Kubectl: Accessing the AKS (Kubernetes) public API endpoint through a corporate SSL-aware proxy

5/6/2019

Has anyone succeeded in getting kubectl to connect to the AKS public API endpoint for their AKS cluster from behind a corporate proxy that does SSL inspection?

When I try to do something like

kubectl get nodes

I get the following error: (edited)

Unable to connect to the server: x509: certificate signed by unknown authority

So it appears my corporate proxy does SSL inspection.

My question would be: Is it at all possible to access the AKS public API via HTTPS through an SSL-interfering proxy, either via another "helper proxy" or other method?

-- Traiano Welcome
azure-kubernetes
kubectl
kubernetes
networking
proxy

1 Answer

5/6/2019

If your corporate proxy performs TLS re-encryption and injects its own certificate into the TLS connection, there are a couple of things you can do:

1) Extract your corporate TLS certificate and paste it into your ~/.kube/config. For that, you'll need to get the corporate certificate using, for example, this command:

openssl s_client -showcerts -connect KUBE_API:443

2) Skip TLS certificate verification in ~/.kube/config:

apiVersion: v1
clusters:
- cluster:
    server: https://KUBE_API:8443
    insecure-skip-tls-verify: true

-- Vasily Angapov
Source: StackOverflow
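
Option 1 from the answer, worked through as an added example (not part of the original post or answer): it takes the top certificate of the chain the proxy presents, refuses it unless it is a CA certificate, and pins it for a single cluster so that TLS verification stays on. The function names, the cluster name and the CA file path are hypothetical, KUBE_API is the answer's placeholder, and the sample s_client output is constructed.

```shell
#!/bin/sh
# Added example; KUBE_API, the cluster name and the CA file path are placeholders.

# Print the last certificate of the "Certificate chain" section of
# `openssl s_client -showcerts` output. s_client prints the leaf a second
# time under "Server certificate", so parsing stops at that heading.
last_chain_cert() {
  awk '
    /^Server certificate/         { exit }
    /-----BEGIN CERTIFICATE-----/ { buf = ""; on = 1 }
    on                            { buf = buf $0 "\n" }
    /-----END CERTIFICATE-----/   { on = 0; last = buf }
    END                           { printf "%s", last }'
}

# Fetch the chain the proxy presents, keep its top certificate only if it is
# a CA, print its fingerprint, then pin it for one cluster in ~/.kube/config.
trust_proxy_ca() {
  host=$1; cluster=$2; ca_file=$3
  openssl s_client -showcerts -connect "$host:443" -servername "$host" \
    </dev/null 2>/dev/null | last_chain_cert > "$ca_file"
  openssl x509 -in "$ca_file" -noout -text | grep -q 'CA:TRUE' || {
    echo "chain holds no CA certificate; obtain the proxy CA from IT" >&2
    return 1
  }
  openssl x509 -in "$ca_file" -noout -subject -fingerprint -sha256
  kubectl config set-cluster "$cluster" \
    --certificate-authority="$ca_file" --embed-certs=true
}

# Constructed s_client output (placeholder bodies, not real certificates).
sample_showcerts() {
  cat <<'EOF'
Certificate chain
 0 s:CN = KUBE_API
   i:CN = Constructed Proxy CA
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
 1 s:CN = Constructed Proxy CA
   i:CN = Constructed Proxy CA
-----BEGIN CERTIFICATE-----
Q0EtUExBQ0VIT0xERVI=
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
EOF
}
```

Run it as `trust_proxy_ca KUBE_API my-aks-cluster ./proxy-ca.pem` and compare the printed SHA-256 fingerprint with the one your IT department publishes for the proxy CA. Unlike option 2, this keeps certificate verification enabled and scopes the extra trust to the one cluster entry.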