From f5b3491d7f603e8783201819a5e3cc6aad7bcf0e Mon Sep 17 00:00:00 2001
From: zryfish
Date: Thu, 27 Aug 2020 22:51:00 +0800
Subject: [PATCH] fix unauthorized if using token kubeconfig (#2930)
Signed-off-by: Jeff
---
 pkg/apiserver/dispatch/dispatch.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pkg/apiserver/dispatch/dispatch.go b/pkg/apiserver/dispatch/dispatch.go
index e764ccdaa..ae7cdf59e 100644
--- a/pkg/apiserver/dispatch/dispatch.go
+++ b/pkg/apiserver/dispatch/dispatch.go
@@ -153,6 +153,12 @@ func (c *clusterDispatch) Dispatch(w http.ResponseWriter, req *http.Request, han
 // req.Header['Authorization'] before authentication.
 req.Header.Set("X-KubeSphere-Authorization", req.Header.Get("Authorization"))
 
+ // If cluster kubeconfig using token authentication, transport will not override authorization header,
+ // this will cause requests reject by kube-apiserver since kubesphere authorization header is not
+ // acceptable. Delete this header is safe since we are using X-KubeSphere-Authorization.
+ // https://github.com/kubernetes/client-go/blob/master/transport/round_trippers.go#L285
+ req.Header.Del("Authorization")
+
 // Dirty trick again. The kube-apiserver apiserver proxy rejects all proxy requests with dryRun parameter
 // https://github.com/kubernetes/kubernetes/pull/66083
 // Really don't understand why they do this. And here we are, bypass with replacing 'dryRun'
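Review bot: The added `req.Header.Del("Authorization")` is only safe because the `req.Header.Set("X-KubeSphere-Authorization", ...)` line directly above it has already copied the caller's credential, and nothing in the hunk records or tests that ordering; if the two statements were ever swapped, the copied header would be empty and the request would presumably go out without the caller's identity. I would state the invariant in the new comment, e.g. `// Must stay after the X-KubeSphere-Authorization copy above: the caller's credential now travels only in that header.` The diffstat shows only dispatch.go changed, so a test on Dispatch asserting that the forwarded request has no Authorization header and a populated X-KubeSphere-Authorization would pin the fix. The client-go reference points at `blob/master` with a line anchor, which will drift as that file changes; a commit permalink keeps it meaningful. Dispatch's body starts and ends outside the hunk, so whether every forwarding path reaches these lines cannot be confirmed from here.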