cyberark / kubeletctl

A client for kubelet
Apache License 2.0

Google cloud platform support #8

Closed renghen-p closed 1 year ago

renghen-p commented 3 years ago

Hi, how can I make it work with my k8s on Google Cloud, or any other cloud?

g3rzi commented 3 years ago

Hi,

It depends on how it was configured. Choose one of the nodes whose kubelet you want to check.
The default kubelet configuration is /var/lib/kubelet/config.yaml; open it and check two things:

  1. authentication: anonymous: enabled: ? Is it set to true, false or neither?
  2. authorization: mode: ? Is it set to AlwaysAllow, Webhook or other?

I assume that GKE uses the secured option, which is authentication: anonymous: enabled: true and authorization: mode: Webhook; in this case you need to use a user with permissions.

You can do it with the kubeconfig file, which usually has the admin user, like this:

kubeletctl -k ~/.kube/config -s <target_node_ip>

Another option is to use a user that has permissions, along with its certificates:

kubeletctl pods -s <node_ip> --cacert /etc/kubernetes/pki/ca.crt --cert <user_cert> --key <user_key>

Currently we do not support token authentication and authorization.

Let me know if it helps you.

renghen commented 3 years ago

I got a tls: failed to find any PEM data in certificate input

kinda lost here :(

g3rzi commented 3 years ago

Does it work if you use the kube config file?

renghen commented 3 years ago

no it does not, but kubectl works fine

I am kinda lost here

g3rzi commented 3 years ago

What are the settings of the /var/lib/kubelet/config.yaml? Specifically the settings under authentication: anonymous: enabled: and authorization: mode:.

Can you show me the command you run + the output?

renghen commented 3 years ago

hi

I do not have a /var/lib/kubelet/config.yaml

and the command is kubeletctl configz -k ~/.kube/config the output is 2020/07/23 13:00:43 tls: failed to find any PEM data in certificate input

g3rzi commented 3 years ago

Can you verify your CA bundle (section of the certificates) in the config YAML is the base64-encoded version of the PEM-bundle (so that base-64-decoding what is in the YAML/JSON displays PEM content)?

For example, the certificate-authority-data, client-certificate-data and client-key-data should be in base64.

When you base64-decode the CA bundle content, do you get PEM content like this:

-----BEGIN CERTIFICATE-----
MIID...

g3rzi commented 3 years ago

@renghen Any update?

renghen commented 3 years ago

I do not have the users part for the certificate. That is, I do not have client-certificate-data.

g3rzi commented 1 year ago

@renghen can you share the structure of your config file? Sorry for the late response, we were able to reproduce it and fix it. We found that the issue is caused by wrong data in the config file.

g3rzi commented 1 year ago

We are closing it for now. If it happens again, please share the structure of your config file; the problem seems to be with a wrong config structure or wrong PEM inside it.
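
Added example, not part of the thread and not kubeletctl's own code: a Go check for the condition discussed above, run on a kubeconfig in JSON form (for instance the output of kubectl config view --raw -o json). The sample document and the names sample, entry, decode and CheckKubeconfig are constructed for illustration. That kubeletctl loads the key pair through crypto/tls's X509KeyPair is an assumption, made because the reported message matches that function's error text.

```go
package main

import (
	"crypto/tls"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// Constructed sample (JSON form): CA is not PEM, user has no client cert/key.
const sample = `{"clusters":[{"name":"demo","cluster":{"certificate-authority-data":
  "bm90IGEgUEVNIGJ1bmRsZQ=="}}],"users":[{"name":"demo-user","user":{}}]}`

type entry struct {
	Name          string
	Cluster, User map[string]interface{}
}

// decode returns the bytes behind a base64 field; absent or invalid gives none.
func decode(m map[string]interface{}, field string) []byte {
	s, _ := m[field].(string)
	raw, _ := base64.StdEncoding.DecodeString(s)
	return raw
}

// CheckKubeconfig returns one finding per CA bundle or key pair that fails.
func CheckKubeconfig(data []byte) (out []string, err error) {
	var kc struct{ Clusters, Users []entry }
	if err = json.Unmarshal(data, &kc); err != nil {
		return nil, err
	}
	for _, c := range kc.Clusters {
		if b, _ := pem.Decode(decode(c.Cluster, "certificate-authority-data")); b == nil {
			out = append(out, c.Name+": certificate-authority-data holds no PEM block")
		}
	}
	for _, u := range kc.Users {
		cert, key := decode(u.User, "client-certificate-data"), decode(u.User, "client-key-data")
		if _, err := tls.X509KeyPair(cert, key); err != nil { // standard-library loader
			out = append(out, u.Name+": "+err.Error())
		}
	}
	return out, nil
}

func main() {
	fmt.Println(CheckKubeconfig([]byte(sample)))
}
```

A user entry that carries no client-certificate-data produces the same tls message reported in this thread, which is why the check flags it per user rather than per file.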