Kubectl with Cloudflare Access procedure doesn't work

Hi dear community,
I’ve just tried the procedure outlined here https://developers.cloudflare.com/access/other-protocols/kubectl/ to get my K8S cluster working with Cloudflare access.

I found out that when the first command is run and a web page is opened to get the token, the procedure doesn’t work:

> cloudflared tunnel --hostname k8s-dev.test.net --url tcp://my.kubernetes.ip:443 --socks5=true 
...
....

> cloudflared access tcp --hostname k8s-dev.test.net --url 127.0.0.1:9999
INFO[0000] Start Websocket listener on: 127.0.0.1:9999  


> alias kubeone="env  HTTPS_PROXY=socks5://127.0.0.1:9999 kubectl"
> kubeone get ns

Failed to connect to proxy URL: "http://socks5://127.0.0.1:9999"

Failed to connect to proxy URL: "http://socks5://127.0.0.1:9999"

Failed to connect to proxy URL: "http://socks5://127.0.0.1:9999"

Failed to connect to proxy URL: "http://socks5://127.0.0.1:9999"

Failed to connect to proxy URL: "http://socks5://127.0.0.1:9999"
Unable to connect to the server: getting credentials: exec: exit status 255

But if I redo the same things with the last alias changed to HTTP_PROXY:

> cloudflared tunnel --hostname k8s-dev.test.net --url tcp://my.kubernetes.ip:443 --socks5=true 
...
....

> cloudflared access tcp --hostname k8s-dev.test.net --url 127.0.0.1:9999
INFO[0000] Start Websocket listener on: 127.0.0.1:9999  
A browser window should have opened at the following URL:

https://k8s-dev.test.net/cdn-cgi/access/cli?redirect_url=........

If the browser failed to open, please visit the URL above directly in your browser.



> alias kubeone="env  HTTP_PROXY=socks5://127.0.0.1:9999 kubectl"
> kubeone get ns
NAME              STATUS   AGE
default           Active   19h
...

At this point I can change the alias back to HTTPS_PROXY and everything will work as expected. Something is going weird with the proxy and the authentication phase.
Can you please advise on it?
Best Regards

In my case using EKS, the problem was that the .kube/config was configured to call aws eks get-token and this command doesn’t work with HTTPS_PROXY set. The quick fix was to set the variable to nothing in the .kube/config and it seems to still work with the kubeone alias:

- name: arn:aws:eks:us-west-1:111111111111:cluster/test-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-west-1
      - eks
      - get-token
      - --cluster-name
      - test-cluster
      command: aws
      env:
      - name: AWS_PROFILE
        value: my-profile
      - name: HTTPS_PROXY
        value: ""
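An added example, not part of either post: a Python check that finds every exec credential plugin in a kubeconfig that would inherit `HTTPS_PROXY` from the `kubeone` alias, and applies the empty-value override from the reply above. It assumes the kubeconfig has been exported as JSON (for instance with `kubectl config view --raw -o json`); the function names and the sample data are constructed for illustration.

```python
import copy
import json

PROXY_VAR = "HTTPS_PROXY"

# Constructed sample: JSON form of a kubeconfig, modelled on the fragment above.
SAMPLE = json.loads("""
{"users": [
  {"name": "arn:aws:eks:us-west-1:111111111111:cluster/test-cluster",
   "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1alpha1",
                     "command": "aws",
                     "args": ["--region", "us-west-1", "eks", "get-token",
                              "--cluster-name", "test-cluster"],
                     "env": [{"name": "AWS_PROFILE", "value": "my-profile"}]}}},
  {"name": "static-token-user", "user": {"token": "REDACTED"}}
]}
""")


def exec_users_inheriting_proxy(cfg):
    """Names of users whose exec plugin has no explicit HTTPS_PROXY entry,
    so the plugin sees whatever value kubectl itself was started with."""
    names = []
    for entry in cfg.get("users") or []:
        plugin = (entry.get("user") or {}).get("exec")
        if plugin is None:
            continue  # token/certificate users run no helper command
        env = plugin.get("env") or []
        if not any(e.get("name") == PROXY_VAR for e in env):
            names.append(entry["name"])
    return names


def pin_empty_proxy(cfg):
    """Return a copy where each such exec plugin gets HTTPS_PROXY="" in env."""
    patched = copy.deepcopy(cfg)
    flagged = set(exec_users_inheriting_proxy(patched))
    for entry in patched.get("users") or []:
        if entry["name"] in flagged:
            plugin = entry["user"]["exec"]
            plugin["env"] = (plugin.get("env") or []) + [{"name": PROXY_VAR, "value": ""}]
    return patched


if __name__ == "__main__":
    print("inherits proxy:", exec_users_inheriting_proxy(SAMPLE))
    print(json.dumps(pin_empty_proxy(SAMPLE)["users"][0]["user"]["exec"]["env"], indent=2))
```

The override is scoped to the credential helper only, so `kubectl` itself still reaches the API server through the SOCKS5 listener set by the alias.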