K
Q

Is Authorization: Bearer different than kubectl --token?

2/4/2020

Using --token flag results in a successful query, but using curl results in a 401.

kubectl --token=eyJhbGciOiJSUzI1NiIsInR... get ns
NAME              STATUS   AGE
default           Active   3m47s
kube-node-lease   Active   3m48s
kube-public       Active   3m48s
kube-system       Active   3m48s

curl -XGET -H "Authorization: Bearer $TOKEN" -k https://192.168.64.13:8443/apis
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}%

What is the difference between these two options? My understanding was that they are the same.

My token is a JWT provided by keycloak.

Edit: More info per responses below...

Running with high verbosity yields a curl request.

 k --v=9 --token=$TOKEN get po
I0204 09:10:08.439084   26734 loader.go:375] Config loaded from file:  /Users/me/.kube/config
I0204 09:10:08.445696   26734 round_trippers.go:423] curl -k -v -XGET  -H "Accept: application/json;as=Table;v=v1beta1;g=meta.k8s.io, application/json" -H "User-Agent: kubectl/v1.17.1 (darwin/amd64) kubernetes/d224476" -H "Authorization: Bearer eyJhbGciOiJSUzI1...." 'https://192.168.64.13:8443/api/v1/namespaces/default/pods?limit=500'
I0204 09:10:08.464046   26734 round_trippers.go:443] GET https://192.168.64.13:8443/api/v1/namespaces/default/pods?limit=500 200 OK in 18 milliseconds
I0204 09:10:08.464070   26734 round_trippers.go:449] Response Headers:
I0204 09:10:08.464074   26734 round_trippers.go:452]     Date: Tue, 04 Feb 2020 17:10:08 GMT
I0204 09:10:08.464078   26734 round_trippers.go:452]     Cache-Control: no-cache, private
I0204 09:10:08.464082   26734 round_trippers.go:452]     Content-Type: application/json
I0204 09:10:08.464086   26734 round_trippers.go:452]     Content-Length: 2931
I0204 09:10:08.464127   26734 request.go:1017] Response Body: {"kind":"Table",..... VALID RESPONSE.

But Pasting the same curl returns 401

curl -k -v -XGET  -H "Accept: application/json;as=Table;v=v1beta1;g=meta.k8s.io, application/json" -H "User-Agent: kubectl/v1.17.1 (darwin/amd64) kubernetes/d224476" -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cC..." 'https://192.168.64.13:8443/api/v1/namespaces/default/pods?limit=500'

{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
* Connection #0 to host 192.168.64.13 left intact
* Closing connection 0

How can I perform the same query via curl and get results?

-- thisguy123
kubectl
kubernetes

Similar Questions

Istio auto scale up need to adjust circut breaker maxConnections (http 1.1)?
diff between whats active on cluster versus kustomize
Kubernetes cluster default timezone?
helm values from kubernetes secrets?

1 Answer

2/4/2020

Yes they are same as kubectl internally will do a curl to the API server endpoint.You can view what was the curl request sent to the Kubernetes API Server by running kubectl command with verbosity set and then compare that with the curl command that you are using.

kubectl --v=9 --token=eyJhbGciOiJSUzI1NiIsInR... get ns | grep curl
-- Arghya Sadhu
Source: StackOverflow