Kubernetes Service account token ignored in Jupyter

Time:05-03

I am spinning up a new Jupyter notebook instance from JupyterHub and wish to have Kubernetes API access from inside the spun-up container. According to the docs, I added the parameter for service account in my Helm values and as expected, I can see the service account token mounted as expected.

subu@jupyter-subu:~$ sudo ls /run/secrets/kubernetes.io/serviceaccount/
ca.crt  namespace  token

When I try to run kubectl however, I get an access denied

subu@jupyter-subu:~$ kubectl get pods
error: open /var/run/secrets/kubernetes.io/serviceaccount/token: permission denied

Fair enough, but run it as sudo and it simply ignores the service account token.

subu@jupyter-subu:~$ sudo kubectl get pods
The connection to the server localhost:8080 was refused - did you specify the right host or port?

If I set up the kubectl config manually with the details of the token, it works totally though; it's just the default settings that don't work. Any ideas on why this could be happening would be much appreciated!

CodePudding user response:

In order to make kubectl use the projected token, the environment variables KUBERNETES_SERVICE_PORT and KUBERNETES_SERVICE_HOST must be set in your environment. These are automatically injected upon pod start, but likely only for your user, not for the sudo root user.

Make sure to pass these variables for the root environment (sudo -E kubectl get pods) or make sure the projected token is readable by your user (this should be achievable by setting the KubeSpawner's singleuser_uid to your UID https://github.com/jupyterhub/kubespawner/issues/140).
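
The two preconditions named in the answer can be checked directly from inside the container. The following is an added example, not part of the original post: the function name incluster_check and its output labels are hypothetical, and it only tests for the environment variables and the mounted files shown in the listing above.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the original thread).
# Checks what kubectl needs before it can fall back to in-cluster config:
# the two service env vars and a readable service account mount.
# incluster_check and its output labels are hypothetical names.

SA_DIR_DEFAULT=/var/run/secrets/kubernetes.io/serviceaccount

# incluster_check [SA_DIR]
# Prints one finding per line; returns 0 only if every check passes.
incluster_check() {
    sa_dir=${1:-$SA_DIR_DEFAULT}
    rc=0

    # 1. Injected at pod start; a plain `sudo` resets the environment,
    #    which is why kubectl then falls back to localhost:8080.
    for var in KUBERNETES_SERVICE_HOST KUBERNETES_SERVICE_PORT; do
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "MISSING_ENV $var"
            rc=1
        fi
    done

    # 2. The files from the mount listing must exist and be readable by
    #    the invoking UID (the "permission denied" case in the question).
    for f in token ca.crt namespace; do
        if [ ! -e "$sa_dir/$f" ]; then
            echo "ABSENT $f"
            rc=1
        elif [ ! -r "$sa_dir/$f" ]; then
            echo "UNREADABLE $f uid=$(id -u)"
            rc=1
        fi
    done

    if [ "$rc" -eq 0 ]; then
        echo "OK in-cluster config usable"
    fi
    return "$rc"
}

# Run against the default mount (or a directory given as $1).
# Exit status is ignored here so the file can also be sourced.
incluster_check "$@" || true
```

Running it once as the notebook user and once under sudo (with and without -E) shows which of the two conditions fails in each context.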
