
I have created an EKS cluster using the IAM user. So now the system:creator is my own IAM user. I have configured the aws CLI and kubectl command line tools to use the credentials properly, and both command line tools, aws and kubectl, are working fine.

Now, I'm trying to call the API to list the pods in the kube-system namespace using the curl command below.

```
curl -v https://abc.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/pods?limit=500 --header "Authorization: Bearer $TOKEN" --cacert test.crt
```

I obtained TOKEN using the following command:

```
TOKEN=$(aws eks get-token --cluster-name test-clus --profile default)
```

The test.crt file contains the base64 format of the certificate authority string provided by the EKS cluster (details page of the EKS cluster).

However, I'm getting an Unauthorized error:

```
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
* Connection #0 to host abc.gr7.us-east-1.eks.amazonaws.com left intact
}
```

Environment details:

EKS version: 1.24

aws cli version: aws-cli/2.9.15

kubectl version:

```
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short.  Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.0", GitCommit:"b46a3f887ca979b1a5d14fd39cb1af43e7e5d12d", GitTreeState:"clean", BuildDate:"2022-12-08T19:58:30Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"24+", GitVersion:"v1.24.8-eks-ffeb93d", GitCommit:"abb98ec0631dfe573ec5eae40dc48fd8f2017424", GitTreeState:"clean", BuildDate:"2022-11-29T18:45:03Z", GoVersion:"go1.18.8", Compiler:"gc", Platform:"linux/amd64"}
WARNING: version difference between client (1.26) and server (1.24) exceeds the supported minor version skew of +/-1
```

I don't understand what the issue is. The surprising thing is that I'm the creator of the EKS cluster, yet I'm still not able to access the API.

Please suggest.

user2315104
You'll want `| jq -r .status.token` since had you examined the output from `eks get-token` you'd have noticed it's wrapped in [a `v1beta1.ExecCredential` structure](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/eks/get-token.html#examples) but only the `k8s-aws-v1.aH...` part is meaningful to the api-server – mdaniel Feb 28 '23 at 02:35
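
The extraction the comment describes, as an added example (not code from the question or the comment): it pulls `.status.token` out of a constructed ExecCredential document, rejects a `$TOKEN` value that still holds the whole JSON, and decodes the token body to show the presigned STS request it carries. The function names and sample values are assumptions for illustration; the STS URL is constructed, not a real signed request.

```python
import base64
import json
from urllib.parse import urlsplit, parse_qs

TOKEN_PREFIX = "k8s-aws-v1."  # prefix named in the comment above


def _b64url(data: bytes) -> str:
    # EKS tokens use URL-safe base64 with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


# Constructed sample: the shape `aws eks get-token` prints, with a fake signed URL.
_FAKE_URL = ("https://sts.us-east-1.amazonaws.com/?Action=GetCallerIdentity"
             "&Version=2011-06-15&X-Amz-Expires=60&X-Amz-Signature=CONSTRUCTED")
SAMPLE_OUTPUT = json.dumps({
    "kind": "ExecCredential",
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "spec": {},
    "status": {"expirationTimestamp": "2023-02-28T02:49:00Z",
               "token": TOKEN_PREFIX + _b64url(_FAKE_URL.encode())},
})


def bearer_from_get_token(output: str) -> str:
    """Return only .status.token from the ExecCredential JSON."""
    doc = json.loads(output)
    if doc.get("kind") != "ExecCredential":
        raise ValueError("not an ExecCredential document")
    token = doc["status"]["token"]
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("unexpected token format")
    return token


def looks_like_bearer(value: str) -> bool:
    """Pre-flight check for $TOKEN: one line with the prefix, no JSON syntax."""
    return value.startswith(TOKEN_PREFIX) and not any(c in value for c in '{}" \n')


def presigned_request(token: str) -> dict:
    """Decode the token body to see the signed STS request it carries."""
    body = token[len(TOKEN_PREFIX):]
    url = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    return {"host": parts.hostname, "action": query["Action"][0],
            "expires_s": int(query["X-Amz-Expires"][0])}
```

Running `looks_like_bearer` on the value the question stores in `TOKEN` returns `False`, because that value is the full JSON document rather than the token string.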

0 Answers