K
Q

K8S (1.9) how to access API server with client certifiicate

12/22/2017

Qustion

How can I access the API server API with the client certificate? Tried below but no success.

export K8S_PKI_HOME=/etc/kubernetes/pki
curl -k --key ${K8S_PKI_HOME}/ca.key --cert ${K8S_PKI_HOME}/ca.crt \
https://localhost:6443/api/v1/componentstatuses

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "componentstatuses is forbidden: User \"kubernetes\" cannot list componentstatuses at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "componentstatuses"
  },
  "code": 403
}

According to X509 Client Certs (Authentication Strategy:

Client certificate authentication is enabled by passing the --client-ca-file=SOMEFILE option to API server.

In the /etc/kubernetes/manifests/kube-apiserver.yaml, --client-ca-file=/etc/kubernetes/pki/ca.crt is specified.

spec:
  containers:
  - command:
    - kube-apiserver
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
-- mon
api
kubernetes
ssl-client-authentication

Similar Questions

Is there a way to make a kubernetes service name set as Prometheus Job name automatically?
Kubernetes Volumes - Dynamic path
How long are kubernetes logs stored?
Connect to mongo service via domain name

2 Answers

12/25/2017

Found the client certificate and key were wrong.

# sudo curl -iv -L \
>      --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt \
>      --key  /etc/kubernetes/pki/apiserver-kubelet-client.key \
>      --cacert /etc/kubernetes/pki/ca.crt \
> https://172.31.4.117:6443/healthz
* About to connect() to 172.31.4.117 port 6443 (#0)
*   Trying 172.31.4.117...
* Connected to 172.31.4.117 (172.31.4.117) port 6443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/kubernetes/pki/ca.crt
  CApath: none
* NSS: client certificate from file
*   subject: CN=kube-apiserver-kubelet-client,O=system:masters
*   start date: Dec 23 05:13:30 2017 GMT
*   expire date: Dec 23 05:13:30 2018 GMT
*   common name: kube-apiserver-kubelet-client
*   issuer: CN=kubernetes
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN=kube-apiserver
*   start date: Dec 23 05:13:30 2017 GMT
*   expire date: Dec 23 05:13:30 2018 GMT
*   common name: kube-apiserver
*   issuer: CN=kubernetes
> GET /healthz HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 172.31.4.117:6443
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 25 Dec 2017 02:10:15 GMT
Date: Mon, 25 Dec 2017 02:10:15 GMT
< Content-Length: 2
Content-Length: 2
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8

< 
* Connection #0 to host 172.31.4.117 left intact
ok
-- mon
Source: StackOverflow
12/22/2017

It appears the client certificate you presented was recognized, and authenticated you as the user "kubernetes".

The error you are receiving is an authorization error, not authentication.

The next step is to ensure that the user is authorized to perform the API calls they are making. How you do that varies depending on which authorization mode your server is using. See https://kubernetes.io/docs/admin/authorization/ for details

-- Jordan Liggitt
Source: StackOverflow