I have figured it out: for kube-apiserver's flags "--kubelet-client-certificate"
and "--kubelet-client-key", I should generate a pair of client cert/key rather
than a server's.


Regards,
Qian Zhang

On Thu, May 4, 2017 at 10:41 AM, Qian Zhang <zhq527...@gmail.com> wrote:

> Thanks Brandon!
>
> 10255 is the "read-only" port, to disable it remove --read-only-port  from
>> kubelet config.
>
>
> Based on https://kubernetes.io/docs/admin/kubelet/, I think, to disable
> it, I should set "--read-only-port" to 0.
>
> Now I have added these flags "--read-only-port=0
> --client-ca-file=/var/lib/kubelet/ca.crt --authentication-token-webhook
> --anonymous-auth=false" to start kubelet, the command "curl --insecure
> https://<node-IP>:10250/spec/" does not work anymore (it shows an error
> "Unauthorized") which is what I expect, and I also restarted Heapster with
> this flag "--source=kubernetes.summary_api:https://kubernetes.default?
> kubeletHttps=true&kubeletPort=10250&insecure=true" so that it can connect
> to kubelet's 10250 port.
>
> The only issue is that kube-apiserver cannot connect to kubelet anymore:
> $ kubectl logs <pod-name> <container-name> --namespace=kube-system
>
> error: You must be logged in to the server (the server has asked for the
> client to provide credentials)
>
> I have specified "--kubelet-client-certificate=
> /etc/cfc/conf/server.cert --kubelet-client-key=/etc/cfc/conf/server.key"
> to start kube-apiserver, maybe the files I specified here are not correct?
>
>
>
> Regards,
> Qian Zhang
>
> On Thu, May 4, 2017 at 5:39 AM, Brandon Philips <
> brandon.phil...@coreos.com> wrote:
>
>> Oh, there are docs here too:
>> https://kubernetes.io/docs/admin/kubelet-authentication-authorization/
>>
>> On Wed, May 3, 2017 at 1:35 PM Brandon Philips <
>> brandon.phil...@coreos.com> wrote:
>>
>>> Hello Qian-
>>>
>>> 10255 is the "read-only" port, to disable it remove --read-only-port from
>>> kubelet config.
>>>
>>> To configure authentication on the kubelet port use --client-ca-file.
>>> The API server has flags to authenticate using these CAs:
>>> https://github.com/coreos/tectonic-installer/blob/master/modules/bootkube/resources/manifests/kube-apiserver.yaml#L45-L46
>>>
>>> Hope that helps.
>>>
>>> Brandon
>>>
>>> On Wed, May 3, 2017 at 7:38 AM Qian Zhang <zhq527...@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have a Kubernetes cluster, and currently the kubelet listens on two
>>>> ports: 10250 and 10255. If I understand correctly, 10250 serves https and
>>>> 10255 serves http. Now I can always run the following command to access
>>>> kubelet:
>>>>     curl http://<node-IP>:10255/spec/
>>>> And this command even for the https port:
>>>>     curl --insecure https://<node-IP>:10250/spec/
>>>>
>>>> This is not secure to me. I do not want to expose the http port, so I think
>>>> I should start kubelet with the flag "--read-only-port=0" to disable 10255,
>>>> and for the https port (10250), I do not want anonymous users to access it,
>>>> and in the meantime I still want kube-apiserver to be able to access kubelet
>>>> (e.g., when I run "kubectl logs ...", kube-apiserver can still talk to
>>>> kubelet to get logs), and I also want Heapster (running as a deployment in
>>>> my Kubernetes cluster) to still be able to access kubelet to get metrics.
>>>> Can anyone please let me know what other flags I should specify to start
>>>> kubelet?
>>>>
>>>>
>>>> Thanks,
>>>> Qian
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Kubernetes user discussion and Q&A" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to kubernetes-users+unsubscr...@googlegroups.com.
>>>> To post to this group, send email to kubernetes-users@googlegroups.com.
>>>> Visit this group at https://groups.google.com/group/kubernetes-users.
>>>> For more options, visit https://groups.google.com/d/optout.
>>>>
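Qian's fix above (the cert given to --kubelet-client-certificate must be a client certificate, not the API server's serving certificate) can be checked offline. The following is an added example, not code from this thread or from Kubernetes: a toy CA is built, one cert is issued with only the serverAuth EKU and one with clientAuth, and a verify step applies the same client-authentication purpose check the kubelet's TLS listener applies. The names (kubelet-ca, kube-apiserver, apiserver-kubelet-client) are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a key pair and a cert for cn with the given extended key usages.
// With ca == nil it builds a self-signed CA; otherwise ca/caKey sign a leaf.
// Toy PKI constructed for this example, not any cluster tooling's own code.
func issue(ca *x509.Certificate, caKey ed25519.PrivateKey, cn string,
	eku []x509.ExtKeyUsage) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	selfSigned := ca == nil
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, // nil EKU on the CA = any purpose
		IsCA:         selfSigned, BasicConstraintsValid: true,
	}
	parent, signer := ca, caKey
	if selfSigned {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// validForKubeletClient reports whether cert chains to ca and carries the
// clientAuth EKU, the check a TLS server such as the kubelet applies to the
// cert kube-apiserver presents. A serverAuth-only cert fails this check.
func validForKubeletClient(ca, cert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, err := cert.Verify(opts)
	return err == nil
}
```

On real files the equivalent check is `openssl verify -purpose sslclient -CAfile ca.crt server.cert`, which a cert minted for serving only does not pass.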
