# Authenticating inside the cluster

This example shows you how to configure a client with client-go to authenticate
to the Kubernetes API from an application running inside the Kubernetes cluster.

client-go uses the [Service Account token][sa] mounted inside the Pod at the
`/var/run/secrets/kubernetes.io/serviceaccount` path when
`rest.InClusterConfig()` is used.

## Running this example

First compile the application for Linux:

    cd in-cluster-client-configuration
    GOOS=linux go build -o ./app .

Then package it to a Docker image using the provided Dockerfile to run it on
Kubernetes.

If you are running a [Minikube][mk] cluster, you can build this image directly
on the Docker engine of the Minikube node without pushing it to a registry. To
build the image on Minikube:

    eval $(minikube docker-env)
    docker build -t in-cluster .

If you are not using Minikube, you should build this image and push it to a registry
that your Kubernetes cluster can pull from.

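If you have RBAC enabled on your cluster, use the following
snippet to create a role binding that grants the default service account view
permissions. The binding is cluster-wide, so every Pod running as the `default`
service account in the `default` namespace gets the read-only `view` role in all
namespaces.

```
kubectl create clusterrolebinding default-view --clusterrole=view --serviceaccount=default:default
```
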
Then, run the image in a Pod with a single instance Deployment:

    kubectl run --rm -i demo --image=in-cluster

    There are 4 pods in the cluster
    There are 4 pods in the cluster
    There are 4 pods in the cluster
    ...

The example now runs on Kubernetes and successfully queries the API for the
number of pods in the cluster every 10 seconds.

### Clean up

To stop this example and clean up the pod, press <kbd>Ctrl</kbd>+<kbd>C</kbd> on
the `kubectl run` command and then run:

    kubectl delete deployment demo

[sa]: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens
[mk]: https://kubernetes.io/docs/getting-started-guides/minikube/