Token authorization works differently with native kubernetes client #371

@nnseva

Problem description

Let's say the code looks like this (the sample was taken from the original package doc):

token = ...
host = ...

from kubernetes import client, config
from kubernetes_asyncio import client as aclient, config as aconfig

def m_sync():
    cnft = client.Configuration()
    cnft.api_key['authorization'] = token
    cnft.api_key_prefix['authorization'] = 'Bearer'
    cnft.host = host
    cnft.verify_ssl = False
    clnt = client.ApiClient(cnft)
    apit = client.CoreV1Api(clnt)
    pods = apit.list_pod_for_all_namespaces()
    print("???", len(pods.items))

async def m_async():
    cnft = aclient.Configuration()
    cnft.api_key['authorization'] = token
    cnft.api_key_prefix['authorization'] = 'Bearer'
    cnft.host = host
    cnft.verify_ssl = False
    clnt = aclient.ApiClient(cnft)
    apit = aclient.CoreV1Api(clnt)
    pods = await apit.list_pod_for_all_namespaces()
    print("???", len(pods.items))

The m_sync() call (original kubernetes client) works fine, while await m_async() fails with:

ApiException: (403)
Reason: Forbidden
HTTP response headers: <CIMultiDictProxy('Audit-Id': 'ffc90878-4049-40d6-8785-457c72bf9702', 'Cache-Control': 'no-cache, private', 'Content-Length': '253', 'Content-Type': 'application/json', 'Date': 'Mon, 01 Sep 2025 17:36:37 GMT', 'X-Content-Type-Options': 'nosniff', 'X-Kubernetes-Pf-Flowschema-Uid': '91942f4e-d6aa-4dd7-8a9b-f3d6e3d8c78f', 'X-Kubernetes-Pf-Prioritylevel-Uid': '7037b042-e75b-4696-98ae-c594cc86ddf4')>
HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods is forbidden: User \"system:anonymous\" cannot list resource \"pods\" in API group \"\" at the cluster scope","reason":"Forbidden","details":{"kind":"pods"},"code":403}

Expected behaviour

The await m_async() call should work fine, the same way as m_sync().

Workaround available

Now, to make the async code work, I need to replace the api_key and api_key_prefix keys with different keys in the async code:

async def m_async():
    ...
    cnft.api_key['BearerToken'] = token
    cnft.api_key_prefix['BearerToken'] = 'Bearer'
    ...

Issue explanation with the code

A reason for the issue is the buggy code, probably copied from the original (old?) kubernetes client code:

(client/configuration.py)

    async def auth_settings(self):
        """Gets Auth Settings dict for api client.

        :return: The Auth Settings information dict.
        """
        auth = {}
        if 'BearerToken' in self.api_key:
            auth['BearerToken'] = {
                'type': 'api_key',
                'in': 'header',
                'key': 'authorization',
                'value': await self.get_api_key_with_prefix(
                    'BearerToken',
                ),
            }
        return auth

The original library now contains the following code at this point:

    def auth_settings(self):
        """Gets Auth Settings dict for api client.

        :return: The Auth Settings information dict.
        """
        auth = {}
        if 'authorization' in self.api_key:
            auth['BearerToken'] = {
                'type': 'api_key',
                'in': 'header',
                'key': 'authorization',
                'value': self.get_api_key_with_prefix('authorization')
            }
        return auth

As you can see, the only difference is the key.

Proposed solution

Replace the auth_settings method in client/configuration.py with the following code:

    async def auth_settings(self):
        """Gets Auth Settings dict for api client.
    
        :return: The Auth Settings information dict.
        """
        auth = {}
        if 'authorization' in self.api_key:
            auth['BearerToken'] = {
                'type': 'api_key',
                'in': 'header',
                'key': 'authorization',
                'value': await self.get_api_key_with_prefix('authorization')
            }
        return auth
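
The failure mode reported above, as an added example that is not part of the original post or of either library: a constructed stand-in, `StubConfiguration`, reproduces the two `auth_settings` lookups quoted in the issue, and a hypothetical guard, `require_credentials_sent`, raises when a token is configured under a key that yields no Authorization header, instead of letting the request go out as `system:anonymous`. Every name other than `api_key`, `api_key_prefix`, `auth_settings` and `get_api_key_with_prefix` is an assumption, and the token is a constructed value.

```python
import asyncio

class StubConfiguration:
    """Constructed stand-in: models only api_key, api_key_prefix, auth_settings."""
    def __init__(self, lookup_key):
        self.lookup_key = lookup_key  # the key auth_settings() looks for
        self.api_key = {}
        self.api_key_prefix = {}

    async def get_api_key_with_prefix(self, name):
        prefix = self.api_key_prefix.get(name)
        return f"{prefix} {self.api_key[name]}" if prefix else self.api_key[name]

    async def auth_settings(self):
        auth = {}
        if self.lookup_key in self.api_key:
            auth['BearerToken'] = {
                'type': 'api_key', 'in': 'header', 'key': 'authorization',
                'value': await self.get_api_key_with_prefix(self.lookup_key),
            }
        return auth

async def require_credentials_sent(cfg):
    """Fail closed: raise if a token is configured but no header would be sent."""
    settings = await cfg.auth_settings()
    headers = {s['key']: s['value'] for s in settings.values() if s['in'] == 'header'}
    if cfg.api_key and 'authorization' not in headers:
        raise RuntimeError(
            f"api_key entries {sorted(cfg.api_key)} produce no Authorization "
            "header; requests would be anonymous")
    return headers

def check(lookup_key, config_key, token="constructed-token"):
    """Store a token under config_key; return the headers or the error text."""
    cfg = StubConfiguration(lookup_key)
    cfg.api_key[config_key] = token
    cfg.api_key_prefix[config_key] = 'Bearer'
    try:
        return asyncio.run(require_credentials_sent(cfg))
    except RuntimeError as exc:
        return str(exc)

if __name__ == "__main__":
    print(check('BearerToken', 'authorization'))    # failing combination from the issue
    print(check('BearerToken', 'BearerToken'))      # the workaround
    print(check('authorization', 'authorization'))  # the proposed fix
```

Running a check like this once at client start-up turns the silent downgrade to anonymous access into an immediate configuration error rather than a 403 on the first API call.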
