Here’s a simple explainer for how to access secrets a Kubernetes Pod is allowed to access with its default service account.

curl --header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt https://kubernetes/api/v1/namespaces/restricted/secrets
  • --header - We set an Authorization header carrying the bearer token for the pod's service account.
  • --cacert - We also pass the ca.crt file mounted alongside the service account token, so curl can verify the API server's certificate.
  • kubernetes - The host part of the URL is the Kubernetes API service. You could also use the service ClusterIP if DNS isn't working.
  • restricted/ - This part of the path is the namespace you wish to access.
  • secrets/ - This is the object type you want to access.

To get a specific secret by name…

curl --header "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt https://kubernetes/api/v1/namespaces/restricted/secrets/mySecret
  • mySecret is the specific name of the secret you wish to access.
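The two curl commands above, wrapped in small shell functions as an added example (this is not code from the original post). It also covers the two things a practitioner usually needs right after the first request: the pod's own namespace, read from the namespace file in the same mounted directory as the token, and decoding of the base64 `data` map that the API returns for a Secret. Assumptions: POSIX sh with curl and a GNU-style `base64 -d`; the `KUBERNETES_SERVICE_HOST` / `KUBERNETES_SERVICE_PORT` environment variables are the ones the kubelet sets in every pod, and `SA_DIR` is a name chosen here for the mount path used in the post.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Mount path of the service account token, CA bundle and namespace file.
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# API base URL: prefer the KUBERNETES_SERVICE_HOST/PORT variables injected
# into every pod, and fall back to the "kubernetes" DNS name from the post.
kube_api_base() {
  if [ -n "${KUBERNETES_SERVICE_HOST:-}" ]; then
    printf 'https://%s:%s' "$KUBERNETES_SERVICE_HOST" "${KUBERNETES_SERVICE_PORT:-443}"
  else
    printf 'https://kubernetes'
  fi
}

# Path for the secrets collection of a namespace, or for one named secret.
secret_path() {  # $1 = namespace, $2 = optional secret name
  if [ -n "${2:-}" ]; then
    printf '/api/v1/namespaces/%s/secrets/%s' "$1" "$2"
  else
    printf '/api/v1/namespaces/%s/secrets' "$1"
  fi
}

# Namespace of the pod itself, from the same mounted directory as the token.
own_namespace() { cat "$SA_DIR/namespace"; }

# The curl call from the post, assembled from the helpers above.
# --fail makes curl exit non-zero on a 403, i.e. when RBAC denies the read.
get_secret() {  # $1 = namespace, $2 = optional secret name
  curl -sS --fail \
    --header "Authorization: Bearer $(cat "$SA_DIR/token")" \
    --cacert "$SA_DIR/ca.crt" \
    "$(kube_api_base)$(secret_path "$1" "${2:-}")"
}

# Pull one key out of a Secret object's "data" map and base64-decode it.
# Uses sed only, so it does not depend on jq being present in the container.
secret_value() {  # $1 = Secret JSON (one object), $2 = key name
  printf '%s' "$1" \
    | tr -d '\n' \
    | sed -n 's/.*"data"[[:space:]]*:[[:space:]]*{[^}]*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' \
    | base64 -d
}

# Typical use inside a pod:
#   get_secret "$(own_namespace)"                     # list secrets in own namespace
#   json=$(get_secret restricted mySecret)            # one secret, as JSON
#   secret_value "$json" password                     # decoded value of key "password"
```

The API never returns secret values in the clear: every entry under `data` is base64, which is why `secret_value` decodes it. When auditing what a workload can reach, run `get_secret` against each namespace of interest; a non-zero exit from `--fail` on a 403 means the service account's RBAC bindings do not grant `get`/`list` on secrets there, which is the expected result for a default service account.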