Authentication

Configuring authentication in kr8s is optional as it will check the paths that kubectl uses.

import kr8s

client = kr8s.api()
import kr8s.asyncio

client = await kr8s.asyncio.api()

Lookup order:

  • ~/.kube/config (or the path set by the KUBECONFIG environment variable)

  • /var/run/secrets/kubernetes.io/serviceaccount

When reading from a kube config file the following authentication methods are supported:

  • Client certificate

  • Token

  • Exec

  • OIDC

Warning

Support for the legacy auth-provider methods is not planned.

Tip

To find out which user kr8s is currently authenticated with you can call client.whoami().

print(client.whoami())
# 'kubernetes-admin'
print(await client.whoami())
# 'kubernetes-admin'

Manual configuration

You can also manually specify authentication information when you create your kr8s client object.

Note

When using the Object API you may not even need to create an API client, however when configuring credentials manually it can still be helpful to create an instance of the client via kr8s.api as this API client will be cached and reused by objects in the future.

See Client Caching for more information.

URL

Connecting directly to a URL assumes no authentication information is necessary. This is most useful when using with kubectl proxy which proxies the Kubernetes API on localhost without requiring authentication.

$ kubectl proxy
Starting to serve on 127.0.0.1:8001
import kr8s

client = kr8s.api(url="127.0.0.1:8001")
import kr8s.asyncio

client = await kr8s.asyncio.api(url="127.0.0.1:8001")

Kube Config

By default the first place kr8s will look for configuration is in ~/.kube/config. However you can point it anywhere else of the system if your configuration is stored at another location.

import kr8s

client = kr8s.api(kubeconfig="/path/to/kube/config")
import kr8s.asyncio

client = await kr8s.asyncio.api(kubeconfig="/path/to/kube/config")

Context

If you have multiple contexts in your config and you do not want to use the default or currently selected one you can set this explicitly.

import kr8s

client = kr8s.api(context="foo-context")
import kr8s.asyncio

client = await kr8s.asyncio.api(context="foo-context")

Service Account

When running inside a Pod with a service account, credentials will be mounted into /var/run/secrets/kubernetes.io/serviceaccount so kr8s will also check there. However you can specify an alternate path if you know that service account style credentials are stored elsewhere.

import kr8s

client = kr8s.api(serviceaccount="/path/to/kube/config")
import kr8s.asyncio

client = await kr8s.asyncio.api(serviceaccount="/path/to/kube/config")