
Getting "x509: certificate signed by unknown authority" even with "--insecure-skip-tls-verify" option in Kubernetes

Tags:

kubernetes

I have a private Docker image registry running on a Linux VM (10.78.0.228:5000) and a Kubernetes master running on a different VM running CentOS Linux 7.

I used the below command to create a POD:
kubectl create --insecure-skip-tls-verify -f monitorms-rc.yml

I get this:

sample monitorms-mmqhm 0/1 ImagePullBackOff 0 8m

and upon running: kubectl describe pod monitorms-mmqhm --namespace=sample

Warning Failed Failed to pull image "10.78.0.228:5000/monitorms": Error response from daemon: {"message":"Get https://10.78.0.228:5000/v1/_ping: x509: certificate signed by unknown authority"}

Isn't Kubernetes supposed to ignore the server certificate for all operations during POD creation when the --insecure-skip-tls-verify is passed?

If not, how do I make it ignore the tls verification while pulling the docker image?

PS:

Kubernetes version :

Client Version: v1.5.2 Server Version: v1.5.2

I have raised this issue here: https://github.com/kubernetes/kubernetes/issues/43924

Rushil Paul asked Mar 31 '17 22:03



1 Answer

The issue you're seeing is actually a docker issue. Using --insecure-skip-tls-verify is a valid arg to kubectl, but it only deals with the connection between kubectl and the kubernetes API server. The error you're seeing is actually because the docker daemon cannot log in to the private registry because the cert it's using is unsigned.

Have a look at the Docker insecure registry docs and this should solve your problem.

jaxxstorm answered Sep 18 '22 18:09
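A node-side check for the distinction the answer draws, added here as an example and not part of the original post: it reports how the Docker daemon on a node is set up to treat a registry, so a node that skips verification can be told apart from one that trusts the registry's CA. /etc/docker/daemon.json and /etc/docker/certs.d/<host:port>/ are Docker's standard locations; the function name, the three mode labels and the overridable directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify how this node's Docker daemon will treat a registry.
#   insecure          - listed in "insecure-registries": certificate errors are ignored
#   ca-trusted        - a CA file exists under certs.d/<host:port>/ for this registry
#   system-roots-only - neither; a privately signed registry cert fails with
#                       "x509: certificate signed by unknown authority"
# Limitation: only exact host:port entries in daemon.json are matched; CIDR
# entries and daemon command-line flags are not inspected.

registry_trust_mode() {
    registry="$1"              # e.g. 10.78.0.228:5000
    etc="${2:-/etc/docker}"    # second argument lets the check run on a copied tree

    # Escape dots so the address is matched literally in the regex below.
    esc=$(printf '%s' "$registry" | sed 's/\./\\./g')

    # An insecure-registries entry wins: with it, the daemon ignores certificate
    # errors for that registry, whether or not a CA file is also present.
    if [ -f "$etc/daemon.json" ] &&
       tr -d ' \n\t' < "$etc/daemon.json" |
       grep -Eq "\"insecure-registries\":\[[^]]*\"$esc\""; then
        echo "insecure"
        return 0
    fi

    # Per-registry CA: *.crt files in certs.d/<host:port>/ are used as trusted
    # roots for that registry only. Existence is checked, not certificate validity.
    for crt in "$etc/certs.d/$registry"/*.crt; do
        if [ -f "$crt" ]; then
            echo "ca-trusted"
            return 0
        fi
    done

    echo "system-roots-only"
}

# Stand-alone use: sh check.sh 10.78.0.228:5000 [/path/to/docker/etc]
if [ "$#" -gt 0 ]; then
    registry_trust_mode "$@"
fi
```

Run it on each node that pulls images, since the pull is done by that node's Docker daemon rather than by kubectl.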