K
Q

Kubernetes Java API does not use username password supplied

1/11/2018

This is in regards to version 0.2 of the Kubernetes Java client. I'm guessing the way to use basic authentication in the Java API is to do this

ApiClient client = Config.fromUserPassword( "https://....:6443", "user", "password", false );
Configuration.setDefaultApiClient( client );
CoreV1Api api = new CoreV1Api();
// Make api call like
api.listNode(...)

However the above code always returns 403 Forbidden. From the response message, it doesn't look like the user/pass is being used in the request.

{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"nodes is forbidden: User \"system:anonymous\" cannot list nodes at the cluster scope","reason":"Forbidden","details":{"kind":"nodes"},"code":403}

I also debugged through the code a bit and I may be answering my own question but it looks like in CoreV1Api's methods, it never add basic auth as an authentication method and only uses BearerToken. Is basic auth supported or should I be using another API class?

-- BGRT
java
kubernetes

Similar Questions

How to use PersistentVolumeClaim if replicas attribute value is greater than 1?
Kubernetes ingress-nginx preserve source IP
"Bake" Stage Type not showing in Stage Types Dropdown in Spinnaker Pipeline
Mapping ports on Pod level

3 Answers

6/19/2018

The java client ignores the HttpBasicAuth object, but if you use the ApiKeyAuth object and set the key prefix to "Basic" and the API key to the base64 encoded credentials, it will work.

For example:

String credentials= new String(Base64.getEncoder().encode("user:password".getBytes())); ApiClient defaultClient = Configuration.getDefaultApiClient(); defaultClient.setBasePath("https://256.256.256.256"); ApiKeyAuth fakeBearerToken = (ApiKeyAuth) defaultClient.getAuthentication("BearerToken"); fakeBearerToken.setApiKey(credentials); fakeBearerToken.setApiKeyPrefix("Basic");

This works because the kubernetes client will simply concatenate the API key prefix with the prefix, and put the result in the "Authorization" header.

-- Lior Okman
Source: StackOverflow
2/2/2018

Answering my own question but it doesn't look like the current version of the client actually executes the user/pass authentication. BearerToken is working however.

-- BGRT
Source: StackOverflow
1/12/2018

Many kubernetes clusters do not set up basic auth, only bearer token auth. Are you sure your cluster configured basic authentication?

https://kubernetes.io/docs/admin/authentication/#static-password-file

-- Jordan Liggitt
Source: StackOverflow