Accessing an IKS (IBM Cloud Kubernetes Service) cluster using IBM IAM and IBM Kubernetes Service APIs
- Retrieve IBM Cloud IAM <access_token> and <refresh_token> using the API key
curl -X POST -H "Authorization: Basic Yng6Yng=" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=urn:ibm:params:oauth:grant-type:apikey&apikey=<APIKey>" "https://iam.cloud.ibm.com/identity/token"
The string "Yng6Yng=" is simply the base64 encoding of the placeholder Basic credentials "bx:bx".
Look for <access_token> and <refresh_token> in JSON output as shown below:
{
"access_token":"<access_token>",
"refresh_token":"<refresh_token>",
"ims_user_id":...,
"token_type":"Bearer",
"expires_in":1200,
"expiration":1633975642,
"refresh_token_expiration":1634060845,
"scope":"ibm openid"
}
- Retrieve the <api_server> of the cluster, the <base64_encoded_certificate> and the
curl -X POST -H "Authorization: Bearer <access_token>" -H "X-Auth-Refresh-Token: <refresh_token>" -H "Content-Type: application/json" -d "{\"cluster\": \"<clusterNameOrID>\"}" "https://containers.cloud.ibm.com/global/v2/applyRBACAndGetKubeconfig"
In addition to returning the kubeconfig JSON with the details we need, this API also syncs RBAC (Role-Based Access Control) information from IBM IAM to the cluster, as the name of the API suggests.
Look for "server", "certificate-authority-data" and "id-token" fields in JSON output of the API as shown below:
{
"kind": "Config",
"apiVersion": "v1",
"preferences": {},
"clusters": [
{
"name": "...",
"cluster": {
"server": "<api_server>",
"certificate-authority-data": "<base64_encoded_certificate>"
}
}
],
"users": [
{
"name": "...",
"user": {
"auth-provider": {
"name": "oidc",
"config": {
"client-id": "kube",
"client-secret": "kube",
"id-token": "<token>",
"idp-issuer-url": "https://iam.cloud.ibm.com/identity",
"refresh-token": "..."
}
}
}
}
],
"contexts": [
...
],
"current-context": "..."
}
- Base64-decode the <base64_encoded_certificate> and save it in a temporary file, e.g. /tmp/ca-iks.pem
- Finally, pass the <api_server>, the <token> and the /tmp/ca-iks.pem file to the kubectl command or the Kubernetes API
kubectl --server "<api_server>" --token "<token>" --certificate-authority "/tmp/ca-iks.pem" get namespaces
OR
curl -H "Authorization: Bearer <token>" --cacert "/tmp/ca-iks.pem" "<api_server>/api/v1/namespaces"
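The four steps above as one script, added here as an example and not code from the page or from IBM: it uses only the Python standard library plus the URLs and header values the page shows, and a constructed kubeconfig sample (SAMPLE_KUBECONFIG, with example.invalid and a dummy certificate, not a real cluster) so the parsing and CA-decoding steps can be run offline; the function names are assumptions.

```python
import base64, json, os, tempfile, urllib.parse, urllib.request
IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"
KUBECONFIG_URL = "https://containers.cloud.ibm.com/global/v2/applyRBACAndGetKubeconfig"
BX_BASIC = base64.b64encode(b"bx:bx").decode()  # == "Yng6Yng=", the Basic header value used on the page

def get_iam_tokens(apikey):
    """Exchange an IBM Cloud API key for an IAM (access_token, refresh_token) pair."""
    body = urllib.parse.urlencode({"grant_type": "urn:ibm:params:oauth:grant-type:apikey",
                                   "apikey": apikey}).encode()
    req = urllib.request.Request(IAM_TOKEN_URL, data=body, method="POST", headers={
        "Authorization": f"Basic {BX_BASIC}", "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        tok = json.load(resp)
    return tok["access_token"], tok["refresh_token"]

def get_kubeconfig(access_token, refresh_token, cluster):
    """POST to applyRBACAndGetKubeconfig; this call also syncs IAM RBAC into the cluster."""
    req = urllib.request.Request(KUBECONFIG_URL, data=json.dumps({"cluster": cluster}).encode(),
                                 method="POST", headers={"Authorization": f"Bearer {access_token}",
                                 "X-Auth-Refresh-Token": refresh_token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def extract_cluster_access(kubeconfig):
    """Return (server, decoded CA PEM, id-token) from the kubeconfig JSON shown above."""
    cluster = kubeconfig["clusters"][0]["cluster"]
    user = kubeconfig["users"][0]["user"]
    ca_pem = base64.b64decode(cluster["certificate-authority-data"]).decode()
    return cluster["server"], ca_pem, user["auth-provider"]["config"]["id-token"]

def write_ca_file(ca_pem):
    """Save the CA PEM to a temp file for --certificate-authority / --cacert (mkstemp makes it 0600)."""
    fd, path = tempfile.mkstemp(prefix="ca-iks-", suffix=".pem")
    with os.fdopen(fd, "w") as f:
        f.write(ca_pem)
    return path

def kubectl_args(server, token, ca_path, *rest):
    """Build the argv for the kubectl command shown on the page (run it with subprocess.run)."""
    return ["kubectl", "--server", server, "--token", token, "--certificate-authority", ca_path, *rest]

# Constructed sample in the shape of the applyRBACAndGetKubeconfig output; not a real cluster or CA.
SAMPLE_KUBECONFIG = {"kind": "Config", "apiVersion": "v1",
    "clusters": [{"name": "demo", "cluster": {"server": "https://example.invalid:30000",
        "certificate-authority-data": base64.b64encode(b"-----BEGIN CERTIFICATE-----\nMIIC...\n-----END CERTIFICATE-----\n").decode()}}],
    "users": [{"name": "demo", "user": {"auth-provider": {"name": "oidc", "config": {"id-token": "<token>"}}}}]}

if __name__ == "__main__":
    server, ca_pem, token = extract_cluster_access(SAMPLE_KUBECONFIG)
    print(kubectl_args(server, token, write_ca_file(ca_pem), "get", "namespaces"))
```

Against a real cluster, replace SAMPLE_KUBECONFIG with the result of get_kubeconfig(*get_iam_tokens(apikey), cluster).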
Reference documentation: