
kOps 1.19 reports error "Unauthorized" when interfacing with AWS cluster


As of kOps 1.19 there are two reasons you will suddenly get this error:

  1. If you delete a cluster and reprovision it, your old admin is not removed from the kubeconfig and kOps/kubectl tries to reuse it.
  2. New certificates have a TTL of 18h by default, so you need to reprovision them about once a day.

Both issues above are fixed by running kops export kubecfg --admin.

Note that using the default TLS credentials is discouraged. Consider things like using an OIDC provider instead.
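An added check, not part of this answer or of kOps itself, for telling the two causes apart: kOps stores the admin credential in the kubeconfig as a base64-encoded PEM client certificate, so decoding the users[].user.client-certificate-data value and reading the certificate's notAfter field shows whether the 18h TTL has simply run out. The DER walker below uses only the standard library; the certificate it builds for the demo is a constructed, unsigned placeholder with the given validity window, not a real kOps credential.

```python
import base64
import datetime as dt

def _tlv(data, pos):
    """Parse one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):
    """Walk a DER X.509 certificate to its Validity field and return notAfter as aware UTC."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                      # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)              # validity SEQUENCE
    _, _, pos = _tlv(der, pos)              # notBefore (skipped)
    tag, start, end = _tlv(der, pos)        # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    stamp = dt.datetime.strptime(der[start:end].decode("ascii"), fmt)
    return stamp.replace(tzinfo=dt.timezone.utc)

def check_client_certificate_data(data_b64, now=None):
    """Take a kubeconfig users[].user.client-certificate-data value; return (expiry, still_valid)."""
    blob = base64.b64decode(data_b64)
    if blob.startswith(b"-----BEGIN"):      # kubeconfig embeds the whole PEM file, base64-encoded
        body = b"".join(l for l in blob.splitlines() if not l.startswith(b"-----"))
        blob = base64.b64decode(body)
    expiry = cert_not_after(blob)
    return expiry, expiry > (now or dt.datetime.now(dt.timezone.utc))

ISSUED, TTL = dt.datetime(2021, 1, 15, 8, 0, tzinfo=dt.timezone.utc), dt.timedelta(hours=18)  # constructed demo values
_der = lambda tag, body: bytes([tag, len(body)]) + body   # builds the unsigned placeholder cert below, not a real kOps credential

def build_test_cert(not_before, not_after):
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _der(0x30, b"") + _der(0x30, utc(not_before) + utc(not_after))
               + _der(0x30, b"") + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))

def as_kubeconfig_data(der):
    pem = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
    return base64.b64encode(pem).decode()  # the form kubectl writes into the kubeconfig
```

On a real kubeconfig, feed check_client_certificate_data the output of kubectl config view --raw -o jsonpath='{.users[0].user.client-certificate-data}' (pick the index of the kOps admin user); an expiry in the past means kops export kubecfg --admin is all you need.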


Kubernetes v1.19 removed basic auth support, incidentally making the default kOps credentials unable to authorize. To work around this, we will update our cluster to use a Network Load Balancer (NLB) instead of the default Classic Load Balancer (CLB). The NLB can be accessed with non-deprecated AuthZ mechanisms.

After creating your cluster, but before updating cloud resources (before running with --yes), edit its configuration to use an NLB:

kops edit cluster

Then update your load balancer class to Network:

spec:
  api:
    loadBalancer:
      class: Network

Now update cloud resources with

kops update cluster --yes

And you'll be able to pass AuthZ with kOps on your cluster.

Note that there are several other advantages to using an NLB as well; check the AWS docs for a comparison.

If you have a pre-existing cluster you want to update to an NLB, there are more steps to follow to ensure clients don't start failing AuthZ, to delete old resources, etc. You'll find a better guide for that in the kOps v1.19 release notes.