Why does using kubectl with impersonation --as= result in "The connection to the server localhost:8080 was refused" on a host with only the default service account configured?
I have downloaded kubectl to a host with only the default service account configured. If I try to impersonate any user, e.g. system:anonymous, the following error message is returned: "The connection to the server localhost:8080 was refused".
I can resolve the issue by starting a local proxy using kubectl proxy --port=8080; however, I would like to avoid this.
Why does kubectl try to connect to localhost:8080 when using impersonation (--as=)?
kube@ctf1-k8s-deploy1-545977f47-g9dpl:~$ kubectl config view
apiVersion: v1
clusters: null
contexts: null
current-context: ""
kind: Config
preferences: {}
users: null
kube@ctf1-k8s-deploy1-545977f47-g9dpl:~$ ls /var/run/secrets/kubernetes.io/serviceaccount/
ca.crt namespace token
kube@ctf1-k8s-deploy1-545977f47-g9dpl:~$ kubectl auth can-i --list --as=system:anonymous
The connection to the server localhost:8080 was refused - did you specify the right host or port?

The clusters need to have the host and port of the Kubernetes API Server.
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://API_SERVER_HOST:PORT

Edit:
When --as is added as a parameter to kubectl auth can-i, kubectl is not using the in-cluster configuration any more, which is why it's referring to localhost:8080 instead of the correct API Server IP.
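
One way to avoid both the proxy and the localhost:8080 fallback is to hand kubectl an explicit kubeconfig built from the mounted service account files. The script below is an added example, not part of the original question or answer; the function names and the `in-cluster` / `sa` entry names are hypothetical, and it assumes the standard `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` pod environment variables.

```shell
# Added example: write an explicit kubeconfig from the pod's mounted service
# account, so kubectl does not depend on the in-cluster fallback when --as is set.
SA_DIR_DEFAULT=/var/run/secrets/kubernetes.io/serviceaccount

# api_server_url HOST PORT: print the API server URL, bracketing IPv6 literals.
api_server_url() {
    case "$1" in
        *:*) printf 'https://[%s]:%s\n' "$1" "$2" ;;
        *)   printf 'https://%s:%s\n' "$1" "$2" ;;
    esac
}

# write_sa_kubeconfig OUT [SA_DIR] [HOST] [PORT]; "in-cluster" and "sa" are made-up names.
write_sa_kubeconfig() {
    out=$1
    sa_dir=${2:-$SA_DIR_DEFAULT}
    host=${3:-${KUBERNETES_SERVICE_HOST:-}}
    port=${4:-${KUBERNETES_SERVICE_PORT:-443}}
    [ -n "$host" ] || { echo "API server host not set" >&2; return 1; }
    for f in ca.crt namespace token; do
        [ -r "$sa_dir/$f" ] || { echo "missing $sa_dir/$f" >&2; return 1; }
    done
    ns=$(cat "$sa_dir/namespace")
    ( umask 077   # the file points at a credential; keep it owner-only
      cat > "$out" <<EOF
apiVersion: v1
kind: Config
clusters:
- name: in-cluster
  cluster:
    certificate-authority: $sa_dir/ca.crt
    server: $(api_server_url "$host" "$port")
contexts:
- name: sa
  context:
    cluster: in-cluster
    namespace: $ns
    user: sa
current-context: sa
users:
- name: sa
  user:
    tokenFile: $sa_dir/token
EOF
    )
}
```

Run `write_sa_kubeconfig /tmp/sa.kubeconfig`, then `kubectl --kubeconfig /tmp/sa.kubeconfig auth can-i --list --as=system:anonymous`. The API server only honours `--as` if the service account has been granted the `impersonate` verb through RBAC; otherwise the request is rejected as forbidden.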