Why does a kubelet communicating with the apiserver over TLS need a password? (v1.3)

7/26/2016

I deployed the apiserver using TLS on the master node and it worked fine; my question appeared when I was deploying the kubelet and trying to communicate with the apiserver. The kubelet conf is as follows:

/opt/bin/kubelet \
  --logtostderr=true \
  --v=0 \
  --api_servers=https://kube-master:6443 \
  --address=0.0.0.0 \
  --port=10250 \
  --allow-privileged=false \
  --tls-cert-file="/var/run/kubernetes/kubelet_client.crt" \
  --tls-private-key-file="/var/run/kubernetes/kubelet_client.key" \
  --kubeconfig="/var/lib/kubelet/kubeconfig"

/var/lib/kubelet/kubeconfig is following:

apiVersion: v1
kind: Config
users:
- name: kubelet
  user:
    client-certificate: /var/run/kubernetes/kubelet_client.crt
    client-key: /var/run/kubernetes/kubelet_client.key
clusters:
- name: kube-cluster
  cluster:
    certificate-authority: /var/run/kubernetes/ca.crt
contexts:
- context:
    cluster: kube-cluster
    user: kubelet
  name: ctx-kube-system
current-context: ctx-kube-system

As I want to achieve the communication using two-way (both client and server) CA authentication and was expecting a fluky reply, but the apiserver asks me to provide a username and password, which I have never used before; some command lines follow:

> kubectl version
> Client Version: version.Info{Major:"1", Minor:"3", GitVersion:"v1.3.2", GitCommit:"9bafa3400a77c14ee50782bb05f9efc5c91b3185", GitTreeState:"clean", BuildDate:"2016-07-17T18:30:39Z", GoVersion:"go1.6.2", Compiler:"gc", Platform:"linux/amd64"}
> Please enter Username: kubelet
> Please enter Password: kubelet
> error: You must be logged in to the server (the server has asked for the client to provide credentials)

I tried all these on the master minion. Could anyone please resolve this conundrum? Thanks in advance.

-- aeolus
kubernetes
ssl

1 Answer

7/26/2016

You have to enable client certificate authorization via the --client-ca-file flag on the apiserver.

From http://kubernetes.io/docs/admin/authentication/:

Client certificate authentication is enabled by passing the --client-ca-file=SOMEFILE option to apiserver. The referenced file must contain one or more certificate authorities to use to validate client certificates presented to the apiserver. If a client certificate is presented and verified, the common name of the subject is used as the user name for the request.

From http://kubernetes.io/docs/admin/kube-apiserver/:

--client-ca-file="": If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.

--cloud-config="": The path to the cloud provider configuration file. Empty string for no configuration file.

-- svenwltr
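The apiserver-side check the answer describes, as an added example that is not part of the answer or of Kubernetes' own code. It builds a constructed CA and client certificate in Go (Kubernetes' own language) and reproduces in `UsernameFromClientCert` what the apiserver does once --client-ca-file is set: verify that the presented certificate chains to a CA in that file and is valid for client authentication, then take the subject CN as the username. The function names `newCA`, `newClientCert` and `UsernameFromClientCert` are the example's own, the certificates are generated in memory as stand-ins for ca.crt and kubelet_client.crt, and the logic is a simplification of the apiserver's authenticator using only the standard crypto/x509 package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// certTemplate is a minimal template shared by the constructed CA and client certs.
func certTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newCA builds a self-signed CA: a constructed stand-in for ca.crt, i.e. the
// file handed to --client-ca-file. Returns the parsed cert, its key and its PEM.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := certTemplate(cn, 1)
	tmpl.IsCA = true
	tmpl.BasicConstraintsValid = true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, nil, err
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// newClientCert issues a client-auth cert signed by ca (a stand-in for
// kubelet_client.crt). Its CN is the identity the apiserver will use as username.
func newClientCert(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := certTemplate(cn, 2)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// UsernameFromClientCert reproduces the apiserver's --client-ca-file check:
// the presented cert must chain to a CA in that file and be usable for client
// authentication; the subject CN is then the username. If that fails, the cert
// yields no identity and the request falls through to the next authenticator,
// which is where the username/password prompt in the question comes from.
func UsernameFromClientCert(clientCAFile, clientCert []byte) (string, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(clientCAFile) {
		return "", errors.New("client-ca-file contains no CA certificates")
	}
	block, _ := pem.Decode(clientCert)
	if block == nil {
		return "", errors.New("client certificate is not PEM encoded")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	_, err = cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("client certificate not signed by a trusted CA: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey, caPEM, err := newCA("kube-ca")
	if err != nil {
		panic(err)
	}
	kubelet, err := newClientCert("kubelet", ca, caKey)
	if err != nil {
		panic(err)
	}
	user, err := UsernameFromClientCert(caPEM, kubelet)
	fmt.Println("signed by the CA in --client-ca-file:", user, err) // kubelet <nil>

	// Same CN, but issued by an unrelated CA: must be rejected, not trusted by name.
	other, otherKey, _, err := newCA("some-other-ca")
	if err != nil {
		panic(err)
	}
	stray, err := newClientCert("kubelet", other, otherKey)
	if err != nil {
		panic(err)
	}
	_, err = UsernameFromClientCert(caPEM, stray)
	fmt.Println("signed by an unrelated CA, rejected:", err != nil) // true
}
```

The second case is the point of the answer: the CN alone proves nothing, only a chain to the CA named in --client-ca-file does, so the CA that signed kubelet_client.crt must be the one the apiserver is started with. The equivalent file-level check on the node, using the paths from the question, is `openssl verify -CAfile /var/run/kubernetes/ca.crt /var/run/kubernetes/kubelet_client.crt`, and `openssl x509 -noout -subject -in /var/run/kubernetes/kubelet_client.crt` shows the CN the apiserver will treat as the username.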
Source: StackOverflow