kubectl exec does not work with kubectl proxy

Question

I wanted to execute kubectl exec command and connect to a container, so that I can execute some commands on it. I have set the proxy with the following command:

kubectl proxy -p=8080 --kubeconfig=/directory_path/remote-kubeconfig &

proxy started running. I tried executing kubectl exec command:

kubectl exec -it <pod> --namespace=<namespace> -c <container> -- ls -l

I got the following error:

error: unable to upgrade connection: <h3>Unauthorized</h3>

Did I missed anything while executing kubectl exec command ?? Please help.

Answer 1

By default, kubectl proxy rejects API commands matching ^/api/./pods/./exec.

All you need to do in order to "bypass" this is start kubectl proxy with the appropriate flags:

kubectl proxy --port 8080 --reject-paths "^/api/./pods/./attach"

Of course, this comes with the security risk that anyone with access to your proxy can now exec into any of the pods on the cluster.

If you actually need to do this in a production environment, I highly recommend restricting what the proxy has access to using RBAC authorization - run the proxy as a Deployment with a ServiceAccount.

For more information, see:

https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#proxy https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Answer 2

I got a solution for this problem but not a good one.

I issued --disable-filter along with kubectl proxy command. After that, I could execute kubectl exec commands successfully.

But when I use --disable-filter, it is prone to vulnerability. A message Request filter disabled, your proxy is vulnerable to XSRF attacks, please be cautious is displayed with --disable-filter.

so, I dont think that this is a good solution.

Please let me know, if any one knows better solution for this problem.