Handshake status 401 Unauthorized during connect_get_namespaced_pod_exec when using service account #2297
Comments
It works from within a pod container running with the correct service account when using But it's very annoying and time-consuming if I need to build the Docker image and redeploy it before I can test it. I would like to be able to run the script from outside of the cluster, but having the same RBAC permissions.
/help
Comparing the configuration in both cases, there is a difference: the incluster config uses the internal IP address of the Kubernetes API, while the KUBECONFIG config uses the external IP address. The cacert in both cases is the same. Not sure if this is relevant.
Traceback (most recent call last):
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/connectionpool.py", line 466, in _make_request
self._validate_conn(conn)
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/connectionpool.py", line 1095, in _validate_conn
conn.connect()
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/connection.py", line 730, in connect
sock_and_verified = _ssl_wrap_socket_and_match_hostname(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/connection.py", line 909, in _ssl_wrap_socket_and_match_hostname
ssl_sock = ssl_wrap_socket(
^^^^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/util/ssl_.py", line 469, in ssl_wrap_socket
ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls, server_hostname)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/util/ssl_.py", line 513, in _ssl_wrap_socket_impl
return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/python/current/lib/python3.12/ssl.py", line 455, in wrap_socket
return self.sslsocket_class._create(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/python/current/lib/python3.12/ssl.py", line 1041, in _create
self.do_handshake()
File "/usr/local/python/current/lib/python3.12/ssl.py", line 1319, in do_handshake
self._sslobj.do_handshake()
ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:1000)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/connectionpool.py", line 789, in urlopen
response = self._make_request(
^^^^^^^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/connectionpool.py", line 490, in _make_request
raise new_e
urllib3.exceptions.SSLError: EOF occurred in violation of protocol (_ssl.c:1000)
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/workspaces/misc/python-client-test/python-client-test.py", line 88, in <module>
main()
File "/workspaces/misc/python-client-test/python-client-test.py", line 48, in main
pods = core_api.list_namespaced_pod(NAMESPACE)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/kubernetes/client/api/core_v1_api.py", line 15823, in list_namespaced_pod
return self.list_namespaced_pod_with_http_info(namespace, **kwargs) # noqa: E501
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/kubernetes/client/api/core_v1_api.py", line 15942, in list_namespaced_pod_with_http_info
return self.api_client.call_api(
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/kubernetes/client/api_client.py", line 348, in call_api
return self.__call_api(resource_path, method,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/kubernetes/client/api_client.py", line 180, in __call_api
response_data = self.request(
^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/kubernetes/client/api_client.py", line 373, in request
return self.rest_client.GET(url,
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/kubernetes/client/rest.py", line 244, in GET
return self.request("GET", url,
^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/kubernetes/client/rest.py", line 217, in request
r = self.pool_manager.request(method, url,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/_request_methods.py", line 135, in request
return self.request_encode_url(
^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/_request_methods.py", line 182, in request_encode_url
return self.urlopen(method, url, **extra_kw)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/poolmanager.py", line 443, in urlopen
response = conn.urlopen(method, u.request_uri, **kw)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/connectionpool.py", line 873, in urlopen
return self.urlopen(
^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/connectionpool.py", line 873, in urlopen
return self.urlopen(
^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/connectionpool.py", line 873, in urlopen
return self.urlopen(
^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/connectionpool.py", line 843, in urlopen
retries = retries.increment(
^^^^^^^^^^^^^^^^^^
File "/workspaces/misc/python-client-test/.venv/lib/python3.12/site-packages/urllib3/util/retry.py", line 519, in increment
raise MaxRetryError(_pool, url, reason) from reason # type: ignore[arg-type]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='172.16.128.1', port=443): Max retries exceeded with url: /api/v1/namespaces/test-ns/pods (Caused by SSLError(SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:1000)')))
What happened (please include outputs or screenshots):
I would like to use kubernetes-client to exec into a pod container. This script is to run from within another pod, so I need to work with a service account. For testing I run the script from my workstation command line, using my standard kubernetes (admin) user. So the idea is to switch to the service account from within the script (unconditionally for test purposes). This seems to work. But when I actually exec into a container, I receive an exception:
I've executed some more tests and figured out:
exec also works fine
I conclude: there seems to be an issue during protocol handover from REST to WebSocket (this is also suggested by the call stack).
Did I do something wrong? Is this a bug? Is there a workaround?
What you expected to happen:
I expected to be able to successfully exec into a container.
How to reproduce it (as minimally and precisely as possible):
This is my Kubernetes test environment (use kubectl apply -f):
and this is the script I'm trying to execute:
Environment:
kubectl version):
base:1.0.10-bullseye on Docker Desktop 4.21.1 on WSL2 on Windows 10 Version 22H2, Build 19045.4780