Kubectl couldn't connect to EKS cluster: Unable to connect to the server: getting credentials: decoding stdout: yaml: did not find expected comment or line break

0

Hi, I'm trying to connect to an EKS cluster with kubectl. For this purpose I have configured the kubeconfig file with the following command: aws eks update-kubeconfig --region eu-west-1 --name cluster_name --profile myprofile

The kubeconfig is correct:

    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data:
        server: https://EC89XB6.gr7.eu-west-1.eks.amazonaws.com
      name: arn:aws:eks:eu-west-1:234529526209:cluster/dcp-sandbox-eks
    contexts:
    - context:
        cluster: arn:aws:eks:eu-west-1:x:cluster/-eks
        user: arn:aws:eks:eu-west-1::cluster/-eks
      name: arn:aws:eks:eu-west-1:cluster/-eks
    current-context: arn:aws:eks:eu-west-1::cluster/eks
    kind: Config
    preferences: {}
    users:
    - name: arn:aws:eks:eu-west-1:xxxx:cluster/xxxx-eks
      user:
        exec:
          apiVersion: client.authentication.k8s.io/v1beta1
          args:
          - --region
          - eu-west-1
          - eks
          - get-token
          - --cluster-name
          - -eks
          - --output
          - json
          command: aws
          env:
          - name: AWS_PROFILE
            value: myprofile

I have even executed the command to get the token and it works: aws eks get-token --cluster-name eks_cluster_name --region eu-west-1 --output json --profile myprofile

When I try to execute a command with kubectl, like kubectl get svc, I get the following error:

E0323 17:07:47.316581 90145 memcache.go:265] couldn't get current server API group list: Get "https://EC89X2E03FB6.gr7.eu-west-1.eks.amazonaws.com/api?timeout=32s": getting credentials: decoding stdout: yaml: did not find expected comment or line break
Unable to connect to the server: getting credentials: decoding stdout: yaml: did not find expected comment or line break

For more information: the cluster version is 1.29, kubectl version 1.29.3, AWS CLI version: aws-cli/2.15.25. I'm on macOS.

I've also checked that my role is in the configmap aws-auth. With the same role I can access the cluster.

Same error when I try this command: kubectl get pods --kubeconfig ~/.kube/config

I get information when I run this command: aws eks describe-cluster --name -eks --region eu-west-1 --query cluster.resourcesVpcConfig --profile myprofile

EDIT: I launched the command in the tracing mode:

kubectl get svc -v=9 

and I found that kubectl is using curl. Unfortunately the curl is failing to get the current server API group list. Nothing new!

So I decided to extract the curl command and execute it to see the result:

curl -v -XGET  -H "Accept: application/json;g=apidiscovery.k8s.io;v=v2beta1;as=APIGroupDiscoveryList,application/json" -H "User-Agent: kubectl/v1.29.0 (darwin/amd64) kubernetes/3034fd4" 'https://EC8B6.gr7.eu-west-1.eks.amazonaws.com/api?timeout=32s'

and the result was

    Note: Unnecessary use of -X or --request, GET is already inferred.
    * Trying 52..179:443...
    * Connected to EC89XB6.gr7.eu-west-1.eks.amazonaws.com (52..179) port 443
    * ALPN: curl offers h2,http/1.1
    * (304) (OUT), TLS handshake, Client hello (1):
    * CAfile: /Users/......pem
    * CApath: none
    * (304) (IN), TLS handshake, Server hello (2):
    * (304) (IN), TLS handshake, Unknown (8):
    * (304) (IN), TLS handshake, Request CERT (13):
    * (304) (IN), TLS handshake, Certificate (11):
    * SSL certificate problem: unable to get local issuer certificate
    * Closing connection
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: https://curl.se/docs/sslcerts.html

    curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

As my company is using Zscaler as a gateway for internet, I thought that it was a good idea to configure curl to get the root Zscaler certificate, with no hope...

For your information, for the AWS CLI I have configured the variables: REQUESTS_CA_BUNDLE and AWS_CA_BUNDLE

For curl I have configured these variables in my bashrc file: CURL_CA_BUNDLE, SSL_CERT_FILE, CERT_PATH

I'm not sure if the problem is linked with the Zscaler certificates.

Should I add AWS root certificates on my machine?

Thanks for any help

Could you please help me. I have no clue what can cause the issue.

Issa
asked a month ago, 546 views
1 Answer
1

The most probable cause of the issue is likely incorrect formatting or syntax errors in the kubeconfig file, particularly in the token command section. To address this, it's important to carefully review the formatting and use an online YAML validator to ensure the file's syntax is correct.

Note: Using a YAML validator can help identify syntax errors, but it may not resolve your issue; it's a useful step to narrow down the cause.

EXPERT
answered a month ago
  • Thanks Osvaldo. It's not the kubeconfig file. Please take a look at my edit.
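
An added example, not code from either poster: the "decoding stdout" part of the error refers to the output of the `exec` command configured in the kubeconfig (`aws ... eks get-token`), which kubectl expects to be a single ExecCredential document. The check below applies that expectation to captured stdout; `check_exec_credential` and both sample outputs are constructed for illustration, and the token is a placeholder.

```python
import json

# apiVersion taken from the users[].user.exec stanza of the kubeconfig in the question.
EXPECTED_API_VERSION = "client.authentication.k8s.io/v1beta1"


def check_exec_credential(stdout, expected_api_version=EXPECTED_API_VERSION):
    """Return a list of problems found in an exec plugin's stdout; empty means usable."""
    text = stdout.strip()
    if not text:
        return ["stdout is empty"]
    try:
        obj, end = json.JSONDecoder().raw_decode(text)
    except json.JSONDecodeError:
        # Anything printed ahead of the JSON (warning, banner, debug line) lands here.
        first = text.splitlines()[0]
        return [f"stdout does not start with a JSON document: {first[:60]!r}"]
    problems = []
    if text[end:].strip():
        problems.append(f"extra text after the JSON document: {text[end:].strip()[:60]!r}")
    if not isinstance(obj, dict):
        return problems + ["top-level value is not an object"]
    if obj.get("kind") != "ExecCredential":
        problems.append(f"kind is {obj.get('kind')!r}, expected 'ExecCredential'")
    if obj.get("apiVersion") != expected_api_version:
        problems.append(
            f"apiVersion is {obj.get('apiVersion')!r}, kubeconfig expects {expected_api_version!r}")
    status = obj.get("status")
    # For the EKS token flow the credential is carried in status.token.
    if not isinstance(status, dict) or not status.get("token"):
        problems.append("status.token is missing")
    return problems


# Constructed sample outputs (placeholder token, not a real credential).
CLEAN = json.dumps({
    "kind": "ExecCredential",
    "apiVersion": "client.authentication.k8s.io/v1beta1",
    "spec": {},
    "status": {"expirationTimestamp": "2024-03-23T16:21:47Z",
               "token": "k8s-aws-v1.PLACEHOLDER"},
})
NOISY = "warning: constructed example of extra text on stdout\n" + CLEAN

if __name__ == "__main__":
    for label, out in (("clean", CLEAN), ("noisy", NOISY)):
        print(label, check_exec_credential(out) or "OK")
```

To check the real command, run it with the same `args` and `env` as the kubeconfig (AWS_PROFILE set in the environment rather than `--profile` on the command line), capture stdout only, and pass that string in.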
