 

x509 certificate signed by unknown authority- Kubernetes


I am configuring a Kubernetes cluster with 2 nodes in CoreOS as described in https://coreos.com/kubernetes/docs/latest/getting-started.html without flannel. Both servers are in the same network.

But I am getting: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-ca") while running kubelet on the worker.

I configured the TLS certificates properly on both the servers as discussed in the doc.

The master node is working fine, and kubectl is able to fire containers and pods on the master.

Question 1: How to fix this problem?

Question 2: Is there any way to configure a cluster without TLS certificates?

CoreOS version:

VERSION=899.15.0
VERSION_ID=899.15.0
BUILD_ID=2016-04-05-1035
PRETTY_NAME="CoreOS 899.15.0"

Etcd conf:

$ etcdctl member list
ce2a822cea30bfca: name=78c2c701d4364a8197d3f6ecd04a1d8f peerURLs=http://localhost:2380,http://localhost:7001 clientURLs=http://172.24.0.67:2379

Master: kubelet.service:

[Service]
ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
Environment=KUBELET_VERSION=v1.2.2_coreos.0
ExecStart=/opt/bin/kubelet-wrapper \
  --api-servers=http://127.0.0.1:8080 \
  --register-schedulable=false \
  --allow-privileged=true \
  --config=/etc/kubernetes/manifests \
  --hostname-override=172.24.0.67 \
  --cluster-dns=10.3.0.10 \
  --cluster-domain=cluster.local
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

Master: kube-controller.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kube-controller-manager
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-controller-manager
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - controller-manager
    - --master=http://127.0.0.1:8080
    - --leader-elect=true
    - --service-account-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    - --root-ca-file=/etc/kubernetes/ssl/ca.pem
    livenessProbe:
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10252
      initialDelaySeconds: 15
      timeoutSeconds: 1
    volumeMounts:
    - mountPath: /etc/kubernetes/ssl
      name: ssl-certs-kubernetes
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/ssl
    name: ssl-certs-kubernetes
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host

Master: kube-proxy.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-proxy
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - proxy
    - --master=http://127.0.0.1:8080
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host

Master: kube-apiserver.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-apiserver
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - apiserver
    - --bind-address=0.0.0.0
    - --etcd-servers=http://172.24.0.67:2379
    - --allow-privileged=true
    - --service-cluster-ip-range=10.3.0.0/24
    - --secure-port=443
    - --advertise-address=172.24.0.67
    - --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
    - --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
    - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    - --client-ca-file=/etc/kubernetes/ssl/ca.pem
    - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    ports:
    - containerPort: 443
      hostPort: 443
      name: https
    - containerPort: 8080
      hostPort: 8080
      name: local
    volumeMounts:
    - mountPath: /etc/kubernetes/ssl
      name: ssl-certs-kubernetes
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/ssl
    name: ssl-certs-kubernetes
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host

Master: kube-scheduler.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kube-scheduler
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-scheduler
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - scheduler
    - --master=http://127.0.0.1:8080
    - --leader-elect=true
    livenessProbe:
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10251
      initialDelaySeconds: 15
      timeoutSeconds: 1

Slave: kubelet.service

[Service]
ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
Environment=KUBELET_VERSION=v1.2.2_coreos.0
ExecStart=/opt/bin/kubelet-wrapper \
  --api-servers=https://172.24.0.67:443 \
  --register-node=true \
  --allow-privileged=true \
  --config=/etc/kubernetes/manifests \
  --hostname-override=172.24.0.63 \
  --cluster-dns=10.3.0.10 \
  --cluster-domain=cluster.local \
  --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml \
  --tls-cert-file=/etc/kubernetes/ssl/worker.pem \
  --tls-private-key-file=/etc/kubernetes/ssl/worker-key.pem
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

Slave: kube-proxy.yaml

apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-proxy
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - proxy
    - --master=https://172.24.0.67:443
    - --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml
    - --proxy-mode=iptables
    securityContext:
      privileged: true
    volumeMounts:
      - mountPath: /etc/ssl/certs
        name: "ssl-certs"
      - mountPath: /etc/kubernetes/worker-kubeconfig.yaml
        name: "kubeconfig"
        readOnly: true
      - mountPath: /etc/kubernetes/ssl
        name: "etc-kube-ssl"
        readOnly: true
  volumes:
    - name: "ssl-certs"
      hostPath:
        path: "/usr/share/ca-certificates"
    - name: "kubeconfig"
      hostPath:
        path: "/etc/kubernetes/worker-kubeconfig.yaml"
    - name: "etc-kube-ssl"
      hostPath:
        path: "/etc/kubernetes/ssl"
asked Apr 29 '16 13:04 by Nakshatra
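The message in the question is emitted by Go's crypto/x509 package, which is what the kubelet uses to check the apiserver's certificate against the certificate-authority file named in its kubeconfig. The hint "while trying to verify candidate authority certificate "kube-ca"" means the worker's CA file does contain a certificate whose name matches the issuer of apiserver.pem, but its key does not verify the signature: a CA with the same CN but a different key, which is what you get by running the CA-generation steps of the guide on both machines instead of copying the master's ca.pem. The program below is an added example, not code from the question, the answer or the CoreOS guide. It builds two "kube-ca" roots in memory, signs an apiserver certificate with the first, and verifies it against each; the address 172.24.0.67 and the CN "kube-ca" come from the question, everything else (ECDSA keys, validity window, serial numbers) is constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on err: the only setup steps that can fail are key generation and signing.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a CA when isCA is set (like the guide's kube-ca), else an apiserver cert for ip.
func template(cn string, isCA bool, ip net.IP) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.IPAddresses = []net.IP{ip}
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and signs it with parentKey;
// with parent == nil the certificate is self-signed, i.e. a root CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyAgainstCA does what the kubelet does with the certificate-authority in its kubeconfig:
// trust only the roots in caPEM and validate serverPEM for the address being dialed.
func VerifyAgainstCA(caPEM, serverPEM []byte, addr string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("no CA certificate found in PEM input")
	}
	block, _ := pem.Decode(serverPEM)
	if block == nil {
		return errors.New("no server certificate found in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: addr})
	return err
}

// IsUnknownAuthority reports whether err is the chain-building failure behind
// "x509: certificate signed by unknown authority".
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Demo reproduces the question: apiserver.pem is signed by the master's kube-ca, but the
// worker's ca.pem is a different kube-ca (same CN, different key). Both CAs are constructed here.
func Demo() (matched, mismatched error) {
	const apiserverIP = "172.24.0.67" // master address from the question
	pemOf := func(c *x509.Certificate) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}) }
	masterCA, masterKey := issue(template("kube-ca", true, nil), nil, nil)
	workerCA, _ := issue(template("kube-ca", true, nil), nil, nil) // regenerated on the worker: new key
	apiserver, _ := issue(template("kube-apiserver", false, net.ParseIP(apiserverIP)), masterCA, masterKey)
	matched = VerifyAgainstCA(pemOf(masterCA), pemOf(apiserver), apiserverIP)
	mismatched = VerifyAgainstCA(pemOf(workerCA), pemOf(apiserver), apiserverIP)
	return matched, mismatched
}

func main() {
	matched, mismatched := Demo()
	fmt.Printf("worker trusts the signing CA:  %v\nworker trusts another kube-ca: %v\n", matched, mismatched)
}
```

Running it prints nil for the first case and the familiar "x509: certificate signed by unknown authority (possibly because of ... while trying to verify candidate authority certificate "kube-ca")" for the second. To apply the same check to a real cluster, feed VerifyAgainstCA the bytes of the worker's /etc/kubernetes/ssl/ca.pem and the master's /etc/kubernetes/ssl/apiserver.pem with the address the worker dials; if it fails, replace the worker's ca.pem with a copy of the master's rather than generating a new CA on the worker. On the second question: the master's own components in the question talk to the apiserver over the unauthenticated localhost port 8080, and anything that can reach such a port has full control of the cluster, so dropping TLS for the worker trades a fixable trust-store mistake for an unauthenticated control plane.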




1 Answer

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
answered Sep 20 '22 11:09 by yasin lachini