Skip to content

Latest commit

 

History

History
51 lines (41 loc) · 2.02 KB

api.md

File metadata and controls

51 lines (41 loc) · 2.02 KB

API

Generate a token

A temporary token can be generated using:

GET /apis/token.kubevirt.io/v1/namespaces/${VMI_NAMESPACE}/virtualmachines/${VMI_NAME}/vnc

Where ${VMI_NAMESPACE} and ${VMI_NAME} are the namespace and name of a running VMI.

Parameters

  • duration - Duration while the token is valid. If it is not specified, then the token will expire after 10 minutes. The minimum duration value is 10 minutes, and there isn't a maximum value. Its format is described in the golang library documentation here:

A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as 300ms, -1.5h or 2h45m. Valid time units are ns, us (or µs), ms, s, m, h.

Result

Result is a JSON object containing the token:

{ "token": "eyJhb..." }

Example

curl --header "Authorization: Bearer ${KUBERNETES_USER_TOKEN}" \
     "https://${K8S_API_URL}/apis/token.kubevirt.io/v1/namespaces/${VMI_NAMESPACE}/virtualmachines/${VMI_NAME}/vnc?duration=${DURATION}"

In this example, we use a bearer token to authenticate the user with the Kubernetes API server. Kubernetes supports two main ways of authentication, token and TLS client certificates. Additional methods can be configured using the authenticating proxy. More information is in the documentation.

If the user is logged in using a token, then the token can be retrieved using:

KUBERNETES_USER_TOKEN=$(oc whoami -t)

Revoking a token

Revoking a single token is not possible. All tokens associated with a VM can be revoked by deleting the ServiceAccount that was created for generating them. It is in the same namespace as the VM, its name is ${VM_NAME}-vnc-access, and it has ownerReference set to the VM.

kubectl delete serviceaccount --namespace "${VM_NAMESPACE}" "${VM_NAME}-vnc-access"