
When I execute the command "systemctl start kubelet", the result shows "error: failed to run kubelet: cannot create certificate signing request: the server has asked for the client to provide credentials (post certificatesigningrequests.certificates.k8s.io)"

The configuration file is as follows:

--experimental-bootstrap-kubeconfig=/etc/kubernetes/bootstrap.kubeconfig --kubeconfig=/etc/kubernetes/kubelet.kubeconfig --require-kubeconfig --cert-dir=/etc/kubernetes/ssl --cluster-domain=cluster.local. --hairpin-mode promiscuous-bridge --serialize-image-pulls=false"

If I comment out the line above, then everything is OK, but I want to use SSL authentication, so what should I do?

Jay

1 Answer


It could be that some extra parameters are missing. This is an example of a startup command using certificate signing requests (https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/06-kubernetes-worker.md):

ExecStart=/usr/bin/kubelet \\
  --api-servers=${API_SERVERS} \\
  --allow-privileged=true \\
  --cluster-dns=10.32.0.10 \\
  --cluster-domain=cluster.local \\
  --container-runtime=docker \\
  --experimental-bootstrap-kubeconfig=/var/lib/kubelet/bootstrap.kubeconfig \\
  --network-plugin=kubenet \\
  --kubeconfig=/var/lib/kubelet/kubeconfig \\
  --serialize-image-pulls=false \\
  --register-node=true \\
  --tls-cert-file=/var/lib/kubelet/kubelet-client.crt \\
  --tls-private-key-file=/var/lib/kubelet/kubelet-client.key \\
  --cert-dir=/var/lib/kubelet \\
  --v=2

Could you try adding flags like register-node or the tls-cert-file and tls-cert-key-file? (My take is that it would be generated.)

However, when I tried to make the certificate signing request fully work, I saw that there were still some issues, so I would advise you to create the certificates manually using the cluster CA.

Javier Salmeron
  • Thank you very much, and could you tell me how to generate the "kubelet-client.crt" and the "kubelet-client.key"? – Jay Jul 27 '17 at 12:21
  • This guide should help you: https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/master/docs/02-certificate-authority.md There you will find an example for kube-proxy. Change the user to system:kubelet – Javier Salmeron Jul 27 '17 at 14:36
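
The manual route recommended in the answer, as an added example that is not part of the original answer or the linked guide: it uses openssl to create a kubelet client key and a certificate signed by a CA, then checks the result before the files are handed to the kubelet. The throwaway CA stands in for the cluster CA, CN=system:kubelet follows the last comment, and the function names, key size and validity period are assumptions.

```shell
#!/bin/sh
# Added example. The demo CA is constructed for this run; on a real cluster
# point -CA/-CAkey at the cluster CA files instead (paths are site-specific).

# make_demo_ca DIR: throwaway self-signed CA standing in for the cluster CA.
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-cluster-ca" \
    -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
}

# issue_kubelet_cert DIR: write kubelet-client.key and kubelet-client.crt.
issue_kubelet_cert() {
  dir=$1
  # Create the private key with owner-only permissions.
  (umask 077 && openssl genrsa -out "$dir/kubelet-client.key" 2048 2>/dev/null) || return 1
  # CN becomes the Kubernetes user name (system:kubelet, per the comment above).
  openssl req -new -key "$dir/kubelet-client.key" -subj "/CN=system:kubelet" \
    -out "$dir/kubelet-client.csr" || return 1
  # Restrict the certificate to TLS client authentication.
  printf '%s\n' 'keyUsage=critical,digitalSignature,keyEncipherment' \
    'extendedKeyUsage=clientAuth' > "$dir/ext.cnf"
  openssl x509 -req -in "$dir/kubelet-client.csr" -sha256 -days 365 \
    -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" -CAcreateserial \
    -extfile "$dir/ext.cnf" -out "$dir/kubelet-client.crt" 2>/dev/null
}

# check_kubelet_cert DIR: succeed only if the certificate chains to the CA
# as a client certificate and its public key matches the private key.
check_kubelet_cert() {
  dir=$1
  openssl verify -purpose sslclient -CAfile "$dir/ca.pem" \
    "$dir/kubelet-client.crt" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$dir/kubelet-client.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$dir/kubelet-client.key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# cert_subject FILE: print the subject so the user name can be confirmed.
cert_subject() { openssl x509 -in "$1" -noout -subject; }

# Demo run in a temporary directory; prints the subject on success.
demo=$(mktemp -d)
make_demo_ca "$demo" && issue_kubelet_cert "$demo" && check_kubelet_cert "$demo" \
  && cert_subject "$demo/kubelet-client.crt"
```

Running the check before restarting the kubelet separates a bad certificate (wrong CA, mismatched key) from a problem on the API server side.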