Hi,
I'm trying to connect to an EKS cluster with kubectl. For this purpose I have configured the kubeconfig file with the following command:
aws eks update-kubeconfig --region eu-west-1 --name cluster_name --profile myprofile
The kubeconfig is correct:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data:
    server: https://EC89XB6.gr7.eu-west-1.eks.amazonaws.com
  name: arn:aws:eks:eu-west-1:234529526209:cluster/dcp-sandbox-eks
contexts:
- context:
    cluster: arn:aws:eks:eu-west-1:x:cluster/-eks
    user: arn:aws:eks:eu-west-1::cluster/-eks
  name: arn:aws:eks:eu-west-1:cluster/-eks
current-context: arn:aws:eks:eu-west-1::cluster/eks
kind: Config
preferences: {}
users:
- name: arn:aws:eks:eu-west-1:xxxx:cluster/xxxx-eks
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - --region
      - eu-west-1
      - eks
      - get-token
      - --cluster-name
      - -eks
      - --output
      - json
      command: aws
      env:
      - name: AWS_PROFILE
        value: myprofile
I have even executed the command to get the token and it works.
aws eks get-token --cluster-name eks_cluster_name --region eu-west-1 --output json --profile myprofile
When I try to execute a command with kubectl, like kubectl get svc, I get the following error:
E0323 17:07:47.316581 90145 memcache.go:265] couldn't get current server API group list: Get "https://EC89X2E03FB6.gr7.eu-west-1.eks.amazonaws.com/api?timeout=32s": getting credentials: decoding stdout: yaml: did not find expected comment or line break
Unable to connect to the server: getting credentials: decoding stdout: yaml: did not find expected comment or line break
For more information, the cluster version is 1.29
kubectl version 1.29.3
aws cli version: aws-cli/2.15.25
I'm on macOS
I've also checked that my role is in the configmap aws-auth. With the same role I can access the cluster.
Same error when I try this command:
kubectl get pods --kubeconfig ~/.kube/config
I get information when I run this command
aws eks describe-cluster --name -eks --region eu-west-1 --query cluster.resourcesVpcConfig --profile myprofile
EDIT:
I launched the command in the tracing mode:
kubectl get svc -v=9
and I found that kubectl is using curl.
Unfortunately the curl is failing to get the current server API group list. Nothing new!
So I decided to extract the curl command and execute it to see the result:
curl -v -XGET -H "Accept: application/json;g=apidiscovery.k8s.io;v=v2beta1;as=APIGroupDiscoveryList,application/json" -H "User-Agent: kubectl/v1.29.0 (darwin/amd64) kubernetes/3034fd4" 'https://EC8B6.gr7.eu-west-1.eks.amazonaws.com/api?timeout=32s'
and the result was
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying 52..179:443...
* Connected to EC89XB6.gr7.eu-west-1.eks.amazonaws.com (52..179) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /Users/......pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Request CERT (13):
* (304) (IN), TLS handshake, Certificate (11):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
As my company is using Zscaler as a gateway for the internet, I thought it was a good idea to configure curl to get the root Zscaler certificate, with no hope...
For your information, for the AWS CLI I have configured the variables: REQUESTS_CA_BUNDLE and AWS_CA_BUNDLE
For curl I have configured these variables in my bashrc file: CURL_CA_BUNDLE, SSL_CERT_FILE, CERT_PATH
I'm not sure if the problem is linked with the Zscaler certificates.
Should I add AWS root certificates on my machine?
Thanks for any help
Could you please help me.
I have no clue what can cause the issue.
Thanks Osvaldo. It's not the kubeconfig file. Please take a look at my edit.
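The "decoding stdout" error above comes from the credential step: kubectl runs the exec plugin from the kubeconfig (here aws eks get-token) and expects its stdout to be exactly one ExecCredential document. The script below is an added diagnostic, not code from the original post or from kubectl; it runs the plugin with the same argv and env kubectl would use and reports the first bytes of any non-JSON output (a proxy banner, shell-profile echo or debug print). It assumes kubectl is on PATH and the current context uses an exec plugin with --output json.

```python
"""Run the kubeconfig exec credential plugin the way kubectl does and validate its stdout."""
import json
import os
import subprocess
import sys


def build_exec_invocation(exec_spec: dict) -> tuple:
    """Build argv and environment from a kubeconfig users[].user.exec block.
    kubectl runs `command` with `args` in the parent environment plus `env` entries."""
    argv = [exec_spec["command"], *exec_spec.get("args", [])]
    env = dict(os.environ)
    for item in exec_spec.get("env") or []:
        env[item["name"]] = item["value"]
    return argv, env


def check_exec_credential(stdout: str) -> tuple:
    """Return (ok, message) for the plugin's stdout. Anything other than a single
    ExecCredential document (leading or trailing text) makes kubectl fail with
    'getting credentials: decoding stdout'."""
    try:
        doc = json.loads(stdout)
    except json.JSONDecodeError as exc:
        head = stdout[:60].replace("\n", "\\n")
        return False, f"stdout is not JSON at offset {exc.pos}; starts with: {head!r}"
    if doc.get("kind") != "ExecCredential":
        return False, f"kind is {doc.get('kind')!r}, expected 'ExecCredential'"
    token = (doc.get("status") or {}).get("token")
    if not token:
        return False, "status.token missing or empty"
    return True, f"ExecCredential OK ({doc.get('apiVersion')}, token length {len(token)})"


def main() -> int:
    # kubectl renders the kubeconfig as JSON for us, so no YAML parser is needed.
    raw = subprocess.run(["kubectl", "config", "view", "--raw", "--minify", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    exec_spec = json.loads(raw)["users"][0]["user"]["exec"]
    argv, env = build_exec_invocation(exec_spec)
    print("running:", " ".join(argv), file=sys.stderr)
    proc = subprocess.run(argv, env=env, capture_output=True, text=True)
    ok, msg = check_exec_credential(proc.stdout)
    print(msg)
    if proc.stderr:
        print("plugin stderr:", proc.stderr.strip(), file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

If the plugin's stdout starts with something other than `{`, that leading text is what kubectl's decoder chokes on, independent of the separate curl CA problem shown above.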