
Accessing Kubelet API Microk8s

I want to ask how to access the Kubelet API from a microk8s cluster.

I looked at this URL, and it says that the Kubelet API requires a client certificate. So I called this (from /var/snap/microk8s/current/certs): curl -v https://127.0.0.1:10250 --cert ca.crt --cert-type PEM --cacert ca.crt --key ca.key

But I got an error saying: curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

How do I fix this issue? Also, what is the difference between kubelet.crt, server.crt, and ca.crt in microk8s?

Thank you!

jsishere asked Sep 13 '25 03:09


1 Answer

Try this:

curl --verbose \
  --cert ./server.crt \
  --key ./server.key  \
  --insecure \
  https://127.0.0.1:10250/healthz

The CA cert in the certs directory is not the signer of the cert that :10250 presents to the user. I don't know where the CA cert being presented comes from; it looks like it's rotated, as the issuer is CN=<servername>-ca@1567568834 (hence the --insecure).

The kube-apiserver command line will include the exact path to the kubelet client certs (or they could also be stored in a config file in the new k8s world):

--kubelet-client-certificate --kubelet-client-key

$ pgrep -a kube-apiserver | perl -pe 's/ --/\n --/g'
22071 /snap/microk8s/1247/kube-apiserver
 --cert-dir=/var/snap/microk8s/1247/certs
 --service-cluster-ip-range=10.22.189.0/24
 --authorization-mode=RBAC,Node
 --basic-auth-file=/var/snap/microk8s/1247/credentials/basic_auth.csv
 --service-account-key-file=/var/snap/microk8s/1247/certs/serviceaccount.key
 --client-ca-file=/var/snap/microk8s/1247/certs/ca.crt
 --tls-cert-file=/var/snap/microk8s/1247/certs/server.crt
 --tls-private-key-file=/var/snap/microk8s/1247/certs/server.key
 --kubelet-client-certificate=/var/snap/microk8s/1247/certs/server.crt
 --kubelet-client-key=/var/snap/microk8s/1247/certs/server.key
 --secure-port=16443
 --token-auth-file=/var/snap/microk8s/1247/credentials/known_tokens.csv
 --token-auth-file=/var/snap/microk8s/1247/credentials/known_tokens.csv
 --etcd-servers=https://127.0.0.1:12379
 --etcd-cafile=/var/snap/microk8s/1247/certs/ca.crt
 --etcd-certfile=/var/snap/microk8s/1247/certs/server.crt
 --etcd-keyfile=/var/snap/microk8s/1247/certs/server.key
 --requestheader-client-ca-file=/var/snap/microk8s/1247/certs/front-proxy-ca.crt
 --requestheader-allowed-names=front-proxy-client
 --requestheader-extra-headers-prefix=X-Remote-Extra-
 --requestheader-group-headers=X-Remote-Group
 --requestheader-username-headers=X-Remote-User
 --proxy-client-cert-file=/var/snap/microk8s/1247/certs/front-proxy-client.crt
 --proxy-client-key-file=/var/snap/microk8s/1247/certs/front-proxy-client.key

Matt answered Sep 15 '25 20:09
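
An added example, not part of the original answer or of MicroK8s: a shell script that reads the kubelet client certificate and key paths out of the kube-apiserver arguments, as the answer describes, and prints the issuer of the certificate served on :10250 so it can be compared with the subject of ca.crt. It assumes kube-apiserver runs as its own process on a Linux host; the function names are hypothetical.

```shell
# Added example, not from the original answer. Assumes kube-apiserver runs as
# its own process (as in the pgrep output above) on a Linux host with /proc.

# Read one argument per line on stdin and print the value of --<flag>,
# accepting both "--flag=value" and "--flag value". Returns 1 if absent.
flag_value() {
  local flag="$1" prev="" arg
  while IFS= read -r arg; do
    case "$arg" in
      "--$flag="*) printf '%s\n' "${arg#*=}"; return 0 ;;
    esac
    if [ "$prev" = "--$flag" ]; then printf '%s\n' "$arg"; return 0; fi
    prev="$arg"
  done
  return 1
}

# Arguments of the running kube-apiserver, one per line.
apiserver_args() {
  local pid
  pid="$(pgrep -o kube-apiserver)" || return 1
  tr '\0' '\n' < "/proc/$pid/cmdline"
}

# Issuer and subject of the certificate a TLS endpoint (host:port) presents.
serving_cert_names() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -issuer -subject
}

# Excerpt of the kube-apiserver arguments quoted in the answer, for offline use.
sample_args() {
  cat <<'EOF'
/snap/microk8s/1247/kube-apiserver
--kubelet-client-certificate=/var/snap/microk8s/1247/certs/server.crt
--kubelet-client-key=/var/snap/microk8s/1247/certs/server.key
--secure-port=16443
EOF
}

# Run with --live on the node itself (reading the key file typically needs root).
if [ "${1:-}" = "--live" ]; then
  args="$(apiserver_args)" || exit 1
  cert="$(printf '%s\n' "$args" | flag_value kubelet-client-certificate)" || exit 1
  key="$(printf '%s\n' "$args" | flag_value kubelet-client-key)" || exit 1
  serving_cert_names 127.0.0.1:10250
  # --insecure is kept from the answer: ca.crt does not sign this serving cert.
  curl --verbose --cert "$cert" --key "$key" --insecure https://127.0.0.1:10250/healthz
fi
```

Compare the issuer it prints with the output of `openssl x509 -noout -subject -in ca.crt` to see whether the CA in the certs directory signed the serving certificate.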