I am configuring a Kubernetes cluster with 2 nodes in CoreOS as described in https://coreos.com/kubernetes/docs/latest/getting-started.html without flannel. Both servers are in the same network.
But I am getting: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kube-ca") while running kubelet in worker.
I configured the TLS certificates properly on both the servers as discussed in the doc.
The master node is working fine, and kubectl is able to fire up containers and pods on the master.
Question 1: How to fix this problem?
Question 2: Is there any way to configure a cluster without TLS certificates?
CoreOS version:
VERSION=899.15.0
VERSION_ID=899.15.0
BUILD_ID=2016-04-05-1035
PRETTY_NAME="CoreOS 899.15.0"
Etcd conf:
$ etcdctl member list
ce2a822cea30bfca: name=78c2c701d4364a8197d3f6ecd04a1d8f peerURLs=http://localhost:2380,http://localhost:7001 clientURLs=http://172.24.0.67:2379
Master: kubelet.service:
[Service]
ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
Environment=KUBELET_VERSION=v1.2.2_coreos.0
ExecStart=/opt/bin/kubelet-wrapper \
  --api-servers=http://127.0.0.1:8080 \
  --register-schedulable=false \
  --allow-privileged=true \
  --config=/etc/kubernetes/manifests \
  --hostname-override=172.24.0.67 \
  --cluster-dns=10.3.0.10 \
  --cluster-domain=cluster.local
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
Master: kube-controller.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-controller-manager
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-controller-manager
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - controller-manager
    - --master=http://127.0.0.1:8080
    - --leader-elect=true
    - --service-account-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    - --root-ca-file=/etc/kubernetes/ssl/ca.pem
    livenessProbe:
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10252
      initialDelaySeconds: 15
      timeoutSeconds: 1
    volumeMounts:
    - mountPath: /etc/kubernetes/ssl
      name: ssl-certs-kubernetes
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/ssl
    name: ssl-certs-kubernetes
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host
Master: kube-proxy.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-proxy
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - proxy
    - --master=http://127.0.0.1:8080
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host
Master: kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-apiserver
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - apiserver
    - --bind-address=0.0.0.0
    - --etcd-servers=http://172.24.0.67:2379
    - --allow-privileged=true
    - --service-cluster-ip-range=10.3.0.0/24
    - --secure-port=443
    - --advertise-address=172.24.0.67
    - --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota
    - --tls-cert-file=/etc/kubernetes/ssl/apiserver.pem
    - --tls-private-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    - --client-ca-file=/etc/kubernetes/ssl/ca.pem
    - --service-account-key-file=/etc/kubernetes/ssl/apiserver-key.pem
    ports:
    - containerPort: 443
      hostPort: 443
      name: https
    - containerPort: 8080
      hostPort: 8080
      name: local
    volumeMounts:
    - mountPath: /etc/kubernetes/ssl
      name: ssl-certs-kubernetes
      readOnly: true
    - mountPath: /etc/ssl/certs
      name: ssl-certs-host
      readOnly: true
  volumes:
  - hostPath:
      path: /etc/kubernetes/ssl
    name: ssl-certs-kubernetes
  - hostPath:
      path: /usr/share/ca-certificates
    name: ssl-certs-host
Master: kube-scheduler.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-scheduler
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-scheduler
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - scheduler
    - --master=http://127.0.0.1:8080
    - --leader-elect=true
    livenessProbe:
      httpGet:
        host: 127.0.0.1
        path: /healthz
        port: 10251
      initialDelaySeconds: 15
      timeoutSeconds: 1
Slave: kubelet.service
[Service]
ExecStartPre=/usr/bin/mkdir -p /etc/kubernetes/manifests
Environment=KUBELET_VERSION=v1.2.2_coreos.0
ExecStart=/opt/bin/kubelet-wrapper \
  --api-servers=https://172.24.0.67:443 \
  --register-node=true \
  --allow-privileged=true \
  --config=/etc/kubernetes/manifests \
  --hostname-override=172.24.0.63 \
  --cluster-dns=10.3.0.10 \
  --cluster-domain=cluster.local \
  --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml \
  --tls-cert-file=/etc/kubernetes/ssl/worker.pem \
  --tls-private-key-file=/etc/kubernetes/ssl/worker-key.pem
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
Slave: kube-proxy.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-proxy
  namespace: kube-system
spec:
  hostNetwork: true
  containers:
  - name: kube-proxy
    image: quay.io/coreos/hyperkube:v1.2.2_coreos.0
    command:
    - /hyperkube
    - proxy
    - --master=https://172.24.0.67:443
    - --kubeconfig=/etc/kubernetes/worker-kubeconfig.yaml
    - --proxy-mode=iptables
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: "ssl-certs"
    - mountPath: /etc/kubernetes/worker-kubeconfig.yaml
      name: "kubeconfig"
      readOnly: true
    - mountPath: /etc/kubernetes/ssl
      name: "etc-kube-ssl"
      readOnly: true
  volumes:
  - name: "ssl-certs"
    hostPath:
      path: "/usr/share/ca-certificates"
  - name: "kubeconfig"
    hostPath:
      path: "/etc/kubernetes/worker-kubeconfig.yaml"
  - name: "etc-kube-ssl"
    hostPath:
      path: "/etc/kubernetes/ssl"
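The error quoted in the question ("crypto/rsa: verification error" while verifying candidate authority "kube-ca") is what the Go TLS stack reports when the worker's trusted ca.pem has the same subject name as the CA that signed the apiserver certificate but is not the same key, typically because the CA was regenerated after the apiserver certificate was issued. The following script is an added example, not part of the original question or of the CoreOS guide; it builds a throwaway lab with openssl (two unrelated CAs that both carry CN=kube-ca, and an apiserver certificate signed by only one of them) and shows a check that catches the mismatch by signature, not by name. All file names are constructed for the lab.

```shell
#!/bin/sh
# Added example (not from the original post): does the CA a worker trusts
# actually sign the apiserver certificate? A name match alone is not enough.

# Subject of a certificate, e.g. "CN = kube-ca" (OpenSSL 1.1.1+ output format).
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }

# Issuer recorded in a certificate; a matching name is only a candidate CA.
issuer_of() { openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'; }

# Exit 0 only if the CA in $2 cryptographically verifies the certificate in $1.
verify_signed_by() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Diagnose one worker: $1 = the ca.pem it trusts, $2 = the apiserver cert.
check_worker_trust() {
  if verify_signed_by "$2" "$1"; then
    echo "ok: $1 signed $2"
    return 0
  fi
  if [ "$(issuer_of "$2")" = "$(subject_of "$1")" ]; then
    echo "MISMATCH: CA name matches but signature fails (regenerated or stale CA?)"
  else
    echo "MISMATCH: $2 was issued by '$(issuer_of "$2")', not '$(subject_of "$1")'"
  fi
  return 1
}

# Build the constructed lab: two unrelated CAs, both named kube-ca, and an
# apiserver certificate signed by ca.pem only. Prints the lab directory.
make_lab() {
  dir=$(mktemp -d)
  for ca in ca other-ca; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kube-ca" \
      -keyout "$dir/$ca-key.pem" -out "$dir/$ca.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=kube-apiserver" \
    -keyout "$dir/apiserver-key.pem" -out "$dir/apiserver.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/apiserver.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -out "$dir/apiserver.pem" 2>/dev/null
  echo "$dir"
}
```

On a real worker, the certificate to test is the one the apiserver actually presents, which can be captured with `openssl s_client -connect 172.24.0.67:443 -showcerts`, and the CA to test is the certificate-authority file named in /etc/kubernetes/worker-kubeconfig.yaml.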
How to resolve the Docker "x509: certificate signed by unknown authority" error: import the CA certificate used by the registry (the ICP in the original text) into the system trust store, then restart the Docker daemon so that the new trust store takes effect.
Kubernetes provides the certificates.k8s.io API, which lets you provision TLS certificates signed by a Certificate Authority (CA) that you control. This CA and the certificates it issues can be used by your workloads to establish trust.
Use the command "kubectl config set-context my-context --cluster=my-app --namespace=production" to configure per-context parameters. This creates a new context named my-context that points at the cluster my-app and defaults to the production namespace.
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config