Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

The request failed with unexpected status code 'Forbidden' when connecting to GKE

See original GitHub issue

First of all, thank you for this library! I totally agree with the design philosophy and the API feels so much more ergonomic than the official client.

I tried it to get all pods in a kubectl get pods fashion (using ~/.kube/config):

K8sConfig config = K8sConfig.Load();
KubeClientOptions clientOptions = config.ToKubeClientOptions(
    defaultKubeNamespace: "default"
);
clientOptions.LogHeaders = true;
clientOptions.LogPayloads = true;
var loggerFactory = new LoggerFactory();
loggerFactory.AddFile("test.log", LogLevel.Trace);
client = KubeApiClient.Create(clientOptions, loggerFactory);

but I always get this error:

HTTPlease.HttpRequestException`1[KubeClient.Models.StatusV1]: The request failed with unexpected status code 'Forbidden'.
   at HTTPlease.FormatterResponseExtensions.ReadContentAsAsync[TBody,TError](HttpResponseMessage responseMessage, HttpStatusCode[] successStatusCodes)
   at KubeClient.ResourceClients.KubeResourceClient.GetResourceList[TResourceList](HttpRequest request, CancellationToken cancellationToken)
   at KubeClient.ResourceClients.PodClientV1.List(String labelSelector, String kubeNamespace, CancellationToken cancellationToken)
   at Kubectl.GetKubePodCmdlet.ProcessRecord() in /Users/felix/src/github.com/felixfbecker/PSKubectl/src/GetKubePodCmdlet.cs:line 23
   at System.Management.Automation.Cmdlet.DoProcessRecord()
   at System.Management.Automation.CommandProcessor.ProcessRecord()

The cluster is hosted on Google Kubernetes Engine. kubectl get pods lists the pods successfully.

These are the logs:

2018-08-16T17:07:16.9259220+02:00  [DBG] Performing "GET" request to 'https://35.202.230.255/api/v1/namespaces/default/pods'. (cd91936f)
2018-08-16T17:07:18.8543420+02:00  [DBG] Receive response body for "GET" request to 'https://35.202.230.255/api/v1/namespaces/default/pods' (Forbidden):
"{\"kind\":\"Status\",\"apiVersion\":\"v1\",\"metadata\":{},\"status\":\"Failure\",\"message\":\"pods is forbidden: User \\"system:anonymous\\" cannot list pods in the namespace \\"default\\": No policy matched.\nUnknown user \\"system:anonymous\\"\",\"reason\":\"Forbidden\",\"details\":{\"kind\":\"pods\"},\"code\":403}
" (29add6de)
2018-08-16T17:07:18.8547270+02:00  [DBG] Completed "GET" request to 'https://35.202.230.255/api/v1/namespaces/default/pods' (Forbidden). (be205803)

This is the auth config in kubeconfig:

user:
    auth-provider:
      config:
        access-token: REDACTED
        cmd-args: config config-helper --format=json
        cmd-path: /Users/felix/google-cloud-sdk/bin/gcloud
        expiry: 2018-08-15T18:06:19Z
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp

Any idea why kubectl get pods works but KubeClient fails?