No IPs in the GKE ca.crt, which results in SSL errors while connecting to the API server

2/1/2017

I looked into the service account ca.crt files that get deployed into the container and they don't contain any SAN with the IP or dns name of the master nodes. This results in SSL errors like: https://0.0.0.0:10250/metrics: x509: cannot validate certificate for 0.0.0.0 because it doesn't contain any IP SANs.

Did anybody else run into this problem? How did you solve it other than allowing insecure SSL?

-- Lukas Eichler
google-kubernetes-engine
kubernetes
ssl

1 Answer

2/2/2017

The ca cert provided by a service account (/run/secrets/kubernetes.io/serviceaccount/ca.crt) is for communicating with the apiserver (served by the master on GKE).

# curl --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt https://kubernetes -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)"
{
  "paths": [
    "/api",
    ...
  ]
}

It looks like you are trying to talk to the kubelet API (port 10250). The kubelet API serves a self-signed cert, so insecure is the only way.

-- CJ Cullen
Source: StackOverflow
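The two failure modes in this thread, reproduced offline as an added example (not code from the question, the answer, or GKE): a constructed cluster CA standing in for the service-account ca.crt, an apiserver cert signed by it, and a self-signed kubelet cert with a DNS SAN but no IP SANs. Go's crypto/x509 is the same code Kubernetes components use, so the "doesn't contain any IP SANs" text comes out of it verbatim. All names, the 10.0.0.1 master IP, the gke-node-1 host name and the PinPool helper are assumptions for the example; pinning the kubelet's served cert is shown as a step beyond the answer, not as something the answer recommends.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Cluster: an apiserver cert signed by the CA in the service-account ca.crt, and a self-signed kubelet cert.
type Cluster struct {
	CAPool    *x509.CertPool    // trust store built from ca.crt
	APIServer *x509.Certificate // signed by the cluster CA
	Kubelet   *x509.Certificate // self-signed, like the kubelet on port 10250
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func template(serial int64, cn string, sans ...string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issue generates a key for tmpl and signs it with signer/parent; a nil signer means self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// NewCluster builds the constructed PKI; every name and IP here is an assumption, not a GKE value.
func NewCluster() Cluster {
	caTmpl := template(1, "cluster-ca")
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage, caTmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	ca, caKey := issue(caTmpl, nil, nil)
	apiTmpl := template(2, "kube-apiserver", "kubernetes", "kubernetes.default", "kubernetes.default.svc")
	apiTmpl.IPAddresses = []net.IP{net.ParseIP("10.0.0.1")} // assumed master IP as an IP SAN
	api, _ := issue(apiTmpl, ca, caKey)
	kubelet, _ := issue(template(3, "gke-node-1", "gke-node-1"), nil, nil) // DNS SAN only, no IP SANs
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return Cluster{CAPool: pool, APIServer: api, Kubelet: kubelet}
}

// Check does what curl --cacert does: chain the served cert to the pool and match the
// dialed name, an IP literal being matched against IP SANs only; it names the outcome.
func Check(pool *x509.CertPool, cert *x509.Certificate, dialed string) (string, error) {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: dialed,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	switch err.(type) {
	case nil:
		return "ok", nil
	case x509.HostnameError: // "... doesn't contain any IP SANs" is reported here
		return "hostname", err
	case x509.UnknownAuthorityError: // served cert does not chain to ca.crt
		return "unknown-authority", err
	}
	return "other", err
}

// PinPool trusts one served certificate fetched out of band, the alternative to
// disabling verification against a self-signed endpoint.
func PinPool(cert *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(cert)
	return p
}

func main() {
	c := NewCluster()
	fmt.Println(Check(c.CAPool, c.APIServer, "kubernetes"))
	fmt.Println(Check(c.CAPool, c.Kubelet, "0.0.0.0"))
	fmt.Println(Check(PinPool(c.Kubelet), c.Kubelet, "gke-node-1"))
}
```

Two things the thread leaves implicit are visible here. First, the CA certificate itself never needs an IP SAN; what the verifier matches against the dialed address is the served (leaf) certificate, so dialing the apiserver by IP only works if that leaf carries the IP as a SAN, while dialing it as `kubernetes` works off the DNS SAN. Second, the kubelet fails for two independent reasons: the IP literal has no IP SAN to match (the exact error in the question, raised before chain building), and even by host name its self-signed cert does not chain to the service-account CA. Trusting that one cert explicitly passes the check without turning verification off.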