How to access kubeconfig file inside containers-CodePudding

I have a container where I used a bitnami/kubectl image.
Now I want to run a few kubectl commands inside that container.

How kubectl container aware of my kubeconfig file?
I know that I can mount the local kubeconfig file into containers and use it.

But is there any other way possible to access kubeconfig without using it as a volume mount?

I went throug the documentation of RBAC in Kubernetes.
Does configure role and role-binding alone is enough to run kubectl apply and kubectl delete commands successfully even without mounting kubeconfig file?

It would be really helpful if someone helps me with this.
Thanks in advance!

CodePudding user response：

You can use kubectl without your kubeconfig file. Your pod is launched with a service account. And all kubectl commands will be executed with the service account privileges. So you have to use rbac to grant access rights to that service account first.

CodePudding user response：

Now I want to run a few kubectl commands inside that container.

Why do you need it inside the container?

kubectl is your CLI to "communicate" with the cluster, the commands are passed to the kube-api, parsed, and executed usually by Admission controller.

Not clear why you need to run kubectl commands inside the container.

How to run K8S API in your container?

The appropriate solution is to run an API query inside your container.
Every pod stores internally the Token & ServiceAccount which will allow you to query the API
Use the following script I'm using to query the API https://github.com/nirgeier/KubernetesLabs/blob/master/Labs/21-KubeAPI/api_query.sh

  #!/bin/sh

  #################################
  ## Access the internal K8S API ##
  #################################
  # Point to the internal API server hostname
  API_SERVER_URL=https://kubernetes.default.svc

  # Path to ServiceAccount token
  # The service account is mapped by the K8S API server in the pods
  SERVICE_ACCOUNT_FOLDER=/var/run/secrets/kubernetes.io/serviceaccount

  # Read this Pod's namespace if required
  # NAMESPACE=$(cat ${SERVICE_ACCOUNT_FOLDER}/namespace)

  # Read the ServiceAccount bearer token
  TOKEN=$(cat ${SERVICE_ACCOUNT_FOLDER}/token)

  # Reference the internal certificate authority (CA)
  CACERT=${SERVICE_ACCOUNT_FOLDER}/ca.crt

  # Explore the API with TOKEN and the Certificate
  curl -X GET \
       --cacert ${CACERT} \
       --header "Authorization: Bearer ${TOKEN}" \
       ${API_SERVER_URL}/api