K8S (1.9) how to access API server with client certifiicate

Question

Qustion

How can I access the API server API with the client certificate? Tried below but no success.

export K8S_PKI_HOME=/etc/kubernetes/pki
curl -k --key ${K8S_PKI_HOME}/ca.key --cert ${K8S_PKI_HOME}/ca.crt \
https://localhost:6443/api/v1/componentstatuses

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "componentstatuses is forbidden: User \"kubernetes\" cannot list componentstatuses at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "componentstatuses"
  },
  "code": 403
}

According to X509 Client Certs (Authentication Strategy:

Client certificate authentication is enabled by passing the --client-ca-file=SOMEFILE option to API server.

In the /etc/kubernetes/manifests/kube-apiserver.yaml, --client-ca-file=/etc/kubernetes/pki/ca.crt is specified.

spec:
  containers:
  - command:
    - kube-apiserver
    - --client-ca-file=/etc/kubernetes/pki/ca.crt

with a URL like `https://localhost:6443/api/v1/componentstatuses`, it is entirely possible that you also have access to the _unauthenticated_ port on the master, typically `http://localhost:8080/api/v1/componentstatuses` which could bypass both authn and authz — mdaniel, Dec 22 '17 at 05:26

score 2 · Answer 1 · answered Dec 22 '17 at 04:29

2

It appears the client certificate you presented was recognized, and authenticated you as the user "kubernetes".

The error you are receiving is an authorization error, not authentication.

The next step is to ensure that the user is authorized to perform the API calls they are making. How you do that varies depending on which authorization mode your server is using. See https://kubernetes.io/docs/admin/authorization/ for details

answered Dec 22 '17 at 04:29

Jordan Liggitt

16,933
2
56
44

Thanks for the answer, but it was not authorization issue. – mon Dec 25 '17 at 03:27

score 1 · Accepted Answer · answered Dec 25 '17 at 02:11

Found the client certificate and key were wrong.

# sudo curl -iv -L \
>      --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt \
>      --key  /etc/kubernetes/pki/apiserver-kubelet-client.key \
>      --cacert /etc/kubernetes/pki/ca.crt \
> https://172.31.4.117:6443/healthz
* About to connect() to 172.31.4.117 port 6443 (#0)
*   Trying 172.31.4.117...
* Connected to 172.31.4.117 (172.31.4.117) port 6443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/kubernetes/pki/ca.crt
  CApath: none
* NSS: client certificate from file
*   subject: CN=kube-apiserver-kubelet-client,O=system:masters
*   start date: Dec 23 05:13:30 2017 GMT
*   expire date: Dec 23 05:13:30 2018 GMT
*   common name: kube-apiserver-kubelet-client
*   issuer: CN=kubernetes
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN=kube-apiserver
*   start date: Dec 23 05:13:30 2017 GMT
*   expire date: Dec 23 05:13:30 2018 GMT
*   common name: kube-apiserver
*   issuer: CN=kubernetes
> GET /healthz HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 172.31.4.117:6443
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 25 Dec 2017 02:10:15 GMT
Date: Mon, 25 Dec 2017 02:10:15 GMT
< Content-Length: 2
Content-Length: 2
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8

< 
* Connection #0 to host 172.31.4.117 left intact
ok

K8S (1.9) how to access API server with client certifiicate

Qustion

2 Answers2