# Does the call to TokenReview need a specific role? I thought it was possible to use a token without any role to perform the [TokenReview](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#tokenreview-v1-authentication-k8s-io) call to the Kubernetes API server. But no: for the TokenReview call, the service account associated to the token used to authenticate (i.e., the `Ahtorization: Bearer token` HTTP header) must have the role `system:auth-delegator`. On the other side, the token within the TokenReview doesn't need to have any role attached. First, let us create a token with no role attached: ```shell token=$(kubectl create --raw /api/v1/namespaces/default/serviceaccounts/default/token -f- <<EOF | jq -r '.status.token' { "apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest", "spec": { "audiences": ["https://kubernetes.default.svc.cluster.local"] } } EOF ) ``` Now, let us use the TokenReview API to check that same token: ```shell curl -sS -X POST $(kubectl config view --minify --flatten -ojson | jq '.clusters[0].cluster.server' -r)/apis/authentication.k8s.io/v1/tokenreviews \ --cacert <( kubectl config view --minify --flatten -ojson | jq '.clusters[0].cluster."certificate-authority-data"' -r | base64 -d) \ -H "Authorization: Bearer $token" \ -H "Content-Type: application/json" \ -d@- <<EOF { "apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview", "spec": { "token": "$token", "audiences": ["https://kubernetes.default.svc.cluster.local"] } } EOF ``` gives: ```yaml { "kind": "Status", "apiVersion": "v1", "metadata": {}, "status": "Failure", "message": "tokenreviews.authentication.k8s.io is forbidden: User \"system:serviceaccount:default:default\" cannot create resource \"tokenreviews\" in API group \"authentication.k8s.io\" at the cluster scope", "reason": "Forbidden", "details": { "group": "authentication.k8s.io", "kind": "tokenreviews" }, "code": 403 } ``` To fix that: ```shell kubectl apply -f- <<EOF apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: tokenreview namespace: default subjects: - kind: ServiceAccount namespace: default name: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:auth-delegator EOF ``` And now it works. ## Testing TokenRequest for PR ```shell kubectl run foo -n cert-manager --image=alpine/k8s:1.22.15 --restart=Never --overrides='{"spec":{"serviceAccountName": "cert-manager"}}' -q --rm -it -- bash # And then, inside the container: kubectl create --raw /api/v1/namespaces/sandbox/serviceaccounts/vault-issuer/token -f- <<EOF | jq -r '.status.token' { "apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest", "spec": { "audiences": ["https://kubernetes.default.svc.cluster.local"], "expirationSeconds": 600 } } EOF ```
Last changed by  
Maël Valais
60

Read more

Why I care about product thinking

PM = product manager, or product management depending on the context. Also, I promise I'll find real-world hands-on examples soon, at the moment I can't think of one. I want to influence you to think that "product thinking" is a great thing for us engineers. I care about "product thinking" because I have seen in the past that it helped me give purpose. With purpose, I can build something to solve a problem that I agree with. Chisara Nwabara, a PM at Engineering Better, talks about "product thinking" as opposed to "product management", since "product thinking" is a set of skills that will exist throughout teams regardless of your role.The blog posts are What is a Product Thinking Mindset? and Why is Product Thinking important? "Product thinking" has 4 areas, but these four areas are based on data-based influencing: the goal is to influence and convince by presenting data, instead of forcing decisions by means of hierarchy.

3/16/2023
Why can't I get a direct connection with Tailscale?

I have the following configuration: pi > home router > work router > aorus 192.168.1.160 90.89.201.88 92.154.18.143 172.31.4.240 I have set up a port-forwarding rule on my home router: 90.89.201.88:41641/udp -> 192.168.1.160:41641 For some reason, when running tailscale ping aorus from pi, the packets are sent from the port 55886 instead of 41641.

3/9/2023
Fixing the blue screen "0xc000000e A required device isn't connected or can't be accessed"

My parents' Windows 10 PC was showing a blue screen on startup: Your PC needs to be repaired. A required device isn't connected or can't be accessed. Error code: 0xc000000e When pressing F8, the screen would blink and show a slightly different message that said that \Windows\system32\winload.exe was missing. In multiple places on the Internet, people were indicating that it might have something to do with the "BCD". I had two SATA SSD disks:

2/21/2023
Using `timeoutSeconds: 10` instead of 30 seconds since cert-manager 1.12

This change from 30 to 10 seconds happened in https://github.com/cert-manager/cert-manager/pull/3323. Unfortunately, in case of a network issue, lowering to 10 seconds hides useful error messages under the unhelpful context deadline exceeded: Error from server (InternalError): error when creating "STDIN": Internal error occurred: failed calling webhook "webhook.certmanager.k8s.io": Post https://kubernetes.default.svc:443/apis/webhook.certmanager.k8s.io/v1beta1/mutations?timeout=30s: context deadline exceeded By have been setting timeoutSeconds to 10 seconds, the TCP handshake timeout (10 seconds), TLS handshake timeout (30 seconds) and HTTP response headers timeout (10 seconds) never show:

2/18/2023
Read more from Maël Valais
Published on HackMD