Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🧩 Analysis chain
🌐 Web query:
Python kubernetes client 36.0.1 release notes: were there breaking changes to kubernetes.config.load_incluster_config, kubernetes.config.load_kube_config, kubernetes.client.CoreV1Api, or kubernetes.client.rest.ApiException/status compared with 31.0.0?💡 Result:
There were breaking auth-related changes/regressions in kubernetes Python client v36.0.0 (the release line that includes 36.0.1) compared with v31.0.0, affecting: 1) kubernetes.config.load_incluster_config Yes. In v36, load_incluster_config writes the service-account token into Configuration.api_key['authorization'], but Configuration.auth_settings/auto-generated auth code expects the token in api_key['BearerToken'] (so Authorization headers are not sent). This manifests as 401 Unauthorized/system:anonymous responses after upgrading from v35 to v36. [1][2][3] 2) kubernetes.config.load_kube_config Likely yes (paired regression). An issue notes the same loader-side mismatch for load_kube_config (kube_config.py writes the old key shape) causing BearerToken-authed requests to go anonymous in v36. [2] 3) kubernetes.client.CoreV1Api Not a direct client-API breaking change by itself. CoreV1Api is just an API class; the breakage reported occurs when making calls via CoreV1Api after load_incluster_config/load_kube_config in v36, due to the auth/header mismatch. [1][3] 4) kubernetes.client.rest.ApiException / status No explicit breaking change to ApiException itself or a status field was identified in the sources returned. The reported failures are HTTP-level 401/403 responses triggered by missing/incorrect Authorization headers, which then surface via exceptions. [1][3] What you should do if upgrading to 36.x - If you rely on load_incluster_config/load_kube_config, treat v36 as having a breaking auth regression unless you apply the upstream fix or pin to <36.0.0 as suggested in the issues. [2] Confidence: Medium (high confidence about load_incluster_config/load_kube_config auth token key mismatch; lower confidence about ApiException/status because the returned sources didn’t show a concrete change log item for those symbols).
Citations:
Configuration.auth_settings()returns empty dict in v36.0.0 - all BearerToken-authed requests go anonymous kubernetes-client/python#2582Kubernetes v36.0.1 client upgrade breaks auth loader—pin or apply workaround before merge.
Dockerfilepinskubernetes==36.0.1. The kubernetes Python client has a known breaking auth regression in the v36.0.0+/36.0.1 release line:load_incluster_config(and likelyload_kube_config) writes the service-account token toConfiguration.api_key['authorization'], while the generated auth code expectsConfiguration.api_key['BearerToken'], resulting in missing Authorization headers (e.g., 401system:anonymous) onCoreV1Apicalls.Action: pin
kubernetesto<36.0.0or apply the upstream fix/workaround soBearerTokenis populated before creating/usingCoreV1Api.🤖 Prompt for AI Agents