kubernetes-client / csharp

Officially supported dotnet Kubernetes Client library
Apache License 2.0

Get Unauthorized when using KubernetesClient in Azure webapp #613

Closed fsigalov closed 3 years ago

fsigalov commented 3 years ago

I'm using a kubeconfig file that works with kubectl, but is not working through KubernetesClient in an Azure webapp. This is working on my dev machine. I'm not sure what issue the IIS hosting is causing. I saw this issue but the cert it's creating from the kubeconfig file already has DigitalSignature set. Here's my code

    var configModel = KubernetesClientConfiguration.LoadKubeConfig(m_kubeConfig);
    var config = KubernetesClientConfiguration.BuildConfigFromConfigObject(configModel);
    HttpClientHandler handler = new HttpClientHandler();
    handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
    handler.SslProtocols = System.Security.Authentication.SslProtocols.Tls12;
    handler.ClientCertificateOptions = ClientCertificateOption.Manual;
    HttpClient httpClient = new HttpClient(handler);
    kubernetesClient = new Kubernetes(config, httpClient);

fsigalov commented 3 years ago

It turned out that the above code was not working locally either. I updated the code to set a ClientCert on the handler:

    handler.ClientCertificates.Add(CertUtils.GeneratePfx(config));

And that fixes my local run, but it changes the Azure error to "The request was aborted: Could not create SSL/TLS secure channel."

brendandburns commented 3 years ago

fwiw, you should definitely not set HttpClientHandler.DangerousAcceptAnyServerCertificateValidator

It shouldn't be necessary, and it makes it possible for someone to man in the middle your SSL.

I don't know what might be different in Azure WebApps. Is the version of dotnet the same in both cases?
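An added example, not part of the thread or the project's own code: a validation callback that accepts the API server certificate only when it chains to the cluster CA from the kubeconfig, used in place of DangerousAcceptAnyServerCertificateValidator. The class and method names are hypothetical, and it assumes config.SslCaCerts holds the kubeconfig's certificate-authority data.

```csharp
using System.Linq;
using System.Net.Http;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using k8s;

public static class ClusterCaValidation   // hypothetical helper, not a library type
{
    // Accept the server certificate only if the host name matched and the
    // chain ends in one of the CA certificates taken from the kubeconfig.
    public static bool Validate(X509Certificate2Collection caCerts,
                                X509Certificate2 serverCert,
                                SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;   // already trusted by the OS store
        // Name mismatch or a missing certificate is fatal; only an untrusted chain is re-checked.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors) return false;
        if (serverCert == null || caCerts == null || caCerts.Count == 0) return false;

        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.ExtraStore.AddRange(caCerts);
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            // Tolerate only "unknown root"; expiry and signature errors still fail Build().
            chain.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
            if (!chain.Build(serverCert)) return false;

            // Build() succeeding is not enough: the root it found must be a CA we supplied.
            var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
            return caCerts.Cast<X509Certificate2>().Any(ca => ca.RawData.SequenceEqual(root.RawData));
        }
    }

    public static Kubernetes CreateClient(KubernetesClientConfiguration config)
    {
        var handler = new HttpClientHandler
        {
            SslProtocols = SslProtocols.Tls12,
            ClientCertificateOptions = ClientCertificateOption.Manual,
            ServerCertificateCustomValidationCallback =
                (request, cert, chain, errors) => Validate(config.SslCaCerts, cert, errors),
        };
        // Client identity from the kubeconfig, as in the follow-up comment above.
        handler.ClientCertificates.Add(CertUtils.GeneratePfx(config));
        return new Kubernetes(config, new HttpClient(handler));
    }
}
```

The ExtraStore plus root comparison is used here because it also works on .NET Framework, where X509ChainPolicy.CustomTrustStore is not available.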

fsigalov commented 3 years ago

I understand that; I'm trying to get it to work at all. I can reduce it to the necessary steps after that. Yes, dotnet should be the same. I'm using framework 4.7.2.

k8s-triage-robot commented 3 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 3 years ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

tg123 commented 3 years ago

merge to #643