K
Q

Kubernetes pods cannot access HTTPS sites

7/7/2020

Just installed Kubernetes cluster using kubespray. 3 master nodes and 3 worker nodes + 2 haproxy nodes in front of master nodes with keepalived.

Everything works perfectly except for one thing. When I try to update packages on alpine or ubuntu inside pods:

Ign:1 https://security.debian.org/debian-security buster/updates InRelease          
Ign:2 https://deb.debian.org/debian buster InRelease                                
Err:4 https://security.debian.org/debian-security buster/updates Release                            
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.

Quick debugging revealed that I'm getting self-signed Traefik Default certificate from proxy in K8s

echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

Output:

       Issuer: CN = TRAEFIK DEFAULT CERT
        Validity
            Not Before: Jun 15 14:08:39 2020 GMT
            Not After : Jun 15 14:08:39 2021 GMT
        Subject: CN = TRAEFIK DEFAULT CERT

Is there a way to disable SSL termination?

My installation is a completely fresh install of kubespray from master branch

Kubernetes version: v1.18.5

-- Blz
calico
containers
kubernetes
kubespray
ssl

Similar Questions

kubectl top node `error: metrics not available yet` . Using metrics-server as Heapster Depricated
Why do I need to put ETCDCTL_API=3 in front of etcdctl for etcdctl snapshot save to work?
Serving assets using nginx, kubernetes and docker
How do I use PV and PVC for *reliable* persistent volumes?
Kubernetes drops HTTP connection initialized by node.js / postgres

1 Answer

7/7/2020

Found an issue in /etc/resolv.conf. search list had a domain that was pointing to a server with traefik on it. That domain's DNS zone had *.domain.com record in it. So that was the problem.

-- Blz
Source: StackOverflow