Description
Issue Description
After upgrading from @kubernetes/client-node 0.22.3 to 1.2.0 in a VS Code extension, all API calls are being sent without authentication headers. As a result, requests are processed as system:anonymous and fail with 403 Forbidden errors. The exact same code works correctly with version 0.22.3.
Reproduction
-
Create a minimal VS Code extension that:
- Loads the user’s kubeconfig using
KubeConfig.loadFromDefault() - Creates an API client with
kc.makeApiClient(k8s.CoreV1Api) - Makes a simple call to
listNamespace()
- Loads the user’s kubeconfig using
-
Run the extension against a cluster where the kubeconfig user has permission to list namespaces.
Behavior:
-
0.22.3: Returns the list of namespaces as expected.
-
1.2.0: Server responds with:
{ "message": "namespaces is forbidden: User \"system:anonymous\" cannot list resource \"namespaces\" in API group \"\" at the cluster scope" }
Debugging Steps Taken
- Verified the kubeconfig is loaded correctly via logs (context, cluster, user information present).
- Sanitized and printed the exported config to confirm credentials are present.
- Added debug middleware to log HTTP requests, confirming requests are sent to the correct server but without authentication headers.
- Tested both direct API client creation and using the
makeApiClient()method. - Confirmed that rolling back to 0.22.3 with identical code resolves the issue.
Environment
-
TypeScript: 5.8.3
-
ts-loader: 9.5.2
-
VS Code Extension: Bundled with Webpack
-
Node.js: v22.16.0
-
tsconfig.json: Targets ES6 modules with
esModuleInteropenabled -
Webpack config:
module.exports = { target: 'node', entry: './src/extension.ts', output: { path: path.resolve(__dirname, 'dist'), filename: 'extension.js', libraryTarget: 'commonjs2', devtoolModuleFilenameTemplate: '../[resource-path]' }, devtool: 'source-map', externals: { vscode: 'commonjs vscode', bufferutil: 'commonjs bufferutil', 'utf-8-validate': 'commonjs utf-8-validate' }, plugins: [ new webpack.IgnorePlugin({ resourceRegExp: /^electron$/ }) ], resolve: { extensions: ['.ts', '.js', '.json'] }, module: { rules: [ { test: /\.ts$/, exclude: /node_modules/, use: 'ts-loader' } ] }, node: { __dirname: false } };
Question
Is there a breaking change in the authentication handling between versions 0.22.3 and 1.2.0 that requires additional configuration when used in a webpack-bundled VS Code extension? How can I ensure the client includes authentication headers in requests?
Relevant Code
import * as vscode from 'vscode';
import * as k8s from '@kubernetes/client-node';
export function activate(context: vscode.ExtensionContext) {
const cmd = vscode.commands.registerCommand('minimal-k8s.listNamespaces', async () => {
// Load kubeconfig (from KUBECONFIG or ~/.kube/config)
const kc = new k8s.KubeConfig();
kc.loadFromDefault();
// Create CoreV1 API client
const api = kc.makeApiClient(k8s.CoreV1Api);
// List namespaces
try {
const res = await api.listNamespace();
const names = res.body.items.map(ns => ns.metadata?.name).filter(Boolean) as string[];
vscode.window.showInformationMessage(`Namespaces: ${names.join(', ')}`);
} catch (err: any) {
vscode.window.showErrorMessage(`Failed to list namespaces: ${err.message}`);
}
});
context.subscriptions.push(cmd);
}
export function deactivate() {}