Having problem in authenticating kubernetes python client

7/23/2019

my lisNamespaces.py file

from __future__ import print_function
import time
import kubernetes.client
from kubernetes.client.rest import ApiException

configuration = kubernetes.client.Configuration()
configuration.ssl_ca_cert = 'LS0XXXXXXXXXS0tLQo='
configuration.api_key['authorization'] = 'ZXXXXXXXXXXdw=='
configuration.api_key_prefix['authorization'] = 'Bearer'
configuration.host = 'https://aaaaaaaaaaaaaaa.gr7.us-east-1.eks.amazonaws.com'
#configuration.verify_ssl = False


api_instance = kubernetes.client.CoreV1Api(kubernetes.client.ApiClient(configuration))
api_response = api_instance.list_namespace()
for i in api_response.items:
    print(i.metadata.name)

For the ssl_ca_cert value I ran kubectl edit secret nameofsa-token-xyze -n default and used the ca.crt value. The user has cluster-level admin permissions.

For the bearer token I have used the same user's TOKEN.

If I disable SSL verification by setting configuration.verify_ssl = False, my code works fine but with a warning.

I want to know what mistake I am making here in passing ssl_ca_cert. Please help me with this.

-- naveen kumar
kubernetes
kubernetes-python-client
ssl-client-authentication

2 Answers

7/23/2019

You can test the token with a basic request:

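import requests

# Read the bearer token; strip the trailing newline so the header value is valid
with open('/path/to/token', 'r') as token_file:
    token = token_file.read().strip()

url = 'https://my-kubernetes-cluster'

headers = {"Authorization": "Bearer " + token}

# verify= points at the CA bundle file used to validate the API server certificate
r = requests.get(url, verify='/path/to/ca_chain.crt', headers=headers)

for line in r.iter_lines():
    print(line)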

If the request goes through you can test this code:

from kubernetes import client
from kubernetes.client import Configuration, ApiClient
config = Configuration()
config.api_key = {'authorization': 'Bearer <api_key>'}
config.host = 'https://my-kubernetes-cluster'
config.ssl_ca_cert = "/path/to/ca_chain.crt"

api_client = ApiClient(configuration=config)
v1 = client.CoreV1Api(api_client)

v1.list_pod_for_all_namespaces(watch=False)

Try and let me know if it works for you.

-- Crou
Source: StackOverflow

7/23/2019

The mistake I made was to pass the ca.crt data, which I got from kubectl edit secret nameofsa-token-xyze -n default, directly to configuration.ssl_ca_cert in the code.

Instead, what should be done is to decode the data, which I got from the above command (kubectl edit secret nameofsa-token-xyze -n default), using base64 --decode. This is how I did it:

kubectl get secrets default-token-nqkdv -n default -o jsonpath='{.data.ca\.crt}' | base64 --decode > ca.crt

Then I need to pass the path of the ca.crt file in the code, so the final code looks like below:

from __future__ import print_function
import time
import kubernetes.client
from kubernetes.client.rest import ApiException

configuration = kubernetes.client.Configuration()
configuration.ssl_ca_cert = 'ca.crt'
configuration.api_key['authorization'] = 'ZXXXXXXXXXXdw=='
configuration.api_key_prefix['authorization'] = 'Bearer'
configuration.host = 'https://aaaaaaaaaaaaaaa.gr7.us-east-1.eks.amazonaws.com'

api_instance = kubernetes.client.CoreV1Api(kubernetes.client.ApiClient(configuration))
api_response = api_instance.list_namespace()
for i in api_response.items:
    print(i.metadata.name)

-- naveen kumar
Source: StackOverflow
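
The fix above, as an added example that is not part of either answer: Secret .data values are base64-encoded (a base64-encoded PEM header begins with LS0t), while ssl_ca_cert expects a path to a PEM file. The function names classify_ca_value and load_sa_credentials are hypothetical, and the sample Secret is constructed.

```python
import base64
import json
import os
import tempfile

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

# Constructed sample Secret: placeholder PEM body and token, not real credentials.
SAMPLE_PEM = PEM_MARKER + b"\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_SECRET = json.dumps({"data": {
    "ca.crt": base64.b64encode(SAMPLE_PEM).decode(),
    "token": base64.b64encode(b"constructed.sample.token").decode(),
}})


def classify_ca_value(value):
    """Report what a string meant for ssl_ca_cert actually holds."""
    if os.path.isfile(value):
        with open(value, "rb") as f:
            return "pem-file" if PEM_MARKER in f.read() else "non-pem-file"
    if value.lstrip().startswith(PEM_MARKER.decode()):
        return "inline-pem"  # PEM text, but the client expects a path
    try:
        decoded = base64.b64decode(value.strip(), validate=True)
    except ValueError:
        return "unknown"
    return "base64-pem" if PEM_MARKER in decoded else "unknown"


def load_sa_credentials(secret_json, out_dir):
    """Decode ca.crt and token from `kubectl get secret <name> -o json` output."""
    data = json.loads(secret_json)["data"]
    ca_pem = base64.b64decode(data["ca.crt"], validate=True)
    if PEM_MARKER not in ca_pem:
        raise ValueError("decoded ca.crt does not contain a PEM certificate")
    token = base64.b64decode(data["token"], validate=True).decode("ascii").strip()
    ca_path = os.path.join(out_dir, "ca.crt")
    # Create the file owner-only; the token stays in memory.
    fd = os.open(ca_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(ca_pem)
    return ca_path, token


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        ca_path, token = load_sa_credentials(SAMPLE_SECRET, d)
        # ca_path goes to configuration.ssl_ca_cert, token to api_key['authorization']
        print(classify_ca_value(ca_path), len(token))
```

A result of "base64-pem" or "inline-pem" from classify_ca_value means the value should be written to a file first, rather than turning off verify_ssl.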