x509 Certificate signed by unknown authority - kubeadm

11/8/2018

I searched the previous posts for this but I can't find the solution, sorry.

I installed metrics-server on kubeadm v1.12 and I get this error from the logs:

1 master node and 1 slave node, in a private network.

Get https://ip-10-0-1-154:10250/stats/summary/: x509: a certificate signed by an unknown authority, unable to fully scrape metrics from source 

I didn't install any certificate.

How can I install a new certificate, and where do I need to change this, without setting up a new Kubernetes cluster?

Sorry for the noob question. I tried to create a new certificate but I cannot make the kubelet change.

-- pioupiou
kubelet
kubernetes
x509

1 Answer

11/9/2018

It's a problem with kubeadm, where it generates the kubelet certificates on the nodes under /var/lib/kubelet/pki (kubelet.crt, kubelet.key) signed by a different CA from the one used for the master(s) under /etc/kubernetes/pki (ca.crt). Some background here. You'll have to regenerate the certificates for your kubelets, signed by the CA on the master(s), /etc/kubernetes/pki/ca.crt.

You can follow something like this, for example using cfssl.

Something like this:

$ mkdir ~/mycerts; cd ~/mycerts
$ cp /etc/kubernetes/pki/ca.crt ca.pem
$ cp /etc/kubernetes/pki/ca.key ca-key.pem

Create a file kubelet-csr.json with something like this:

{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "<your-node-name>",
    "<your-node-ip>",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [{
    "C": "US",
    "ST": "NY",
    "L": "City",
    "O": "Org",
    "OU": "Unit"
  }]
}

Create a ca-config.json file:

{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}

Create a config.json file:

{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}

Generate the certs:

$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
  --config=ca-config.json -profile=kubernetes \
  kubelet-csr.json | cfssljson -bare kubelet

Copy the files to your nodes:

$ scp kubelet.pem <node-ip>:/var/lib/kubelet/pki/kubelet.crt
$ scp kubelet-key.pem <node-ip>:/var/lib/kubelet/pki/kubelet.key

Restart the kubelet on your node:

$ systemctl restart kubelet

PS. Opened this to track the issue.

-- Rico
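The failure in the question, and the effect of the answer's fix, can be reproduced offline with Go's own crypto/x509, the library that produced the `x509: certificate signed by unknown authority` text in the log. The following is an added example, not code from the answer, from kubeadm or from metrics-server: it builds a throwaway CA standing in for /etc/kubernetes/pki/ca.crt and then verifies three kubelet serving certificates the way a scraper that trusts only that CA would: a self-signed one (what kubeadm's default kubelet.crt looks like), one signed by the CA but carrying no SANs, and one signed by the CA with the node hostname and IP as SANs. The hostname ip-10-0-1-154 is taken from the question's log line; the node IP 10.0.1.154 and the scenario names are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue generates a P-256 key for tmpl and has parent/parentKey sign it, or
// self-signs it when parent is nil; it returns the parsed certificate and key.
func issue(tmpl, parent *x509.Certificate, parentKey crypto.Signer) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// kubeletTemplate is a kubelet serving certificate whose SANs are exactly the
// dns names and ips given; Go never falls back to the CN when matching a host.
func kubeletTemplate(node string, dns []string, ips []net.IP) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "system:node:" + node, Organization: []string{"system:nodes"}},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dns, IPAddresses: ips,
	}
}

// verifyAsScraper does what metrics-server's TLS client does when it opens
// https://<host>:10250 trusting only the cluster CA: chain check, then SAN
// check. It returns "verified" or Go's x509 error text as it appears in logs.
func verifyAsScraper(leaf, clusterCA *x509.Certificate, host string) string {
	roots := x509.NewCertPool()
	roots.AddCert(clusterCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	if err != nil {
		return err.Error()
	}
	return "verified"
}

// Demo verifies three kubelet certificates for the hostname in the question's
// log line and returns the verdict for each scenario.
func Demo() (map[string]string, error) {
	const host = "ip-10-0-1-154"       // from the error in the question
	nodeIP := net.ParseIP("10.0.1.154") // assumed node IP, not on the page
	ca, caKey, err := issue(&x509.Certificate{ // stands in for /etc/kubernetes/pki/ca.crt
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "kubernetes"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	kubelet := func(dns []string, ips []net.IP, parent *x509.Certificate, k crypto.Signer) string {
		leaf, _, e := issue(kubeletTemplate(host, dns, ips), parent, k)
		if e != nil {
			err = e
			return ""
		}
		return verifyAsScraper(leaf, ca, host)
	}
	out := map[string]string{
		"kubeadm-default":    kubelet([]string{host}, []net.IP{nodeIP}, nil, nil), // self-signed kubelet.crt
		"ca-signed-no-san":   kubelet(nil, nil, ca, caKey),                        // CN only, no SAN
		"ca-signed-with-san": kubelet([]string{host}, []net.IP{nodeIP}, ca, caKey), // the fix
	}
	return out, err
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(res)
}
```

The middle case is why the `hosts` list in kubelet-csr.json matters: the scraper connects to the name in the URL it logged, and Go checks that name only against the certificate's SANs, never the CN, so the cert can be signed by the right CA and still be rejected. Note that the `cfssl gencert` command in the answer signs with the `kubernetes` profile of ca-config.json; config.json is never passed to cfssl. On a real node, `openssl verify -CAfile /etc/kubernetes/pki/ca.crt kubelet.pem` performs the chain part of this check before you copy the files into /var/lib/kubelet/pki. The answer also copies ca.key off the master into ~/mycerts; that key signs every identity in the cluster, so delete the copy once kubelet.pem has been generated.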
Source: StackOverflow