K
Q

Kubernetes kube-dns TLS certificate validation

3/23/2017

I'm using kubernetes v1.5.2, and have implemented api over tls. Problem is that while deploying kube-dns I'm getting message on minion as:

Mar 23 10:06:27 node01 journal: I0323 09:06:27.007407       1 dns.go:172]   Ignoring error while waiting for service default/kubernetes: Get  https://10.254.0.1:443/api/v1/namespaces/default/services/kubernetes: x509: cannot validate certificate for 10.254.0.1 because it doesn't contain any IP SANs. Sleeping 1s before retrying.

I've tried by using curl, from another pod and it fails without --insecure switch, whit it it is ok.

I understand that 10.254.0.1:443 actually serves certificate from master node (api on port 6443)(192.168.0.200), but how to resolve it, that 10.254.0.1 serves its valid certificate.

Here is description from clusterip api: [root@master01 dns]# kubectl describe service kubernetes Name: kubernetes Namespace: default Labels: component=apiserver provider=kubernetes Selector: Type: ClusterIP IP: 10.254.0.1 Port: https 443/TCP Endpoints: 192.168.2.200:6443 Session Affinity: ClientIP

Thanks Dubravko

-- dubravko sever
dns
kubernetes

Similar Questions

Kubernetes: Exclude Node from default scheduling
Basic auth for Curl command into the secret of openshift
Bluemix - Failed to get plug-in : Looking up 'container-service' from repository 'Bluemix'
Kubernetes Ingress (GCE) keeps returning 502 error

1 Answer

3/23/2017

If you're using the service IP your API server certificate must have IP:10.254.0.1 as a SAN.

Likewise if you reach the API using the service name kubernetes.default the certificate must have this name as a SAN.

A good practice is to request a certificate with at least the following SAN:

  • IP:(first IP of service CIDR)
  • DNS:kubernetes
  • DNS:kubernetes.default
  • DNS:kubernetes.default.svc
  • DNS:kubernetes.default.svc.cluster.local

Check this util script for reference: util.sh

-- Antoine Cotten
Source: StackOverflow