Authentication failed — missing or invalid token
Production Risk
Automated pipelines and operators using expired credentials will fail all API calls.
A 401 Unauthorized response from the Kubernetes API server means the request could not be authenticated. The server could not identify who is making the request. This is different from 403 Forbidden (authenticated but not authorised). Common causes include expired kubeconfig credentials, an invalid bearer token, or a missing service account token.
- 1kubeconfig contains an expired or revoked token or certificate
- 2Bearer token in the Authorization header is malformed or missing
- 3Service account token has been rotated but the pod is using a stale mounted token
- 4Client certificate CN does not match an expected user identity
kubectl commands return "Unauthorized" or in-cluster API calls return HTTP 401.
kubectl get pods # error: You must be logged in to the server (Unauthorized) # Check current kubeconfig context kubectl config current-context kubectl auth whoami
expected output
error: You must be logged in to the server (Unauthorized)
Fix 1
Refresh kubeconfig credentials
WHEN Using cloud-managed cluster (GKE, EKS, AKS)
# GKE gcloud container clusters get-credentials <cluster-name> --region <region> # EKS aws eks update-kubeconfig --name <cluster-name> --region <region> # AKS az aks get-credentials --resource-group <rg> --name <cluster-name>
Why this works
Re-fetches fresh cluster credentials and updates the kubeconfig with a valid token.
Fix 2
Verify the current context and user
WHEN Wrong kubeconfig context may be active
kubectl config get-contexts kubectl config use-context <correct-context> kubectl auth whoami
Why this works
Ensures the active context points to the correct cluster with valid credentials.
Kubernetes Documentation
Content generated with AI assistance and reviewed for accuracy. Found an error? hello@errcodes.dev