EKS with idrsa integration auth issue

[k8sdevlk]

Auth issue with your client code and not sure how to fix it.

OS: MacOS Bigsur
Python: 3.9

Using included example code:

---

import asyncio
import logging

from kubernetes_asyncio import client, config

async def main():
await config.load_kube_config()
v1 = client.CoreV1Api()
print("Listing pods with their IPs:")
ret = await v1.list_pod_for_all_namespaces()

for i in ret.items:
    print(i.status.pod_ip, i.metadata.namespace, i.metadata.name)

if name == 'main':
logging.basicConfig(level=logging.DEBUG)
loop = asyncio.get_event_loop()
loop.run_until_complete(main())
loop.close()

---

kubectl works fine but using the script above, I'm getting the following error:

DEBUG:asyncio:Using selector: KqueueSelector
DEBUG:root:kubeconfig loader - current-context testcluster, cluster testcluster, user testclusteruser, provider None
DEBUG:root:Try to use exec provider
Listing pods with their IPs:
DEBUG:kubernetes_asyncio.client.rest:response body: b'{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:anonymous\" cannot list resource \"pods\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}\n'

why system:anonymous? I have authenticated with IAM role and able to use kubectl w/o issue already. The debug is correct context/user/cluster info.

The following library from kubernetes python library (not asyncio) works fine:

from kubernetes import client, config

config.load_kube_config()

v1 = client.CoreV1Api()

#namespaces = v1.list_namespace().to_dict()['items']
pods = v1.list_pod_for_all_namespaces().to_dict()['items']

print(pods)

Any specific change I need to make in order for kubernetes_asyncio to work on my local laptop for development?

Special thanks,

LK

[tomplus]

Thanks for your report. Could you provide your kubeconfig (without IPs, certs and passwords)? Which version of K8s do you use?

[k8sdevlk]

Hello Tom,

Below is the kubeconfig file I'm using:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: L*==
    server: https://testcluster-endpoint.us-east-1.eks.amazonaws.com
  name: testcluster
contexts:
- context:
    cluster: testcluster
    namespace: test
    user: testcluster
  name: testcluster
current-context: testcluster
kind: Config
preferences: {}
users:
- name: testclusteruser
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - eks
      - get-token
      - --cluster-name
      - testcluster
      command: aws
      env:
      - name: AWS_PROFILE
        value: testcluster_profile
      - name: AWS_DEFAULT_REGION
        value: us-east-1
      interactiveMode: IfAvailable
      provideClusterInfo: false

[k8sdevlk]

I have another question related to "watch" - does it handle reconnection if it gets disconnected for various reasons and is it indefinite connection or specific timeout built in?

[tomplus]

Could you try to downgrade to kubernetes-asyncio==21.7.1? There is similar issue where downgrade to previous version helps (#187 (comment)).

[k8sdevlk]

Downgrading to 21.7.1 works fine!

Thank you.

[tomplus]

@k8sdevlk It should be fixed now. Could you try with the latest version 22.6.1? Thanks.

[tomplus]

I assume that the problem is solved, please reopen if necessary. Thanks.