4

I searched the previous posts for this but I can't find the solution, sorry.

I installed metrics-server on kubeadm v1.12 and I get this error from the logs:

1 master node and 1 slave node, in a private network.

Get https://ip-10-0-1-154:10250/stats/summary/: x509: a certificate signed by an unknown authority, unable to fully scrape metrics from source 

I didn't install any certificate.

How can I install a new certificate, and where do I need to change this, without setting up a new Kubernetes cluster?

Sorry for the noob question. I tried to create a new certificate but I cannot make the kubelet change.

Zoran Pandovski
  • 2,312
  • 14
  • 24
pioupiou
  • 836
  • 2
  • 14
  • 29

1 Answer

6

It's a problem with kubeadm, where it generates the kubelet certificates on the nodes under /var/lib/kubelet/pki (kubelet.crt, kubelet.key) signed by a different CA from the one used for the master(s) under /etc/kubernetes/pki (ca.crt). Some background here. You'll have to regenerate the certificates for your kubelets, signed by the CA on the master(s), /etc/kubernetes/pki/ca.crt.

You can follow something like this, for example using cfssl.

Something like this:

$ mkdir ~/mycerts; cd ~/mycerts
$ cp /etc/kubernetes/pki/ca.crt ca.pem
$ cp /etc/kubernetes/pki/ca.key ca-key.pem

Create a file kubelet-csr.json with something like this:

{
  "CN": "kubernetes",
  "hosts": [
    "127.0.0.1",
    "<your-node-name>",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [{
    "C": "US",
    "ST": "NY",
    "L": "City",
    "O": "Org",
    "OU": "Unit"
  }]
}

Create a ca-config.json file:

{
  "signing": {
    "default": {
      "expiry": "8760h"
    },
    "profiles": {
      "kubernetes": {
        "usages": [
          "signing",
          "key encipherment",
          "server auth",
          "client auth"
        ],
        "expiry": "8760h"
      }
    }
  }
}

Create a config.json file:

{
    "signing": {
        "default": {
            "expiry": "168h"
        },
        "profiles": {
            "www": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "server auth"
                ]
            },
            "client": {
                "expiry": "8760h",
                "usages": [
                    "signing",
                    "key encipherment",
                    "client auth"
                ]
            }
        }
    }
}

Generate the certs:

$ cfssl gencert -ca=ca.pem -ca-key=ca-key.pem \
  --config=ca-config.json -profile=kubernetes \
  kubelet-csr.json | cfssljson -bare kubelet

Copy the files to your nodes:

$ scp kubelet.pem <node-ip>:/var/lib/kubelet/pki/kubelet.crt
$ scp kubelet-key.pem <node-ip>:/var/lib/kubelet/pki/kubelet.key

Restart the kubelet on your node:

$ systemctl restart kubelet

PS. Opened this to track the issue.

pioupiou
  • 836
  • 2
  • 14
  • 29
Rico
  • 58,485
  • 12
  • 111
  • 141
  • Sorry for the trouble :). I tried your way and I get this error: {"code":2003,"message":"Failed to parse private key"} Failed to parse input: unexpected end of JSON input. I tried with the Cloudflare tutorial, still the same error from the start: x509: a certificate signed by an unknown authority – pioupiou Nov 12 '18 at 10:11
  • It had the same error, that's why :) $ cp /etc/kubernetes/pki/ca.crt ca-key.pem is the cert, not the key. Thanks a lot :) :P – pioupiou Nov 12 '18 at 12:47
  • Fixed it. Thanks! – Rico Nov 12 '18 at 15:25
  • If you're here for an installation with kind and --kubeconfig=..: don't use this parameter; the issue comes from using a wrong user certificate. Export a new kubeconfig first. – tuxErrante Mar 30 '21 at 18:13
  • @tuxErrante what do you mean by don't use --kubeconfig? I'm rotating my cluster CA, but the certs generated in kubelet.conf fail with the x509 error above. This is a kind cluster. – swetad90 May 12 '21 at 20:08
  • I resolved it by doing an export KUBECONFIG=bla/bla before every kubectl. – tuxErrante May 13 '21 at 09:18
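The following is an added example, not code from the answer or from the original poster. It carries out the same procedure the answer describes (regenerate the kubelet serving certificate so that it is signed by the cluster CA in /etc/kubernetes/pki) using only openssl instead of cfssl, and it adds the check a practitioner would want first: does the existing /var/lib/kubelet/pki/kubelet.crt verify against ca.crt at all? The node name ip-10-0-1-154 comes from the error message in the question; the node IP 10.0.1.154, the subject CN and the throwaway CA built in a temp directory are this example's own constructions so that it runs offline.

```shell
#!/bin/sh
# Added example (not the answer's code): check whether kubelet.crt chains to the
# cluster CA and, if not, re-issue it signed by that CA using openssl only.
# On a kubeadm node the real paths are /etc/kubernetes/pki/ca.{crt,key} and
# /var/lib/kubelet/pki/kubelet.{crt,key}; demo_roundtrip below uses a
# constructed CA in a temp dir instead.
set -eu

# Exit status 0 when certificate $1 verifies against CA file $2.
# This is the check that fails behind the metrics-server error: kubeadm's
# self-signed kubelet.crt does not chain to /etc/kubernetes/pki/ca.crt.
kubelet_cert_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Issue a kubelet serving certificate for node hostname $1 and node IP $2,
# signed by CA cert $3 / CA key $4, writing $5.key and $5.crt.
# The SAN list mirrors the "hosts" array of kubelet-csr.json in the answer;
# the subject (CN = node name) is this example's choice.
issue_kubelet_cert() {
  node="$1"; ip="$2"; ca_crt="$3"; ca_key="$4"; out="$5"
  cat > "$out.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=DNS:$node,DNS:kubernetes,DNS:kubernetes.default,DNS:kubernetes.default.svc,DNS:kubernetes.default.svc.cluster.local,IP:127.0.0.1,IP:$ip
EOF
  # Fresh private key + CSR, then sign the CSR with the cluster CA for one year
  # (the same 8760h expiry the answer's ca-config.json uses).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" \
    -subj "/CN=$node" -out "$out.csr" 2>/dev/null
  openssl x509 -req -in "$out.csr" -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
    -days 365 -extfile "$out.ext" -out "$out.crt" 2>/dev/null
  rm -f "$out.csr" "$out.ext"
}

# Exit status 0 when certificate $1 carries DNS SAN $2.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Constructed end-to-end run: build a fake cluster CA and a fake self-signed
# kubelet cert (the broken state kubeadm leaves), show the check failing,
# re-issue, show it passing. Exit status 0 only for that before/after sequence.
demo_roundtrip() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=kubernetes" \
    -keyout "$tmp/ca.key" -out "$tmp/ca.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=ip-10-0-1-154" \
    -keyout "$tmp/kubelet.key" -out "$tmp/kubelet.crt" 2>/dev/null

  if kubelet_cert_ok "$tmp/kubelet.crt" "$tmp/ca.crt"; then
    echo "unexpected: self-signed kubelet.crt verified against the CA"
    rm -rf "$tmp"; return 1
  fi
  echo "before: kubelet.crt is not signed by the cluster CA (the x509 error metrics-server reports)"

  issue_kubelet_cert ip-10-0-1-154 10.0.1.154 "$tmp/ca.crt" "$tmp/ca.key" "$tmp/kubelet"
  if ! kubelet_cert_ok "$tmp/kubelet.crt" "$tmp/ca.crt"; then
    echo "re-issued kubelet.crt still does not verify"
    rm -rf "$tmp"; return 1
  fi
  cert_has_san "$tmp/kubelet.crt" ip-10-0-1-154 || { rm -rf "$tmp"; return 1; }
  echo "after: kubelet.crt verifies against ca.crt and carries DNS:ip-10-0-1-154;"
  echo "       copy kubelet.crt/kubelet.key to /var/lib/kubelet/pki and restart kubelet"
  rm -rf "$tmp"
}

demo_roundtrip
```

On a real node, run kubelet_cert_ok against /var/lib/kubelet/pki/kubelet.crt and /etc/kubernetes/pki/ca.crt before changing anything; if it already passes, the x509 error has another cause (the kind/kubeconfig situation in the comments, for instance). Note that -CAcreateserial writes a ca.srl file next to the CA certificate, and that the kubelet only picks up the new files after the restart the answer ends with.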