Unauthorized response when using service account bearer token

6/12/2019
from __future__ import print_function
import kubernetes
import time
import kubernetes.client
from kubernetes.client.rest import ApiException
from pprint import pprint

def create():
    print ("begin");

    configuration = kubernetes.client.Configuration()
    configuration.host="https://192.168.39.240:8443"
    # configuration.username = "cloud-function-job-create";
    configuration.verify_ssl=False
    configuration.api_key['authorization'] = "Bearer " + 'ZXlKaGJHY2lPaUpTVXpJMU5pSXNJbXRwWkNJNklpSjkuZXlKcGMzTWlPaUpyZFdKbGNtNWxkR1Z6TDNObGNuWnBZMlZoWTJOdmRXNTBJaXdpYTNWaVpYSnVaWFJsY3k1cGJ5OXpaWEoyYVdObFlXTmpiM1Z1ZEM5dVlXMWxjM0JoWTJVaU9pSnJkV0psTFhONWMzUmxiU0lzSW10MVltVnlibVYwWlhNdWFXOHZjMlZ5ZG1salpXRmpZMjkxYm5RdmMyVmpjbVYwTG01aGJXVWlPaUpqYkc5MVpDMW1kVzVqZEdsdmJpMXFiMkl0WTNKbFlYUmxMWFJ2YTJWdUxYUmtkbU5ySWl3aWEzVmlaWEp1WlhSbGN5NXBieTl6WlhKMmFXTmxZV05qYjNWdWRDOXpaWEoyYVdObExXRmpZMjkxYm5RdWJtRnRaU0k2SW1Oc2IzVmtMV1oxYm1OMGFXOXVMV3B2WWkxamNtVmhkR1VpTENKcmRXSmxjbTVsZEdWekxtbHZMM05sY25acFkyVmhZMk52ZFc1MEwzTmxjblpwWTJVdFlXTmpiM1Z1ZEM1MWFXUWlPaUpoT1dOaVkyUmxNQzA0WkRVM0xURXhaVGt0T0RGa01TMWxZMk0wT1daak5UTXlZV0lpTENKemRXSWlPaUp6ZVhOMFpXMDZjMlZ5ZG1salpXRmpZMjkxYm5RNmEzVmlaUzF6ZVhOMFpXMDZZMnh2ZFdRdFpuVnVZM1JwYjI0dGFtOWlMV055WldGMFpTSjkualM5MUFvS1FIOUhSamxMUEliN0otT2FUZUJlRkNxWnQzb21WYm1pLVlROENBWnA2UnNxTmVnSjlkUHhPTDEweXpCa2NCR0JSUm9rd2JaSnVsRDRNOC1yVHpUTGdfZUwzWExBYUlpbU1xMFJHQW13Qy1TQmZlNTJ2UDdOVW54MGI1WEx4QXJhVEtIeGhvbE5fLVl0WVBOOUVGM3NIeHFyTFdGQUFmX3dDQl9SSnhDeTdmVzZzMVZfRVFQekNiWmhHa0hoRUpzbGx2Um5XYmVnVkp5a1NhSFRnS2dDV0V2U19KYWprcDU3bEZMdFdISVQzMlBMbmdRUDM2UENwa3I3QWNFQ2FGRjVMbUNLRDRIUWIydTdfendWZ1BDcXpnT05PQ0ZMd2JzUFY0emVLYTR0d0hfNk9DZFAxam5CMlF5V3lZS0MyaVVKcVh1SXRPTXV6dEZaVEt3'


    api_instance = kubernetes.client.BatchV1Api(kubernetes.client.ApiClient(configuration))

    namespace = 'default'
    body = kubernetes.client.V1Job()
    pretty = 'pretty_example' # str | If 'true', then the output is pretty printed. (optional)
    field_manager = 'cloud_function_job_create'


    try: 
        api_response = api_instance.create_namespaced_job(namespace, body, pretty=pretty)
        pprint(api_response)
    except ApiException as e:
        print("Exception when calling BatchV1Api->create_namespaced_job: %s\n" % e)


if __name__ == '__main__':
    create()

The above results in:

Exception when calling BatchV1Api->create_namespaced_job: (401)
Reason: Unauthorized
HTTP response headers: HTTPHeaderDict({'Content-Type': 'application/json', 'Date': 'Wed, 12 Jun 2019 22:21:21 GMT', 'Content-Length': '129'})
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}

Am I perhaps meant to include the certificate? If so how do I specify this?

I have added the cluster-admin ClusterRoleBinding for this service account:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloud-function-job-create
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: cloud-function-job-create
  namespace: kube-system
-- Chris Stryczynski
kubernetes
kubernetes-python-client

1 Answer

6/12/2019

Bearer token was not base64 decoded... Argh

-- Chris Stryczynski
Source: StackOverflow