2

I want to ask how to access Kubelet API from microk8s cluster.

I looked at this URL and it says that the Kubelet API requires a client certificate. So I called this (from /var/snap/microk8s/current/certs): `curl -v https://127.0.0.1:10250 --cert ca.crt --cert-type PEM --cacert ca.crt --key ca.key`

But I got an error saying: "curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above."

How do I fix this issue? Also, what is the difference between kubelet.crt, server.crt, and ca.crt in microk8s?

Thank you!


jsishere
  • 78
  • 1
  • 8

1 Answer

1

Try this:

curl --verbose \
  --cert ./server.crt \
  --key ./server.key  \
  --insecure \
  https://127.0.0.1:10250/healthz

The CA cert in the certs directory is not the signer of the cert :10250 presents to the user. I don't know where the CA cert being presented comes from; it looks like it's rotated, as the issuer is `CN=<servername>-ca@1567568834` (hence the `--insecure`).

The kube-apiserver command line will include the exact path to the kubelet client certs (or they could also be stored in a config file in the new k8s world):

`--kubelet-client-certificate` `--kubelet-client-key`

$ pgrep -a kube-apiserver | perl -pe 's/ --/\n --/g'
22071 /snap/microk8s/1247/kube-apiserver
 --cert-dir=/var/snap/microk8s/1247/certs
 --service-cluster-ip-range=10.22.189.0/24
 --authorization-mode=RBAC,Node
 --basic-auth-file=/var/snap/microk8s/1247/credentials/basic_auth.csv
 --service-account-key-file=/var/snap/microk8s/1247/certs/serviceaccount.key
 --client-ca-file=/var/snap/microk8s/1247/certs/ca.crt
 --tls-cert-file=/var/snap/microk8s/1247/certs/server.crt
 --tls-private-key-file=/var/snap/microk8s/1247/certs/server.key
 --kubelet-client-certificate=/var/snap/microk8s/1247/certs/server.crt
 --kubelet-client-key=/var/snap/microk8s/1247/certs/server.key
 --secure-port=16443
 --token-auth-file=/var/snap/microk8s/1247/credentials/known_tokens.csv
 --token-auth-file=/var/snap/microk8s/1247/credentials/known_tokens.csv
 --etcd-servers=https://127.0.0.1:12379
 --etcd-cafile=/var/snap/microk8s/1247/certs/ca.crt
 --etcd-certfile=/var/snap/microk8s/1247/certs/server.crt
 --etcd-keyfile=/var/snap/microk8s/1247/certs/server.key
 --requestheader-client-ca-file=/var/snap/microk8s/1247/certs/front-proxy-ca.crt
 --requestheader-allowed-names=front-proxy-client
 --requestheader-extra-headers-prefix=X-Remote-Extra-
 --requestheader-group-headers=X-Remote-Group
 --requestheader-username-headers=X-Remote-User
 --proxy-client-cert-file=/var/snap/microk8s/1247/certs/front-proxy-client.crt
 --proxy-client-key-file=/var/snap/microk8s/1247/certs/front-proxy-client.key

Matt
  • 68,711
  • 7
  • 155
  • 158
  • Ah I see.. I can curl the data. Thank you so much! Though I still don't understand the differences between ca.crt, server.crt, and kubelet.crt. I can use ca.crt to access port 16443 but not 10250 because of the self-signed certificate. From https://microk8s.io/docs/ports, it says that `Kubelet and the API server are aware of the same CA and so the signed server certificate is used by the API server to authenticate with kubelet (--kubelet-client-certificate)` so I thought I could use the same certificate to sign the request. Sorry for the question, I am still new to Kubernetes! – jsishere Mar 09 '20 at 05:24
  • Yeah it's a bit weird, kubelet is configured with the `ca.crt` but the certificate it presents is the self-signed `kubelet.crt`. Probably just a minor nit for the microk8s project but it works so no one notices. – Matt Mar 09 '20 at 09:09
  • `echo | openssl s_client -connect 127.0.0.1:10250 -showcerts | openssl x509 -noout -text` – Matt Mar 09 '20 at 09:09
  • `openssl x509 -in kubelet.crt -noout -text` – Matt Mar 09 '20 at 09:09
  • Generally you would use the CA certificate to sign the other certificates, maybe it was just easier to self sign, or historically left behind – Matt Mar 09 '20 at 09:11