>. To get that, you can run:<br> </p> <div class="highlight"><pre class="highlight shell"><code>kubectl <span class="nt">-n</span> default get secret/<span class="nv">$TOKENNAME</span> <span class="nt">-o</span> <span class="nv">jsonpath</span><span class="o">=</span><span class="s1">'{.data.token}'</span> | <span class="nb">base64</span> <span class="nt">-d</span> </code></pre></div> <p>If you've ever worked with JWTs before, you'll likely recognize this. So how do we use this token? To use it, we need to create a kube config file with the appropriate context and user.</p> <p>Our template:<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">clusters</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">cluster</span><span class="pi">:</span> <span class="na">server</span><span class="pi">:</span> <span class="s">&lt;api-server-url&gt;</span> <span class="na">certificate-authority-data</span><span class="pi">:</span> <span class="s">&lt;api-server-ca-data&gt;</span> <span class="na">name</span><span class="pi">:</span> <span class="s">kubernetes</span> <span class="na">contexts</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">context</span><span class="pi">:</span> <span class="na">cluster</span><span class="pi">:</span> <span class="s">kubernetes</span> <span class="na">user</span><span class="pi">:</span> <span class="s">service-account</span> <span class="na">name</span><span class="pi">:</span> <span class="s">target-cluster</span> <span class="na">current-context</span><span class="pi">:</span> <span class="s">target-cluster</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Config</span> <span class="na">preferences</span><span class="pi">:</span> <span class="pi">{}</span> <span class="na">users</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">service-account</span> <span class="na">user</span><span class="pi">:</span> <span class="na">token</span><span class="pi">:</span> <span class="s">&lt;token&gt;</span> </code></pre></div> <p>You can use your normal means of getting the cluster's API URL and certificate authority, but chances are you're already connected to the cluster you want to target. As such, you can pull these values from your own kube config! For example, to get the various clusters in you config, you can run:<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nb">grep</span> <span class="s1">'\- cluster:'</span> <span class="nt">-A</span> 3 <span class="k">${</span><span class="nv">HOME</span><span class="k">}</span>/.kube/config </code></pre></div> <p>Set those values and replace <code>&lt;token&gt;</code> with the token you got from those previous files, and you've got your self a service account kube config! To use it, let's say you saved it to something like <code>~/.kube/my-pod-port-forward.yaml</code>.</p> <p>The magic command to create the port-forward is:<br> </p> <div class="highlight"><pre class="highlight shell"><code>kubectl port-forward pod/my-pod 80:80 <span class="nt">--kubeconfig</span> ~/.kube/my-pod-port-forward.yaml </code></pre></div> <p>With that, you should get a message like this:<br> </p> <div class="highlight"><pre class="highlight plaintext"><code>Forwarding from 127.0.0.1:80 -&gt; 80 Forwarding from [::1]:80 -&gt; 80 </code></pre></div> <p>And that's it! You're now able to connect to your pod locally!</p> <h2> GitHub Actions (and more) </h2> <p>Now that we've got a service account setup and a kube config made, we can get up and running in Actions! This is pretty simple, but there are a few quirks I'll call out.</p> <p>First, we want to drop our kube config into our action so that we can authenticate <code>kubectl</code>. What I did was base64 encoded the kube config we created before, and then dropped into GitHub Secrets as <code>KubeConfig</code>. We're base64'ing it to make it easier to consume in the action as you'll see.<br> </p> <div class="highlight"><pre class="highlight shell"><code><span class="nb">cat</span> ~/.kube/my-pod-port-forward.yaml | <span class="nb">base64</span> <span class="nt">-w</span> 0 <span class="c"># No wrap so it's all one line</span> </code></pre></div> <p>Now that we have it stored in secret, we can access it from our workflow and use it for kubectl.<br> </p> <div class="highlight"><pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">CI</span> <span class="na">on</span><span class="pi">:</span> <span class="na">push</span><span class="pi">:</span> <span class="na">branches</span><span class="pi">:</span> <span class="pi">[</span> <span class="nv">master</span> <span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">env</span><span class="pi">:</span> <span class="c1"># Here, we're choosing to place it in the workspace folder</span> <span class="c1"># in a folder called `.kube` to keep things organized.</span> <span class="c1"># Note: You could just do KUBECONFIG if you're planning to use</span> <span class="c1"># this for all other `kubectl` actions in this workflow</span> <span class="na">POD_KUBECONFIG</span><span class="pi">:</span> <span class="s1">'</span><span class="s">${{</span><span class="nv"> </span><span class="s">github.workspace</span><span class="nv"> </span><span class="s">}}/.kube/pod-kubeconfig'</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v2</span> <span class="c1"># Here, we're creating the parent directory and writing out our decoded</span> <span class="c1"># kubeconfig to the location we stated above.</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">mkdir -p '${{ github.workspace }}/.kube' \</span> <span class="s">&amp;&amp; echo '${{ secrets.KubeConfig}}' | base64 -d &gt; $POD_KUBECONFIG</span> <span class="c1"># Finally, let's try using it. If you used `KUBECONFIG`, can can remove</span> <span class="c1"># the `--kubeconfig $POD_KUBECONFIG` as kubectl will automatically use it.</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s1">'</span><span class="s">kubectl</span><span class="nv"> </span><span class="s">version</span><span class="nv"> </span><span class="s">--kubeconfig</span><span class="nv"> </span><span class="s">$POD_KUBECONFIG'</span> </code></pre></div> <p>If you drop that in you <code>.github/workflows</code> folder and push it, should see the action run and final step print out both the client <code>kubectl</code> and the target cluster's version information!</p> <p>Now, we need to start the port-forward. Here, we're going to use bash's built-in support for jobs to run the port-forward in the background:<br> </p> <div class="highlight"><pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s1">'</span><span class="s">kubectl</span><span class="nv"> </span><span class="s">port-forward</span><span class="nv"> </span><span class="s">pod/my-pod</span><span class="nv"> </span><span class="s">80:80</span><span class="nv"> </span><span class="s">--kubeconfig</span><span class="nv"> </span><span class="s">$POD_KUBECONFIG</span><span class="nv"> </span><span class="s">&amp;'</span> </code></pre></div> <p>With that, it should be accessible locally! If you want to try it out, you can add a step like this to see it in action:<br> </p> <div class="highlight"><pre class="highlight yaml"><code> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">curl http://localhost:80</span> </code></pre></div> <p>And that's it! Hopefully, this works well for you, and just leave a comment below if you have any questions or run into any issues.</p> <h3> Credits </h3> <ul> <li> <a href="https://twitter.com/alexellisuk?s=20">Alex Ellis</a> who helped give me through the initial idea of connecting to a cluster through port-forwarding and got me thinking about the options enabled by that. (Also the man behind OpenFaaS and Inlets which you should checkout!)</li> <li> <a href="https://dev.to/danielkun">Daniel Albuschat</a> who has an excellent deeper dive into k8s auth and service accounts, including how to re-issue tokens: <div class="ltag__link"> <a href="/danielkun" class="ltag__link__link"> <div class="ltag__link__pic"> <img src="https://res.cloudinary.com/practicaldev/image/fetch/s--xD0jY0GX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://res.cloudinary.com/practicaldev/image/fetch/s--q8TPlmW_--/c_fill%2Cf_auto%2Cfl_progressive%2Ch_150%2Cq_auto%2Cw_150/https://dev-to-uploads.s3.amazonaws.com/uploads/user/profile_image/1438/10500.png" alt="danielkun image"> </div> </a> <a href="/danielkun/kubernetes-certificates-tokens-authentication-and-service-accounts-4fj7" class="ltag__link__link"> <div class="ltag__link__content"> <h2>Kubernetes: Certificates, Tokens, Authentication and Service Accounts</h2> <h3>Daniel Albuschat ・ May 19 '19 ・ 9 min read</h3> <div class="ltag__link__taglist"> <span class="ltag__link__tag">#kubernetes</span> </div> </div> </a> </div> </li> <li>All the Kubernetes Docs contributors and poor, fellow lost souls on Stack Overflow who helped me generally understand many of the concepts in this article.</li> </ul> <h3> Additional Notes </h3> <p>If you want to access a <code>Service</code> or <code>Deployment</code> instead of a specific <code>Pod</code>, you'll need a slightly different <code>Role</code> configuration:</p> <ol> <li>Permissions for a <code>Deployment</code>. </li> </ol> <div class="highlight"><pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-pod-port-forward</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">apps/v1"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">deployments"</span><span class="pi">]</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">&lt;deployment</span><span class="nv"> </span><span class="s">name&gt;"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pods"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pods/portforward"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">create"</span><span class="pi">]</span> </code></pre></div> <p>This will be the same <code>Role</code> as earlier, but with the addition of <code>get</code> for deployments, and the removal of <code>resourceName</code> from the <code>pods</code> and <code>pods/portforward</code> since you wouldn't know the pod name ahead of time.</p> <ol> <li>Permissions for a <code>Service</code>. </li> </ol> <div class="highlight"><pre class="highlight yaml"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">rbac.authorization.k8s.io/v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">Role</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">my-pod-port-forward</span> <span class="na">namespace</span><span class="pi">:</span> <span class="s">default</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">services"</span><span class="pi">]</span> <span class="na">resourceNames</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">&lt;service</span><span class="nv"> </span><span class="s">name&gt;"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pods"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">get"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">list"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">apiGroups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">"</span><span class="pi">]</span> <span class="na">resources</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">pods/portforward"</span><span class="pi">]</span> <span class="na">verbs</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">create"</span><span class="pi">]</span> </code></pre></div> <p>This will be the same <code>Role</code> as earlier, but with the addition of <code>get</code> for services, and the removal of <code>resourceName</code> from the <code>pods</code> and <code>pods/portforward</code> since you wouldn't know the pod name ahead of time.</p> kubernetes github githubactions