0

I want to start developing for the Kubernetes project. I wanted to debug the network between the master and the worker.
Currently they are using x509 certificates for SSL communication and I need to see this communication.

I installed a Kubernetes cluster on a Linux machine with kubeadm and the Weave network plugin, and I now want to disable the SSL network to be able to see all the traffic between them.

I tried the steps described in this answer and:

  • Removed `--insecure-port=0` from `/etc/kubernetes/manifests/kube-apiserver.yaml`
  • Added `--insecure-bind-address=0.0.0.0` to `/etc/kubernetes/manifests/kube-controller-manager.yaml` and `/etc/kubernetes/manifests/kube-scheduler.yaml`
  • Restart kubelet: `service kubelet restart`

I created a new deployment with `kubectl run nginx --image nginx` on the master, and on the worker I ran `tcpdump -i ens3 -w ./traffic.pcap`.

The deployment failed to run.
I checked the kubelet logs with `journalctl -u kubelet`:

```
Apr 01 12:16:57 master kubelet[10614]: E0401 12:16:57.238125   10614 pod_workers.go:190] Error syncing pod 26ead5e19e83a1d9426b732dc183b75d ("kube-controller-manager-master_kube-system(26ead5e19e83a1d9426b732dc183b75d)"), skipping: failed to "StartContainer" for "kube-controller-manager" with CrashLoopBackOff: "Back-off 5m0s restarting failed container=kube-controller-manager pod=kube-controller-manager-master_kube-system(26ead5e19e83a1d9426b732dc183b75d)"
Apr 01 12:16:59 master kubelet[10614]: E0401 12:16:59.238970   10614 pod_workers.go:190] Error syncing pod 448824ad8c321fa307186a36765b0ee4 ("kube-scheduler-master_kube-system(448824ad8c321fa307186a36765b0ee4)"), skipping: failed to "StartContainer" for "kube-scheduler" with CrashLoopBackOff: "Back-off 5m0s restarting failed container=kube-scheduler pod=kube-scheduler-master_kube-system(448824ad8c321fa307186a36765b0ee4)"
```

How is it possible to disable Kubernetes SSL communication and debug it for development?

E235

1 Answer

3

The scheduler and controller manager did not start after you added `--insecure-bind-address` because this flag is not supported by these two components. So remove it and the deployment should work.

You can verify this by running the commands below to check the logs; you should see the error `unknown flag: --insecure-bind-address`.

```
# The pod name is the part before "_kube-system" in the kubelet log lines
kubectl logs kube-controller-manager-master -n kube-system
kubectl logs kube-scheduler-master -n kube-system
```

Edit:

For HTTP communication between the API server and the kubelet, you can set `--kubelet-https` to false in the API server.

Arghya Sadhu
  • OK, so with `insecure-port` disabled I can see what is being sent to the API server but I still don't see what is being sent between the API server and the kubelet on the worker. – E235 Apr 01 '20 at 14:38
  • For that you can set the API server flag `--kubelet-https` to false – Arghya Sadhu Apr 01 '20 at 15:26
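
An added example, not part of the original question or answer: a shell function that reads kubelet journal lines like the ones in the question and prints the `kubectl logs` command for each crash-looping container, so the startup error can be read directly. It assumes the `container=<name> pod=<pod>_<namespace>(<uid>)` layout seen in those lines; `crashloop_log_cmds` and `sample_journal` are hypothetical helper names, and the sample input is constructed.

```shell
#!/usr/bin/env bash
# Added example: map kubelet CrashLoopBackOff lines to "kubectl logs" commands.

# Constructed sample input shaped like the kubelet lines in the question
# (UIDs shortened to placeholders; one unrelated line and one repeat included).
sample_journal() {
cat <<'EOF'
Apr 01 12:16:57 master kubelet[10614]: E0401 12:16:57.238125   10614 pod_workers.go:190] Error syncing pod uid-a ("kube-controller-manager-master_kube-system(uid-a)"), skipping: failed to "StartContainer" for "kube-controller-manager" with CrashLoopBackOff: "Back-off 5m0s restarting failed container=kube-controller-manager pod=kube-controller-manager-master_kube-system(uid-a)"
Apr 01 12:16:58 master kubelet[10614]: I0401 12:16:58.100000   10614 server.go:100] constructed informational line, not an error
Apr 01 12:16:59 master kubelet[10614]: E0401 12:16:59.238970   10614 pod_workers.go:190] Error syncing pod uid-b ("kube-scheduler-master_kube-system(uid-b)"), skipping: failed to "StartContainer" for "kube-scheduler" with CrashLoopBackOff: "Back-off 5m0s restarting failed container=kube-scheduler pod=kube-scheduler-master_kube-system(uid-b)"
Apr 01 12:17:09 master kubelet[10614]: E0401 12:17:09.238970   10614 pod_workers.go:190] Error syncing pod uid-b ("kube-scheduler-master_kube-system(uid-b)"), skipping: failed to "StartContainer" for "kube-scheduler" with CrashLoopBackOff: "Back-off 5m0s restarting failed container=kube-scheduler pod=kube-scheduler-master_kube-system(uid-b)"
EOF
}

# Reads kubelet journal text on stdin.
# Prints one de-duplicated "kubectl logs" command per crash-looping container.
# The kubelet writes pods as <pod>_<namespace>(<uid>); kubectl wants the pod
# name and namespace separately, so the sed expression splits on the underscore.
# --previous selects the logs of the last terminated instance of the container.
crashloop_log_cmds() {
  grep 'CrashLoopBackOff' |
    sed -n 's/.*container=\([^ ]*\) pod=\([^_ ]*\)_\([^( ]*\)(.*/kubectl logs \2 -n \3 -c \1 --previous/p' |
    sort -u
}

# Demo on the constructed sample. On a real node:
#   journalctl -u kubelet --no-pager | crashloop_log_cmds
sample_journal | crashloop_log_cmds
```
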