It's interesting that the logs are stating that it is a keyusage error. Can you get the keyusage for your generated cert and the ca.crt you used to generate it? The command to do so is:
openssl x509 -in <certificate to check> -purpose -noout -text

Nathan

On Wednesday, September 27, 2017 at 6:39:54 AM UTC-6, Henning Sprang wrote:
>
> Hi,
>
> After setting up a small cluster I want to enable other users (and a
> jenkins server running outside the cluster) to access the Cluster and manage
> deployments, preferably with an own namespace for each application
> consisting of multiple services.
>
> So taking the information from
> https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/#use-case-1-create-user-with-limited-namespace-access
>
> and https://kubernetes.io/docs/tasks/tls/managing-tls-in-a-cluster/ I
> figured out I have to create a user with this script:
>
> https://gist.github.com/henning/2dda0b704426c66e78e355703a8dc177
>
> The problem is, when I try to run a command with this user/certificate, I
> keep getting errors - on the command line:
>
> "error: You must be logged in to the server (the server has asked for the
> client to provide credentials)"
>
> and even if this sounds like the client didn't even send a certificate, in
> the log of the api server it says:
>
> "E0926 22:00:34.165133 5 authentication.go:58] Unable to
> authenticate the request due to an error: x509: certificate specifies an
> incompatible key usage"
>
> so actually it seems like the client sends a certificate, but it's somehow
> not correct/sufficient.
>
> I searched the web to find out what to do about it and tried multiple
> things (for example adding a Usage extension to the CSR, switched between
> creating the key and certificate request with the openssl client as well as
> cfssl, and with different versions of openssl on MacOS and Linux) - all
> with the same result.
>
> So, my questions:
>
> * any further thing I can check for to solve this?
> * is the way I try to do it generally right, or would it be better/easier
> to create a password file like described here?
> https://kubernetes.io/docs/admin/authentication/#static-password-file
>
> Thanks in advance, and please let me know if there is any more information
> needed that I might have forgotten.
>
> Henning
>