
Correct configuration for "the hard way" / manual configuration? Error: failed to verify certificate [...] doesn't contain any IP SANs #1588

Open
erikschul opened this issue Nov 2, 2024 · 1 comment
Labels
needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@erikschul

Given that numerous people seem to fail to configure metrics-server without disabling TLS verification, I was hoping that you would help document how to configure it correctly when configuring Kubernetes manually (without kubeadm).

Error:

"Failed to scrape node" err="Get "https://[1.2.3.4]:10250/metrics/resource": tls: failed to verify certificate: x509: cannot validate certificate for [1.2.3.4] because it doesn't contain any IP SANs

I've tried creating a cluster-ca signed ca.crt/tls.key/tls.crt for metrics-server:

--kubelet-client-certificate=/certs/tls.crt
--kubelet-client-key=/certs/tls.key
--kubelet-certificate-authority=/certs/ca.crt

Node certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = X, ST = X, L = X, O = " CA", OU = X, CN = CA
        Validity
            Not Before: Oct 10 17:04:00 2024 GMT
            Not After : Oct  8 17:04:00 2034 GMT
        Subject: C = X, ST = X, L = X, O = system:nodes, OU = X, CN = system:node:node0
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    ...
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                ...
            X509v3 Authority Key Identifier: 
                ...
            X509v3 Subject Alternative Name: 
                DNS:node0, IP Address:[1.2.3.4]
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
      ...

KubeletConfiguration:

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.pem
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
  - 10.96.0.10
clusterDomain: "{{cluster_domain}}"
containerRuntimeEndpoint: "unix:///var/run/containerd/containerd.sock"
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
logging:
  flushFrequency: 0
  options:
    json:
      infoBufferSize: "0"
  verbosity: 1
  format: json
memorySwap: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
rotateCertificates: true
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s
serializeImagePulls: false
maxParallelImagePulls: 3

/etc/kubernetes/kubelet.conf

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ...
    server: https://127.0.0.1:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:node:node0
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: system:node:node0
  user:
    client-certificate-data: ...
    client-key-data: ...
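
The error quoted above is produced by Go's crypto/x509 name check, the same library metrics-server uses when it dials the kubelet: when the address dialed is an IP literal, only an IP SAN can match it, and Go checks the name before it builds the chain, so a correct `--kubelet-certificate-authority` does not help if the certificate actually served on :10250 carries no IP SAN. The following is an added, self-contained reproduction (not code from metrics-server, the kubelet, or the issue author): it mints a throwaway CA and two node certificates in memory, one with only `DNS:node0` and one with `DNS:node0` plus `IP:1.2.3.4`, then runs the verifier exactly as a TLS client would for each dialed address. The CA, keys and addresses are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCA mints a throwaway CA in memory (constructed for this example only).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServingCert signs a kubelet-style serving certificate (same subject and
// key usages as the node certificate in the issue) with exactly the SANs given.
func issueServingCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey,
	dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{Organization: []string{"system:nodes"}, CommonName: "system:node:node0"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAsScraper runs the check a Go TLS client performs when it dials
// https://<addr>:10250 trusting ca: the leaf must chain to ca AND carry a
// SAN matching addr. Go validates the name before it builds the chain, so a
// certificate with no IP SAN fails on the name even when the CA is right.
func VerifyAsScraper(leaf, ca *x509.Certificate, addr string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   addr, // an IP literal here selects the IP-SAN check
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsNameMismatch reports whether err is Go's SAN mismatch, the class of
// error quoted in the issue ("doesn't contain any IP SANs").
func IsNameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	// Constructed samples: one cert with only DNS:node0, one with DNS + IP.
	dnsOnly, _ := issueServingCert(ca, caKey, []string{"node0"}, nil)
	withIP, _ := issueServingCert(ca, caKey, []string{"node0"}, []net.IP{net.ParseIP("1.2.3.4")})

	for _, c := range []struct {
		name string
		cert *x509.Certificate
	}{{"DNS-only", dnsOnly}, {"DNS+IP", withIP}} {
		for _, addr := range []string{"1.2.3.4", "node0"} {
			fmt.Printf("%-8s dialed as %-8s -> %v\n", c.name, addr, VerifyAsScraper(c.cert, ca, addr))
		}
	}
}
```

Two checks follow from this. First, the certificate the kubelet presents on :10250 is whatever `tlsCertFile`/`tlsPrivateKeyFile` (or `serverTLSBootstrap: true`) make it serve; the KubeletConfiguration above sets none of these, so it is worth confirming with `openssl s_client -connect <node>:10250 -showcerts` that the served certificate is the node certificate shown and not a different one without an IP SAN. Second, the DNS-only certificate verifies fine when dialed as `node0`, which is why metrics-server's `--kubelet-preferred-address-types` matters: the SANs must cover whichever address type the scraper actually uses.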

k8s-ci-robot added the needs-triage label on Nov 2, 2024

@k8s-ci-robot (Contributor)

This issue is currently awaiting triage.

If metrics-server contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
