How to send token within url in Kubernetes?

Question

I want to use websocket to access Kubernetes API, and so it is more convenient to send token like wss://example.com" + url + "&access_token=blahblahblah. The official API doc sends token in header. Where can I find such a token and send it with url?

What I want to do is to exec pods via a web page through websocket:

Container-Terminal via Websocket

Support exec and pod logging over WebSockets

Answer 1

There is currently no way to send Authorization headers using native javascript WebSockets.

• All third-party websocket libraries depend on the in-browser WebSocket class, which currently does not support custom headers. I tried a bunch of different libraries, but no luck :(
• See Stack Overflow thread here: https://stackoverflow.com/a/4361358
• The reason that this is not implemented is that Chromium/Chrome implementors are opposed to it. See the full discussion here: https://github.com/whatwg/websockets/issues/16#issuecomment-332065542

My workaround

Currently I'm working around this by using the @kubernetes/client-node in NodeJS to open a WebSocket connection.

The ws WebSocket library in NodeJS does support Authorization headers.

Then forwarding the NodeJS WebSocket messages to the front-end using Socket.io: https://stackoverflow.com/a/62547135.

Answer 2

Bearer token authentication in the URL is not supported in Kubernetes currently, only as an Authorization header.

Answer 3

After searching over the Internet and reading many discussion on Kubernetes, I post my own answer about accessing kubernetes API with password in url, not header:

wss://username:myPassword@Address.To.Kubernetes/api/v1/namespaces/default/pods/YourPodName/exec?stdout=1&stdin=1&stderr=1&tty=1&command=%2Fbin%2Fsh

The username and password is in ~/.kube/config

Welcome answers for sending bearer token.