
Fix regressions in Configuration.get_api_key_with_prefix bearer-token prefix lookup #2618

Open
HaimLC wants to merge 1 commit into kubernetes-client:master from HaimLC:bearer-token-prefix-alias-fix


@HaimLC HaimLC commented Jul 2, 2026


What type of PR is this?

/kind bug
/kind regression

What this PR does / why we need it:

#2604 restored the api_key['authorization'] fallback in auth_settings() by calling get_api_key_with_prefix('BearerToken', alias='authorization'), but get_api_key_with_prefix only applies the alias fallback to the api_key lookup, not the api_key_prefix lookup:

```python
key = self.api_key.get(identifier, self.api_key.get(alias) if alias is not None else None)
if key:
    prefix = self.api_key_prefix.get(identifier)  # never checks `alias`
```

So callers that set the prefix under the legacy 'authorization' key (rather than embedding "Bearer " directly in the token string) get a bearer token with no "Bearer " prefix in the resulting Authorization header. Most API servers — and specifically GKE's anonymous-auth fallback — don't recognize an unprefixed token as a valid bearer credential, so the request is treated as system:anonymous.

This reproduces with a plain manual Configuration(), no load_incluster_config()/load_kube_config() involved:

```python
from kubernetes import client

configuration = client.Configuration()
configuration.api_key["authorization"] = "<token>"
configuration.api_key_prefix["authorization"] = "Bearer"

print(configuration.auth_settings())
# before this PR: value = '<token>'          (missing "Bearer " prefix)
# after this PR:  value = 'Bearer <token>'   (correct)
```

This PR applies the same alias fallback already used for the key lookup to the prefix lookup, symmetrically in the sync (kubernetes/client/configuration.py) and async (kubernetes/aio/client/configuration.py) variants.

Verified against a real cluster in production: a service using this exact pattern (manual Configuration with api_key/api_key_prefix under 'authorization', talking to an external GKE cluster) was hitting system:anonymous on 36.0.2. Built this fix into that service via a git+ dependency pointing at this branch and confirmed it now authenticates correctly against the live cluster with zero code changes on the caller's side.

Which issue(s) this PR fixes:

Fixes #2592

Does this PR introduce a user-facing change?

Fixed a regression where `Configuration.auth_settings()` would drop the `"Bearer "` prefix for callers using the legacy `api_key['authorization']` / `api_key_prefix['authorization']` convention, causing requests to be sent without a valid Authorization header and rejected as `system:anonymous`. This is a follow-up to the fix in #2604, which restored the key fallback but missed the prefix fallback.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
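
The lookup asymmetry described in the PR description above, as an added example that is not part of the PR or the kubernetes client's own code: `ModelConfiguration`, `legacy_header`, `has_bearer_scheme` and `checked_header` are hypothetical names, the token is a constructed value, and the single-space join of prefix and key is an assumption. It models the lookup with and without the alias fallback on the prefix, and adds a caller-side check that refuses to send a value that lacks the Bearer scheme.

```python
class ModelConfiguration:
    """Simplified stand-in for the client's Configuration (hypothetical model)."""

    def __init__(self, alias_prefix_fallback):
        self.api_key = {}
        self.api_key_prefix = {}
        # False models the behaviour before this PR, True the behaviour after it.
        self.alias_prefix_fallback = alias_prefix_fallback

    def get_api_key_with_prefix(self, identifier, alias=None):
        key = self.api_key.get(
            identifier, self.api_key.get(alias) if alias is not None else None)
        if not key:
            return None
        if self.alias_prefix_fallback and alias is not None:
            prefix = self.api_key_prefix.get(
                identifier, self.api_key_prefix.get(alias))
        else:
            prefix = self.api_key_prefix.get(identifier)
        # Assumption: the prefix is joined to the key with a single space.
        return f"{prefix} {key}" if prefix else key


def has_bearer_scheme(header_value):
    """True only for a value of exactly two parts: the Bearer scheme and one token."""
    parts = (header_value or "").split()
    return len(parts) == 2 and parts[0].lower() == "bearer"


def legacy_header(alias_prefix_fallback):
    """Header value for the legacy split token/prefix convention from the PR."""
    cfg = ModelConfiguration(alias_prefix_fallback)
    cfg.api_key["authorization"] = "constructed-token"  # constructed sample value
    cfg.api_key_prefix["authorization"] = "Bearer"
    return cfg.get_api_key_with_prefix("BearerToken", alias="authorization")


def checked_header(alias_prefix_fallback):
    """Fail closed: raise rather than send a value with no Bearer scheme."""
    value = legacy_header(alias_prefix_fallback)
    if not has_bearer_scheme(value):
        raise ValueError("Authorization value lacks the Bearer scheme; refusing to send")
    return value


if __name__ == "__main__":
    print("before:", legacy_header(False), has_bearer_scheme(legacy_header(False)))
    print("after: ", legacy_header(True), has_bearer_scheme(legacy_header(True)))
```

The same check also rejects a doubled scheme, which makes it usable as a guard in a client wrapper regardless of which library version resolves the prefix.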


Copilot AI review requested due to automatic review settings July 2, 2026 08:59
@kubernetes-prow kubernetes-prow Bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. kind/bug Categorizes issue or PR as related to a bug. kind/regression Categorizes issue or PR as related to a regression from a prior release. labels Jul 2, 2026
@linux-foundation-easycla

linux-foundation-easycla Bot commented Jul 2, 2026


CLA Not Signed

@kubernetes-prow

Contributor

Welcome @HaimLC!

It looks like this is your first PR to kubernetes-client/python 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-client/python has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@kubernetes-prow kubernetes-prow Bot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 2, 2026
@kubernetes-prow kubernetes-prow Bot requested review from roycaihw and yliaog July 2, 2026 08:59
@kubernetes-prow

Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: HaimLC
Once this PR has been reviewed and has the lgtm label, please assign yliaog for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@HaimLC HaimLC changed the title from "Apply alias fallback to prefix lookup in get_api_key_with_prefix" to "Fix regressions in Configuration.get_api_key_with_prefix bearer-token prefix lookup" Jul 2, 2026
PR 2604 restored the api_key['authorization'] fallback in auth_settings()
by calling get_api_key_with_prefix('BearerToken', alias='authorization'),
but get_api_key_with_prefix only applied `alias` to the api_key lookup, not
the api_key_prefix lookup. Callers that set the prefix under the legacy
'authorization' key (rather than embedding "Bearer " directly in the token)
get a bearer token with no "Bearer " prefix, which most API servers (and
GKE's anonymous-auth fallback) don't recognize as a valid Authorization
header -> system:anonymous.

Apply the same alias fallback to the prefix lookup, symmetrically in the
sync (kubernetes/client/configuration.py) and async
(kubernetes/aio/client/configuration.py) variants, matching the pattern
PR 2604 already established for the key lookup.

See kubernetes-client#2592

Signed-off-by: HaimLC <110099998+HaimLC@users.noreply.github.com>
@HaimLC HaimLC force-pushed the bearer-token-prefix-alias-fix branch from 1b5a8f8 to 5a8b6a5 Compare July 2, 2026 09:01
@kubernetes-prow kubernetes-prow Bot removed the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Jul 2, 2026

Copilot AI left a comment


Pull request overview

Fixes a regression in Configuration.get_api_key_with_prefix() where the alias= fallback was applied to api_key but not to api_key_prefix, causing legacy bearer-token configurations (token and "Bearer" prefix stored separately under 'authorization') to emit an unprefixed Authorization header value.

Changes:

  • Apply alias fallback to api_key_prefix lookup in the sync Configuration.get_api_key_with_prefix().
  • Apply the same alias fallback to api_key_prefix lookup in the async aio Configuration.get_api_key_with_prefix().
  • Add a regression test covering the legacy split token/prefix case for the sync configuration.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| kubernetes/client/configuration.py | Adds alias fallback to the prefix lookup so legacy 'authorization' prefix keys are honored. |
| kubernetes/aio/client/configuration.py | Mirrors the same alias fallback behavior in the async configuration implementation. |
| kubernetes/test/test_api_client.py | Adds a regression test ensuring split api_key/api_key_prefix under 'authorization' produces a properly prefixed bearer value. |


Comment on lines 389 to 393
key = self.api_key.get(identifier, self.api_key.get(alias) if alias is not None else None)
if key:
prefix = self.api_key_prefix.get(identifier)
prefix = self.api_key_prefix.get(
identifier, self.api_key_prefix.get(alias) if alias is not None else None)
if prefix:
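
Review bot: in the new `prefix = self.api_key_prefix.get(identifier, ...)` lookup, the prefix falls back to `alias` independently of where `key` was found, so a key stored under `identifier` can be paired with a prefix that exists only under `alias`. If that key already carries its scheme in the string, the alias prefix would be prepended on top of it. Consider resolving once which name supplied the key and using that same name for the prefix lookup, or add a test that pins the mixed case so the behaviour is deliberate. Separately, `.get(identifier, default)` only uses the default when `identifier` is absent from `api_key_prefix`, so an empty or `None` prefix stored under `identifier` suppresses the alias fallback; a short comment saying whether that is intended would help the next reader.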
Development

Successfully merging this pull request may close these issues.

v36.0.0 regression: load_incluster_config() sends requests as system:anonymous on GKE
