Where Are TLS Handshake Errors In APISERVER Logs Coming From?

8/1/2020

I have a cluster provisioned using KubeSpray on AWS. It has two bastions, one controller, one worker, and one etcd server.

I am seeing endless messages in the APISERVER logs:

http: TLS handshake error from 10.250.227.53:47302: EOF

They come from two IP addresses, 10.250.227.53 and 10.250.250.158. The port numbers change every time.

None of the cluster nodes correspond to those two IP addresses. The subnet CIDR ranges are shown below.

Two private and two public cluster subnets

The cluster seems stable. This behavior does not seem to have any negative effect. But I don't like having random HTTPS requests.

How can I debug this issue?

-- David Medinets
kube-apiserver
kubernetes

1 Answer

8/2/2020

They're from the health check configured on the AWS ELB; you can stop those messages by changing the health check configuration to be HTTPS:6443/healthz instead of the likely TCP one it is using now.

How can I debug this issue?

Aside from just generally being cognizant of how your cluster was installed, and then observing that those connections come at regular intervals, I would further bet that those two IP addresses belong to the two ENIs that are allocated to the ELB in each public subnet (they'll show up in the Network Interfaces list on the console as "owner: elasticloadbalancer" or something similar).

-- mdaniel
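To confirm the "regular intervals" observation from the answer before touching the ELB, here is an added Python triage script (not from the question or the answer) that groups the `TLS handshake error ... EOF` lines from kube-apiserver output by source IP and checks whether each source fires at a fixed period; the log lines are constructed in klog format using the two IPs from the question, and the year is an assumption since klog lines omit it.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# klog line: "I0801 14:03:10.123456       1 log.go:172] http: TLS handshake error from 10.250.227.53:47302: EOF"
LINE_RE = re.compile(
    r"^[IWEF](?P<mmdd>\d{4}) (?P<time>\d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"http: TLS handshake error from (?P<ip>[\d.]+):(?P<port>\d+): EOF$"
)

def parse_handshake_errors(lines, year=2020):
    """Yield (timestamp, source_ip, source_port) for each matching line; year is assumed."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year}{m['mmdd']} {m['time']}", "%Y%m%d %H:%M:%S")
        yield ts, m["ip"], int(m["port"])

def summarize_by_source(lines, year=2020):
    """Group EOF handshake errors by source IP -> {count, ports, median_interval_s, periodic}."""
    by_ip = defaultdict(list)
    for ts, ip, port in parse_handshake_errors(lines, year):
        by_ip[ip].append((ts, port))
    out = {}
    for ip, events in by_ip.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        median = statistics.median(gaps) if gaps else None
        # A health checker fires on a fixed schedule: 2+ gaps all within 20% of the median.
        periodic = len(gaps) >= 2 and all(abs(g - median) <= 0.2 * median for g in gaps)
        out[ip] = {"count": len(events), "ports": sorted({p for _, p in events}),
                   "median_interval_s": median, "periodic": periodic}
    return out

# Constructed sample: two sources probing every 10 s from changing ephemeral ports, plus an unrelated line.
SAMPLE_LOG = """\
I0801 14:03:10.001 1 log.go:172] http: TLS handshake error from 10.250.227.53:47302: EOF
I0801 14:03:12.001 1 log.go:172] http: TLS handshake error from 10.250.250.158:50112: EOF
I0801 14:03:15.002 1 trace.go:116] Trace[1]: "List etcd3" (started: ...)
I0801 14:03:20.001 1 log.go:172] http: TLS handshake error from 10.250.227.53:47390: EOF
I0801 14:03:22.001 1 log.go:172] http: TLS handshake error from 10.250.250.158:50200: EOF
I0801 14:03:30.001 1 log.go:172] http: TLS handshake error from 10.250.227.53:47471: EOF
I0801 14:03:32.001 1 log.go:172] http: TLS handshake error from 10.250.250.158:50288: EOF
""".splitlines()
```

Feed it the real apiserver log (e.g. `kubectl -n kube-system logs kube-apiserver-<node>`) in place of `SAMPLE_LOG`; a source that is periodic with ever-changing ports matches the TCP probe the answer describes, which the `HealthCheck` section of `aws elb describe-load-balancers` will confirm before you switch it to `HTTPS:6443/healthz`.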
Source: StackOverflow