comments

sky/clouds/kubernetes.py

@@ -132,13 +132,20 @@ def _log_skipped_contexts_once(cls, skipped_contexts: Tuple[str,
     def _existing_allowed_contexts(cls) -> List[Optional[str]]:
         """Get existing allowed contexts.
 
-        If None is returned in the list, it means that the kubeconfig is not
-        found and we may be running in a pod with in-cluster auth. In this
-        case, we use None context that will use the available service account
-        mounted in the pod.
+        If None is returned in the list, it means that we are running in a pod
+        with in-cluster auth. In this case, we specify None context, which will
+        use the service account mounted in the pod.
         """
         all_contexts = kubernetes_utils.get_all_kube_config_context_names()
-        if all_contexts is None:
+        if len(all_contexts) == 0:
+            return []
+        if all_contexts == [None]:
+            # If only one context is found and it is None, we are running in a
+            # pod with in-cluster auth. In this case, we allow it to be used
+            # without checking against allowed_contexts.
+            # TODO(romilb): We may want check in-cluster auth against
+            #  allowed_contexts in the future by adding a special context name
+            #  for in-cluster auth.
             return [None]
         all_contexts = set(all_contexts)
 
@@ -565,9 +572,9 @@ def validate_region_zone(self, region: Optional[str], zone: Optional[str]):
             return region, zone
 
         all_contexts = kubernetes_utils.get_all_kube_config_context_names()
-        if all_contexts is None:
-            # If no context is returned, use the singleton region since we may
-            # be running in a pod with in-cluster auth.
+        if all_contexts == [None]:
+            # If [None] context is returned, use the singleton region since we
+            # are running in a pod with in-cluster auth.
             all_contexts = [kubernetes_utils.IN_CLUSTER_REGION]
         if region not in all_contexts:
             raise ValueError(

sky/provision/kubernetes/utils.py

@@ -820,23 +820,42 @@ def get_current_kube_config_context_name() -> Optional[str]:
     except k8s.config.config_exception.ConfigException:
         return None
 
+def is_incluster_config_available() -> bool:
+    """Check if in-cluster auth is available.
+
+    Note: We cannot use load_incluster_config() to check if in-cluster config
+    is available because it will load the in-cluster config (if available)
+    and modify the current global kubernetes config. We simply check if the
+    service account token file exists to determine if in-cluster config may
+    be available.
+    """
+    return os.path.exists('/var/run/secrets/kubernetes.io/serviceaccount/token')
+
 
-def get_all_kube_config_context_names() -> Optional[List[str]]:
+def get_all_kube_config_context_names() -> List[Optional[str]]:
     """Get all kubernetes context names from the kubeconfig file.
 
+    If running in-cluster, returns [None] to indicate in-cluster config.
+
     We should not cache the result of this function as the admin policy may
     update the contexts.
 
     Returns:
-        List[str] | None: The list of kubernetes context names if it exists,
-            None otherwise
+        List[Optional[str]]: The list of kubernetes context names if
+            available, an empty list otherwise. If running in-cluster,
+            returns [None] to indicate in-cluster config.
     """
     k8s = kubernetes.kubernetes
     try:
         all_contexts, _ = k8s.config.list_kube_config_contexts()
+        # all_contexts will always have at least one context. If kubeconfig
+        # does not have any contexts defined, it will raise ConfigException.
         return [context['name'] for context in all_contexts]
     except k8s.config.config_exception.ConfigException:
-        return None
+        # If running in cluster, return [None] to indicate in-cluster config
+        if is_incluster_config_available():
+            return [None]
+        return []
 
 
 @functools.lru_cache()