Skip to content

echonet: pin kubernetes client below v36 to fix in-cluster auth#14197

Merged
ron-starkware merged 1 commit into
mainfrom
ron/echonet-pin-kubernetes-client-below-36
May 26, 2026
Merged

echonet: pin kubernetes client below v36 to fix in-cluster auth#14197
ron-starkware merged 1 commit into
mainfrom
ron/echonet-pin-kubernetes-client-below-36

Conversation

@ron-starkware
Copy link
Copy Markdown
Contributor

@ron-starkware ron-starkware commented May 26, 2026

v36.0.0 of the kubernetes Python client stores the in-cluster token under api_key["authorization"] while auth_settings() now reads api_key["BearerToken"], so no Authorization header is sent and the API server rejects requests as system:anonymous.

@ron-starkware @claude
echonet: pin kubernetes client below v36 to fix in-cluster auth
45bb99b 
v36.0.0 of the kubernetes Python client stores the in-cluster token
under api_key["authorization"] while auth_settings() now reads
api_key["BearerToken"], so no Authorization header is sent and the
API server rejects requests as system:anonymous.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ron-starkware ron-starkware self-assigned this May 26, 2026
@cursor
Copy link
Copy Markdown

cursor Bot commented May 26, 2026
edited
Loading

PR Summary

Low Risk
Single-line dependency constraint in deployment startup; restores expected in-cluster RBAC behavior with no application logic changes.

Overview
The echonet container startup pip install now pins the Python kubernetes client to versions below 36 ('kubernetes<36') instead of installing the latest release.

This avoids kubernetes 36.0.0, where in-cluster token storage and auth_settings() no longer align, so the API client can omit the Authorization header and the cluster sees system:anonymous instead of the pod service account.

Reviewed by Cursor Bugbot for commit 45bb99b. Bugbot is set up for automated code reviews on this repo. Configure here.

@reviewable-StarkWare
Copy link
Copy Markdown

reviewable-StarkWare commented May 26, 2026

This change is Reviewable

matanl-starkware
matanl-starkware approved these changes May 26, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@matanl-starkware matanl-starkware left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@matanl-starkware reviewed 1 file and all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved (waiting on ron-starkware).

@ron-starkware ron-starkware added this pull request to the merge queue May 26, 2026
Merged via the queue into main with commit 435cc58 May 26, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@matanl-starkware matanl-starkware matanl-starkware approved these changes

Assignees

@ron-starkware ron-starkware

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ron-starkware @reviewable-StarkWare @matanl-starkware