If you use `kubectl get pod foo -v10` you see a curl line, but this does not work.
Example:
```
guettli@p15:~$ curl -k -v -XGET -H "Accept: application/json;as=Table;v=v1;g=meta.k8s.io,application/json;as=Table;v=v1beta1;g=meta.k8s.io,application/json" -H "User-Agent: kubectl/v1.23.4 (linux/amd64) kubernetes/e6c093d" 'https://127.0.0.1:44529/api/v1/namespaces/default/pods/busybox'
* Trying 127.0.0.1:44529...
* Connected to 127.0.0.1 (127.0.0.1) port 44529 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=kube-apiserver
* start date: Feb 2 10:34:41 2022 GMT
* expire date: Feb 2 10:34:41 2023 GMT
* issuer: CN=kubernetes
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55ef6413b5e0)
> GET /api/v1/namespaces/default/pods/busybox HTTP/2
> Host: 127.0.0.1:44529
> accept: application/json;as=Table;v=v1;g=meta.k8s.io,application/json;as=Table;v=v1beta1;g=meta.k8s.io,application/json
> user-agent: kubectl/v1.23.4 (linux/amd64) kubernetes/e6c093d
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 403
< cache-control: no-cache, private
< content-type: application/json
< x-content-type-options: nosniff
< x-kubernetes-pf-flowschema-uid: d45b0ee7-7e06-463e-b8d1-6ab74852b967
< x-kubernetes-pf-prioritylevel-uid: 3be84978-2771-4afe-972d-50dec7f8b951
< content-length: 289
< date: Mon, 21 Feb 2022 17:20:21 GMT
<
{"kind":"Status","apiVersion":"v1","metadata":{},
"status":"Failure",
"message":"pods \"busybox\" is forbidden: User \"system:anonymous\" cannot get resource \"pods\" in API group \"\" in the namespace \"default\"",
"reason":"Forbidden",
"details":{"name":"busybox","kind":"pods"},"code":403}
* Connection #0 to host 127.0.0.1 left intact
```
How can I use the client cert which is in `.kube/config`?
I use kind 0.11.1
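
Added example, not part of the original question: the logged curl line carries no credentials, which is why the API server answers as `system:anonymous`. The sketch below decodes the client certificate, key and cluster CA from the kubeconfig and passes them to curl with `--cert`, `--key` and `--cacert` in place of `-k`. It assumes a kubeconfig with one cluster and one user whose credentials are embedded as `*-data` fields (as kind writes them); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a single-cluster,
# single-user kubeconfig with inline base64 "*-data" fields, as kind writes.

# Print the base64-decoded value of the first "<KEY>: <value>" line.
kubeconfig_field() {    # usage: kubeconfig_field FILE KEY
  awk -v k="$2:" '$1 == k { print $2; exit }' "$1" | base64 -d
}

# Print the API server URL of the first cluster entry.
kubeconfig_server() {   # usage: kubeconfig_server FILE
  awk '$1 == "server:" { print $2; exit }' "$1"
}

# GET an API path with the client certificate; extra curl arguments pass through.
# The body runs in a subshell so umask, variables and the trap stay local.
kube_curl() (           # usage: kube_curl FILE /api/v1/... [curl args]
  cfg=$1; path=$2; shift 2
  umask 077                              # key material readable by owner only
  dir=$(mktemp -d) || exit 1
  trap 'rm -rf "$dir"' EXIT              # never leave the private key on disk
  kubeconfig_field "$cfg" certificate-authority-data > "$dir/ca.crt"
  kubeconfig_field "$cfg" client-certificate-data    > "$dir/client.crt"
  kubeconfig_field "$cfg" client-key-data            > "$dir/client.key"
  # --cacert verifies the server against the cluster CA instead of skipping
  # verification with -k; --cert/--key authenticate the client.
  curl --silent --show-error \
       --cacert "$dir/ca.crt" --cert "$dir/client.crt" --key "$dir/client.key" \
       "$@" "$(kubeconfig_server "$cfg")$path"
)

# Example call:
#   kube_curl ~/.kube/config /api/v1/namespaces/default/pods/busybox
```

The decoded key grants whatever the kubeconfig user is allowed to do (cluster admin on a default kind cluster), so the temporary directory is removed as soon as curl returns.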