Hi All, I'm trying to create a cluster using openssl certificates for authentication. What am I doing wrong here? Below are the components and the steps I've followed. minion-node and kubectl are throwing this error: *Unable to connect to the server: x509: certificate signed by unknown authority*
Ubuntu 16.04, uname -a: Linux ip-172- 4.4.0-1038-aws #47-Ubuntu SMP Thu Sep 28 20:05:35 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Kubernetes 1.8
Docker version 17.03.2-ce, build f5ec1e2
flanneld --version: v0.9.0
etcd Version: 3.2.8

Generate a ca.key with 2048bit:
1) openssl genrsa -out ca.key 2048
According to the ca.key generate a ca.crt (use -days to set the certificate effective time):
2) openssl req -x509 -new -nodes -key ca.key -subj "/CN=${MASTER_IP}" -days 10000 -out ca.crt
Generate a server.key with 2048bit:
3) openssl genrsa -out server.key 2048
According to the server.key generate a server.csr:
4) openssl req -new -key server.key -subj "/CN=${MASTER_IP}" -out server.csr
According to the ca.key, ca.crt and server.csr generate the server.crt:
5) openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 10000
View the certificate:
6) openssl x509 -noout -text -in ./server.crt

============================== Generate Certificates for Nodes ==============================
NODES=kubecfg
for NODE in $NODES; do
  sudo openssl req -newkey rsa:2048 -nodes -keyout /srv/kubernetes/${NODE}.key -subj "/CN=${NODE}" -out /srv/kubernetes/${NODE}.csr
  sudo openssl x509 -req -days 10000 -in /srv/kubernetes/${NODE}.csr -CA /srv/kubernetes/ca.crt -CAkey /srv/kubernetes/ca.key -CAcreateserial -out /srv/kubernetes/${NODE}.crt
done

kubectl config set-cluster mykubecluster --server=https://Master_IP:6443 --certificate-authority=/srv/kubernetes/
kubectl config set-credentials kubelet \
  --certificate-authority=/srv/kubernetes/ --client-key=/srv/kubernetes/ --client-certificate=/srv/kubernetes/
kubectl config set-context kubelet-context --cluster=mykubecluster --user=kubelet
kubectl config use-context kubelet-context

=================== kubeconfig File ====================
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /srv/kubernetes/ca.crt
    server: https://Master_IP:6443
  name: mykubecluster
contexts:
- context:
    cluster: mykubecluster
    user: kubelet
  name: kubelet-context
current-context: kubelet-context
kind: Config
preferences: {}
users:
- name: kubelet
  user:
    as-user-extra: {}
    client-certificate: /srv/kubernetes/kubecfg.crt
    client-key: /srv/kubernetes/kubecfg.key

When I remove the kubelet-context entry from the kubeconfig file and leave it blank, *kubectl* works fine; when I run with the below entry for the context it gives me an error, and minion-node is not able to connect to the apiserver with or without the kubelet-context.

*name: kubelet-context*
*current-context: kubelet-context*

I'm getting this error:

ubuntu@ip-172-31:/srv/kubernetes
ca.crt ca.key ca.srl kubecfg.crt kubecfg.csr kubecfg.key server.crt server.csr server.key
ubuntu@ip-172-31:~$ *kubectl get cs*
Unable to connect to the server: x509: certificate signed by unknown authority
ubuntu@ip-172-31:~$ *kubectl get ep*
Unable to connect to the server: x509: certificate signed by unknown authority

I ran all the above commands on the Master Node. After this I copied the ca.crt, kubecfg.crt and kubecfg.key files to the node manually inside the /srv/kubernetes/ directory, and the kubeconfig file inside the /var/lib/kubelet/ and /var/lib/kube-proxy/ directories.

● kubelet.service - Kubernetes Kubelet Server
   Loaded: loaded (/lib/systemd/system/kubelet.
   Active: active (running) since Sat 2017-11-04 23:04:36 UTC; 26min ago
     Docs: https://github.com/GoogleCloudPlatform/kubernetes
 Main PID: 1921 (kubelet)
    Tasks: 14
   Memory: 81.4M
      CPU: 15.045s
   CGroup: /system.slice/kubelet.service
           └─1921 /usr/local/bin/kubelet --logtostderr=true --v=2 #$KUBELET_API_SERVER --port=10250 --hostname-override=172.31.4.
Nov 04 23:31:07 ip-172-31-XXX kubelet[1921]: E1104 23:31:07.768591    1921 event.go:209] Unable to write event: 'Patch https://172.31.7.27:6443/api/v1/namespaces/defau
Nov 04 23:31:08 ip-172-31-XXX kubelet[1921]: E1104 23:31:08.357411    1921 reflector.go:205] k8s.io/kubernetes/pkg/kubelet/kubelet.go:422: Failed to list *v1.Node: Get
Nov 04 23:31:08 ip-172-31-XXX kubelet[1921]: E1104 23:31:08.357975    1921 reflector.go:205] k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:47: Failed to list *v1.P

ubuntu@ip-172-31~$ *journalctl -fu kubelet*
-- Logs begin at Sat 2017-11-04 22:40:12 UTC. --
Nov 04 23:05:33 ip-172-31-XXX kubelet[1921]: E1104 23:05:33.390930    1921 reflector.go:205] k8s.io/kubernetes/pkg/kubelet/kubelet.go:422: Failed to list *v1.Node: Get https://Master_IP:6443/api/v1/nodes?fieldSelector=metadata.name%3D172.31.4.225&resourceVersion=0: x509: certificate signed by unknown authority
Nov 04 23:05:34 ip-172-31-XXX kubelet[1921]: E1104 23:05:34.392144    1921 reflector.go:205] k8s.io/kubernetes/pkg/kubelet/kubelet.go:413: Failed to list *v1.Service: Get https://Master_IP:6443/api/v1/services?resourceVersion=0: x509: certificate signed by unknown authority

*journalctl -fu kube-proxy*
-- Logs begin at Sat 2017-11-04 22:40:12 UTC. --
Nov 04 23:06:45 ip-172-31-XXX kube-proxy[2035]: E1104 23:06:45.793400    2035 reflector.go:205] k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/factory.go:73: Failed to list *api.Endpoints: Get https://Master_IP:443/api/v1/endpoints?resourceVersion=0: dial tcp Master_IP:443: getsockopt: connection refused
Nov 04 23:06:45 ip-172-31-XXX kube-proxy[2035]: E1104 23:06:45.794332    2035 reflector.go:205] k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/factory.go:73: Failed to list *api.Service: Get https://Master_IP:443/api/v1/services?resourceVersion=0: dial tcp Master_IP:443: getsockopt: connection refused
Nov 04 23:06:46 ip-172-31-XXX kube-proxy[2035]: E1104 23:06:46.794316    2035 reflector.go:205] k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/factory.go:73: Failed to list *api.Endpoints: Get https://Master_IP:443/api/v1/endpoints?resourceVersion=0: dial tcp Master_IP:443: getsockopt: connection refused

I will appreciate any help and suggestions on this.

Thanks
sam

--
You received this message because you are subscribed to the Google Groups "Kubernetes user discussion and Q&A" group.