Set up local kubectl with Rancher

10/1/2019

I have copied the Rancher config file to my local kube config, and once I tried to connect, I got an error:

Unable to connect to the server: x509: certificate signed by unknown authority

I'm not an admin of this cluster, and can't really change settings. So I googled that I can add

insecure-skip-tls-verify: true

And I removed the certificates, leaving only the username and token, and it started to work.

Can you explain to me whether it is safe to use it like this, and why we need certs at all if it could work without them as well?

-- ogbofjnr
devops
kubernetes
rancher

1 Answer

10/1/2019

You may treat it as an additional layer of security. If you allow someone (in this case yourself) to connect to the cluster and manage it without needing a proper certificate, just keep in mind that you allow it for everyone else.

insecure-skip-tls-verify: true

is pretty self-explanatory - yes, it's insecure as it skips TLS verification, and it is not recommended in production. As you can read in the documentation:

--insecure-skip-tls-verify If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure

Username and token provide some level of security, as they are still required to be able to connect, but they have nothing to do with establishing a secure, trusted connection. By default this can only be done by clients who also have a proper certificate. If you don't want to skip TLS verification, you may want to try this solution. Only for Kubernetes >= 1.15, use the command kubeadm alpha certs renew all.

You can read more about managing TLS certificates in a Kubernetes cluster here.

-- mario
Source: StackOverflow
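
An added example, not part of the question or answer above: a Python audit of a kubeconfig that reports, per cluster, whether the server certificate is verified and which users' tokens or passwords would be sent over a connection whose server identity is not checked. It reads the JSON form of a kubeconfig (the shape `kubectl config view --raw -o json` prints); the cluster names, URLs, users and token in SAMPLE are constructed, and `audit_kubeconfig` is a hypothetical helper name.

```python
import json

# Constructed sample in the JSON shape of a kubeconfig; all values are made up.
SAMPLE = json.dumps({
    "clusters": [
        {"name": "rancher-dev", "cluster": {
            "server": "https://rancher.example.internal",
            "insecure-skip-tls-verify": True}},
        {"name": "rancher-prod", "cluster": {
            "server": "https://rancher.example.internal",
            "certificate-authority-data": "PLACEHOLDER_BASE64_CA"}},
        {"name": "public-ca", "cluster": {"server": "https://k8s.example.com"}},
    ],
    "users": [
        {"name": "dev-user", "user": {"token": "CONSTRUCTED-TOKEN"}},
        {"name": "prod-user", "user": {"token": "CONSTRUCTED-TOKEN"}},
    ],
    "contexts": [
        {"name": "dev", "context": {"cluster": "rancher-dev", "user": "dev-user"}},
        {"name": "prod", "context": {"cluster": "rancher-prod", "user": "prod-user"}},
    ],
})

def audit_kubeconfig(text):
    """Return a (cluster, status, exposed_users) tuple for every cluster entry."""
    cfg = json.loads(text)
    # Credentials that travel to the server inside the TLS session.
    sent = ("token", "password")
    has_secret = {u["name"]: any((u.get("user") or {}).get(k) for k in sent)
                  for u in cfg.get("users") or []}
    results = []
    for entry in cfg.get("clusters") or []:
        c = entry.get("cluster") or {}
        if not c.get("server", "").startswith("https://"):
            status = "no-tls"
        elif c.get("insecure-skip-tls-verify"):
            status = "unverified"          # server certificate is never checked
        elif c.get("certificate-authority-data") or c.get("certificate-authority"):
            status = "pinned-ca"           # verified against the cluster's own CA
        else:
            status = "system-trust-store"  # fails with x509 errors for a private CA
        exposed = []
        if status in ("no-tls", "unverified"):
            exposed = sorted({x["context"]["user"] for x in cfg.get("contexts") or []
                              if x["context"].get("cluster") == entry["name"]
                              and has_secret.get(x["context"]["user"])})
        results.append((entry["name"], status, exposed))
    return results

if __name__ == "__main__":
    for name, status, exposed in audit_kubeconfig(SAMPLE):
        print(f"{name}: {status} exposed={exposed}")
```

A cluster reported as `system-trust-store` with a privately signed certificate is the situation that produces the "certificate signed by unknown authority" error; restoring `certificate-authority-data` for that cluster keeps verification on.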