Where Are TLS Handshake Errors In APISERVER Logs Coming From?


I have a cluster provisioned using KubeSpray on AWS. It has two bastions, one controller, one worker, and one etcd server.

I am seeing endless messages in the APISERVER logs:

http: TLS handshake error from EOF

They come from two IP addresses, and The port numbers change every time.

None of the cluster nodes correspond to those two IP addresses. The subnet cidr ranges are shown below.

Two private and two public cluster subnets

The cluster seems stable. This behavior does not seem to have any negative affect. But I don't like having random HTTPS requests.

How can I debug this issue?

-- David Medinets

1 Answer


They're from the health check configured on the AWS ELB; you can stop those messages by changing the health check configuration to be HTTPS:6443/healthz instead of the likely TCP one it is using now

How can I debug this issue?

Aside from just generally being cognizant of how your cluster was installed, and then observing that those connections come at regular intervals, I would further bet that those two IP addresses belong to the two ENIs that are allocated to the ELB in each public subnet (they'll show up in the Network Interfaces list on the console as "owner: elasticloadbalancer" or something similar)

-- mdaniel
Source: StackOverflow