dotnet-kube-client: The request failed with unexpected status code 'Forbidden' when connecting to GKE
First of all, thank you for this library! I totally agree with the design philosophy and the API feels so much more ergonomic than the official client.
I tried it to get all pods in a kubectl get pods fashion (using ~/.kube/config):
```csharp
K8sConfig config = K8sConfig.Load();
KubeClientOptions clientOptions = config.ToKubeClientOptions(
    defaultKubeNamespace: "default"
);
clientOptions.LogHeaders = true;
clientOptions.LogPayloads = true;
var loggerFactory = new LoggerFactory();
loggerFactory.AddFile("test.log", LogLevel.Trace);
client = KubeApiClient.Create(clientOptions, loggerFactory);
```
but I always get this error:
```text
HTTPlease.HttpRequestException`1[KubeClient.Models.StatusV1]: The request failed with unexpected status code 'Forbidden'.
   at HTTPlease.FormatterResponseExtensions.ReadContentAsAsync[TBody,TError](HttpResponseMessage responseMessage, HttpStatusCode[] successStatusCodes)
   at KubeClient.ResourceClients.KubeResourceClient.GetResourceList[TResourceList](HttpRequest request, CancellationToken cancellationToken)
   at KubeClient.ResourceClients.PodClientV1.List(String labelSelector, String kubeNamespace, CancellationToken cancellationToken)
   at Kubectl.GetKubePodCmdlet.ProcessRecord() in /Users/felix/src/github.com/felixfbecker/PSKubectl/src/GetKubePodCmdlet.cs:line 23
   at System.Management.Automation.Cmdlet.DoProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()
```
The cluster is hosted on Google Kubernetes Engine.
kubectl get pods lists the pods successfully.
These are the logs:
```text
2018-08-16T17:07:16.9259220+02:00 [DBG] Performing "GET" request to 'https://35.202.230.255/api/v1/namespaces/default/pods'. (cd91936f)
2018-08-16T17:07:18.8543420+02:00 [DBG] Receive response body for "GET" request to 'https://35.202.230.255/api/v1/namespaces/default/pods' (Forbidden):
"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"pods is forbidden: User \\"system:anonymous\\" cannot list pods in the namespace \\"default\\": No policy matched.\nUnknown user \\"system:anonymous\\"\",\"reason\":\"Forbidden\",\"details\":{\"kind\":\"pods\"},\"code\":403}
" (29add6de)
2018-08-16T17:07:18.8547270+02:00 [DBG] Completed "GET" request to 'https://35.202.230.255/api/v1/namespaces/default/pods' (Forbidden). (be205803)
```
This is the auth config in kubeconfig:
```yaml
user:
  auth-provider:
    config:
      access-token: REDACTED
      cmd-args: config config-helper --format=json
      cmd-path: /Users/felix/google-cloud-sdk/bin/gcloud
      expiry: 2018-08-15T18:06:19Z
      expiry-key: '{.credential.token_expiry}'
      token-key: '{.credential.access_token}'
    name: gcp
```
Any idea why kubectl get pods works but KubeClient fails?
About this issue
- State: closed
- Created 6 years ago
- Comments: 27 (20 by maintainers)
Commits related to this issue
- Sketch out basic support for command-based authentication to the K8s API (e.g. as used by GCP). tintoy/dotnet-kube-client#20 — committed to tintoy/dotnet-kube-client by tintoy 6 years ago
- Use ConfigureAwait(false) when obtaining access tokens. tintoy/dotnet-kube-client#20 — committed to tintoy/dotnet-kube-client by tintoy 6 years ago
- Add support for configuring command-based auth providers from K8s client configuration. tintoy/dotnet-kube-client#20 — committed to tintoy/dotnet-kube-client by tintoy 6 years ago
- Fix buggy implementation of CommandBearerTokenHandler. tintoy/dotnet-kube-client#20 — committed to tintoy/dotnet-kube-client by tintoy 6 years ago
- Improve cancellation behaviour when waiting for authentication command process to terminate. tintoy/dotnet-kube-client#20 — committed to tintoy/dotnet-kube-client by tintoy 6 years ago
- Make CommandBearerTokenHandler thread-safe (for most-common use case). tintoy/dotnet-kube-client#20 — committed to tintoy/dotnet-kube-client by tintoy 6 years ago
- Simplify logic for asynchronously awaiting process exit. Also, don't include command STDOUT / STDERR in exception message (may contain sensitive information). tintoy/dotnet-kube-client#20 — committed to tintoy/dotnet-kube-client by tintoy 6 years ago
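The kubeconfig in the issue caches an `access-token` whose `expiry` (2018-08-15T18:06:19Z) predates the logged request, so a client has to run `cmd-path` with `cmd-args` and read the token through `token-key`. The sketch below is an added example of that resolution in Python, not code from dotnet-kube-client or kubectl; `resolve_token`, `FAKE_HELPER` and `SAMPLE` are hypothetical names, and the gcloud helper is replaced by a constructed stand-in so it runs offline.

```python
import json
import shlex
import subprocess
import sys
from datetime import datetime, timezone

def _lookup(doc, key):
    # Resolve the simple JSONPath form used by token-key / expiry-key,
    # e.g. '{.credential.access_token}'.
    for part in key.strip("{}").lstrip(".").split("."):
        doc = doc[part]
    return doc

def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def resolve_token(cfg, now=None):
    """Return (token, source) for a kubeconfig auth-provider 'config' mapping."""
    now = now or datetime.now(timezone.utc)
    cached, expiry = cfg.get("access-token"), cfg.get("expiry")
    if cached and expiry and _parse_time(expiry) > now:
        return cached, "cache"
    # Cached token missing or expired: run the helper command for a fresh one.
    argv = [cfg["cmd-path"], *shlex.split(cfg.get("cmd-args", ""))]
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=30)
    if proc.returncode != 0:
        # Helper output can contain credentials; report only the exit code.
        raise RuntimeError(f"auth command exited with code {proc.returncode}")
    out = json.loads(proc.stdout)
    token = _lookup(out, cfg["token-key"])
    if _parse_time(_lookup(out, cfg["expiry-key"])) <= now:
        raise RuntimeError("auth command returned an already-expired token")
    return token, "command"

# Constructed stand-in for `gcloud config config-helper --format=json`.
FAKE_HELPER = ('import json; print(json.dumps({"credential": {"access_token": "fresh-token",'
               ' "token_expiry": "2099-01-01T00:00:00Z"}}))')
SAMPLE = {  # constructed, shaped like the auth-provider config in the issue
    "access-token": "stale-token",
    "cmd-path": sys.executable,
    "cmd-args": "-c " + shlex.quote(FAKE_HELPER),
    "expiry": "2018-08-15T18:06:19Z",
    "expiry-key": "{.credential.token_expiry}",
    "token-key": "{.credential.access_token}",
}

if __name__ == "__main__":
    at_request = datetime(2018, 8, 16, 15, 7, 16, tzinfo=timezone.utc)
    token, source = resolve_token(SAMPLE, now=at_request)
    print(source, "->", f"Authorization: Bearer <{len(token)}-char token>")
```

A request sent without the resulting `Authorization: Bearer` header is what the API server attributes to `system:anonymous`, as in the 403 body above.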
I can confirm that it works with `kubectl proxy` on stable WiFi 😃