How to Pass Authorization Bearer Token in Websocket API

Question

I'm trying to exec kubernetes pod using the Websocket, as per the kubernetes document it can be achieved through passing the Bearer THETOKEN

When using bearer token authentication from an http client, the API server expects an Authorization header with a value of Bearer THETOKEN

Here is the sample for wscat passing Header Value --header "Authorization: Bearer $TOKEN" to establish exec to pod and the connection went successfully

/ # wscat  --header "Authorization: Bearer $TOKEN"  -c "wss://api.0cloud0.com/api/v1/namespaces/ba410a7474380169a5ae230d8e784535/pods/txaclqhshg
-6f69577c74-jxbwn/exec?stdin=1&stdout=1&stderr=1&tty=1&command=sh"

But when it comes to Websocket API connection from web browser

How to pass this Beaer Token in the web Socket as per the doc there is no standard way to pass custom header

Tried URI Query Parameter access_token= Bearer TOKEN in the API query it doesn't work and the Authentication denied with 403

wss://api.0cloud0.com/api/v1/namespaces/ba410a7474380169a5ae230d8e784535/pods/txaclqhshg-%206f69577c74-jxbwn/exec?stdout=1&stdin=1&stderr=1&tty=1&command=%2Fbin%2Fsh&command=-i&access_token=$TOKEN

Answer 1

I never used websocket with kubernetes before, but here is the documentation about the token authentication method for websocket browser clients https://github.com/kubernetes/kubernetes/pull/47740

You must to send token in subprotocol parameter with the token encoded in base64.

So it should be:

wscat  -s "base64url.bearer.authorization.k8s.io.$TOKEN_IN_BASE64","base64.binary.k8s.io" -c "wss://api.0cloud0.com/api/v1/namespaces/ba410a7474380169a5ae230d8e784535/pods/txaclqhshg
-6f69577c74-jxbwn/exec?stdin=1&stdout=1&stderr=1&tty=1&command=sh"