I see the below two lines in apiserver parameters,
--kubelet-client-certificate=/srv/kubernetes/kubelet-api.pem
--kubelet-client-key=/srv/kubernetes/kubelet-api-key.pem
I tried to hit kubelet stats api with curl using the api but get an error,
curl --cert kubelet-api.pem --key kubelet-api-key.pem https://ip-x-x-x-x.ec2.internal:10250/stats/summary
curl: (60) SSL certificate problem: self signed certificate in certificate chain
I also tried adding, --cacert with the file present in /srv/kubernetes/ca.crt, but that didn't help.
I also tried to extract the certificates from kops s3 state store, but I found keyset.yaml with privateMaterial and publicMaterial. How can we convert that into certificates?
I don't think the kubelet-api.pem has permissions to get information from /stats/summary.
You need a certificate for a user with permissions for this, and make sure the kubelet configuration file is set correctly.
The default location is this: /var/lib/kubelet/config.yaml. Notice that you will need to do it on each node where you want access to the kubelet.
In some installations this is the default, but if not, make sure.
You want it to disable anonymous requests and allow x509 certificates:
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt
Create a user with a certificate that is signed by your ca.crt.
An example of such a certificate is the default kubernetes admin you have in the kubeconfig file; you can copy and decode them (base64 -d) from the fields client-certificate-data for --cert and client-key-data for --key to files and use them like that:
curl -k https://<node_ip>:10250/stats/summary --cacert /etc/kubernetes/pki/ca.crt --key admin.key --cert admin.crt
You can also use a new open source client for kubelet called kubeletctl with the kubeconfig file like that:
kubeletctl -s <node_ip> stats summary -k <your_kubeconfig_file>
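
The decoding step described in the answer above, as an added example that is not part of the original post: it pulls client-certificate-data and client-key-data out of a kubeconfig, base64-decodes them into admin.crt and admin.key with owner-only permissions, and checks that both look like PEM. The function names and the sample kubeconfig are constructed for illustration, and it assumes the wanted user is the first one in the file.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer): decode the client certificate
# and key embedded in a kubeconfig into PEM files usable with curl --cert/--key.

# extract_field FILE KEY OUT
# Decodes the base64 value of the first "KEY: <value>" line in FILE into OUT.
# Assumption: the wanted user is the first one listed in the kubeconfig.
extract_field() {
  local file="$1" key="$2" out="$3" value
  value=$(awk -v k="$key:" '$1 == k { print $2; exit }' "$file")
  if [ -z "$value" ]; then
    echo "extract_field: $key not found in $file" >&2
    return 1
  fi
  rm -f "$out"
  # umask 077 so the private key is created readable by its owner only.
  ( umask 077; printf '%s' "$value" | base64 -d > "$out" ) ||
    { rm -f "$out"; return 1; }
}

# looks_like_pem FILE: succeeds if the first line of FILE is a PEM header.
looks_like_pem() {
  head -n 1 "$1" | grep -q '^-----BEGIN [A-Z ]*-----$'
}

# kubeconfig_to_pem KUBECONFIG OUTDIR: writes OUTDIR/admin.crt and admin.key.
kubeconfig_to_pem() {
  local cfg="$1" dir="$2"
  mkdir -p "$dir" || return 1
  extract_field "$cfg" client-certificate-data "$dir/admin.crt" || return 1
  extract_field "$cfg" client-key-data "$dir/admin.key" || return 1
  looks_like_pem "$dir/admin.crt" && looks_like_pem "$dir/admin.key"
}

# make_sample_kubeconfig FILE: constructed input with placeholder PEM bodies
# (not real key material), so the functions can be tried offline.
make_sample_kubeconfig() {
  local crt key
  crt=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'ZmFrZQ==' \
        '-----END CERTIFICATE-----' | base64 | tr -d '\n')
  key=$(printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'ZmFrZQ==' \
        '-----END RSA PRIVATE KEY-----' | base64 | tr -d '\n')
  printf 'users:\n- name: sample-admin\n  user:\n' > "$1"
  printf '    client-certificate-data: %s\n' "$crt" >> "$1"
  printf '    client-key-data: %s\n' "$key" >> "$1"
}
```

The resulting admin.crt and admin.key are the files passed to --cert and --key in the curl command above.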