The arcaflow-lib-kubernetes-python from arcalot

Api client not able to properly be set when no certs are in kubeconfig

Describe the bug

When running krkn on an aro cluster we found that the api client can not properly authenticate/configure the kubeconfig with the kube:admin user. (See last section for error output) Think this is because the kubeconfig does not have any certs to properly set in the api rest client

We also found this on ibmcloud

Sample kubeconfig file

apiVersion: v1
clusters:
- cluster:
    server: https://api.***.eastus.aroapp.io:6443
  name: api-*****-eastus-aroapp-io:6443
contexts:
- context:
    cluster: api-****-eastus-aroapp-io:6443
    namespace: default
    user: kube:admin/api-****-eastus-aroapp-io:6443
  name: default/api-****-eastus-aroapp-io:6443/kube:admin
current-context: default/api-***-eastus-aroapp-io:6443/kube:admin
kind: Config
preferences: {}
users:
- name: kube:admin/api-***-eastus-aroapp-io:6443
  user:
    token: REDACTED

To reproduce

Create an aro cluster
Login as kubeadmin
Clone krkn repo
Install requirements
Set kubeconfig path and scenarios to only

plugin_scenarios:
- scenarios/openshift/etcd.yml

Run python run_kraken.py

Additional context

We could try to pass the token as part of the apiclient initiation
https://github.com/arcalot/arcaflow-lib-kubernetes-python/blob/b58d8b84c490e5c17567f0a940e0567e13bd3d09/src/arcaflow_lib_kubernetes/convert.py#L392C35-L392C35

Local krkn run output

% python run_kraken.py
 _              _              
| | ___ __ __ _| | _____ _ __  
| |/ / '__/ _` | |/ / _ \ '_ \ 
|   <| | | (_| |   <  __/ | | |
|_|\_\_|  \__,_|_|\_\___|_| |_|
                               

2023-06-28 12:09:40,717 [INFO] Starting kraken
2023-06-28 12:09:40,730 [INFO] Initializing client to talk to the Kubernetes cluster
 kubeconfig_string None
 kubeconfig_path /Users/prubenda/.kube/aro_kubeconfig
config sha256~xb9gHu95LL4jRRfE_KoY9X41FmiV23TaL8SiwQGtwnk
Traceback (most recent call last):
  File "/Users/prubenda/PycharmProjects/kraken/run_kraken.py", line 435, in <module>
    main(options.cfg)
  File "/Users/prubenda/PycharmProjects/kraken/run_kraken.py", line 109, in main
    kubecli.find_kraken_node()
  File "/Users/prubenda/PycharmProjects/kraken/venv3/lib/python3.10/site-packages/krkn_lib_kubernetes/client.py", line 1089, in find_kraken_node
    pods = self.get_all_pods()
  File "/Users/prubenda/PycharmProjects/kraken/venv3/lib/python3.10/site-packages/krkn_lib_kubernetes/client.py", line 416, in get_all_pods
    ret = self.cli.list_pod_for_all_namespaces(pretty=True)
  File "/Users/prubenda/PycharmProjects/kraken/venv3/lib/python3.10/site-packages/kubernetes/client/api/core_v1_api.py", line 17309, in list_pod_for_all_namespaces
    return self.list_pod_for_all_namespaces_with_http_info(**kwargs)  # noqa: E501
  File "/Users/prubenda/PycharmProjects/kraken/venv3/lib/python3.10/site-packages/kubernetes/client/api/core_v1_api.py", line 17416, in list_pod_for_all_namespaces_with_http_info
    return self.api_client.call_api(
  File "/Users/prubenda/PycharmProjects/kraken/venv3/lib/python3.10/site-packages/kubernetes/client/api_client.py", line 348, in call_api
    return self.__call_api(resource_path, method,
  File "/Users/prubenda/PycharmProjects/kraken/venv3/lib/python3.10/site-packages/kubernetes/client/api_client.py", line 180, in __call_api
    response_data = self.request(
  File "/Users/prubenda/PycharmProjects/kraken/venv3/lib/python3.10/site-packages/kubernetes/client/api_client.py", line 373, in request
    return self.rest_client.GET(url,
  File "/Users/prubenda/PycharmProjects/kraken/venv3/lib/python3.10/site-packages/kubernetes/client/rest.py", line 241, in GET
    return self.request("GET", url,
  File "/Users/prubenda/PycharmProjects/kraken/venv3/lib/python3.10/site-packages/kubernetes/client/rest.py", line 235, in request
    raise ApiException(http_resp=r)
kubernetes.client.exceptions.ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'Audit-Id': '59d4bd00-aad6-42a8-a45a-1d3b72da7ca0', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': 'e8e85a06-85e7-468e-ab9d-d4a3a3bdbd3d', 'X-Kubernetes-Pf-Prioritylevel-Uid': '2129a0ac-eab4-4e3e-ada6-5c0595ac22fb', 'Date': 'Wed, 28 Jun 2023 16:09:40 GMT', 'Content-Length': '294'})
HTTP response body: {
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "pods is forbidden: User \"system:anonymous\" cannot list resource \"pods\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "pods"
  },
  "code": 403
}

Kubernetes credentials reading

Please describe what you would like to see in this project

Take a Go-style Kubernetes connection structure and create a Kubernetes client connection.

Please describe your use case

Standardized Kubernetes connection structure.

Improve testing to cover ARO kubeconfig test case

Please describe what you would like to see in this project

Add a new ARO or IBM cloud kubeconfig to the test data which does not have a ca cert/key and only has a bearer token.

This helps avoid issues like this in the future: #6
Also related to #7

arcalot / arcaflow-lib-kubernetes-python Goto Github PK

arcaflow-lib-kubernetes-python's People

Contributors

Watchers

Forkers

arcaflow-lib-kubernetes-python's Issues

Api client not able to properly be set when no certs are in kubeconfig

Describe the bug

To reproduce

Additional context

Kubernetes credentials reading

Please describe what you would like to see in this project

Please describe your use case

Improve testing to cover ARO kubeconfig test case

Please describe what you would like to see in this project

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent

Jobs