kubernetes-sigs / metrics-server

Scalable and efficient source of container resource metrics for Kubernetes built-in autoscaling pipelines.
https://kubernetes.io/docs/tasks/debug-application-cluster/resource-metrics-pipeline/
Apache License 2.0

Correct configuration for "the hard way" / manual configuration? Error: failed to verify certificate [...] doesn't contain any IP SANs #1588

Open erikschul opened 4 weeks ago

erikschul commented 4 weeks ago

Given that numerous people seem to fail to configure metrics-server without disabling TLS verification, I was hoping that you would help document how to configure it correctly when configuring Kubernetes manually (without kubeadm).

Error:

"Failed to scrape node" err="Get \"https://[1.2.3.4]:10250/metrics/resource\": tls: failed to verify certificate: x509: cannot validate certificate for [1.2.3.4] because it doesn't contain any IP SANs

I've tried creating a cluster-ca signed ca.crt/tls.key/tls.crt for metrics-server:

--kubelet-client-certificate=/certs/tls.crt
--kubelet-client-key=/certs/tls.key
--kubelet-certificate-authority=/certs/ca.crt

Node certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = X, ST = X, L = X, O = " CA", OU = X, CN = CA
        Validity
            Not Before: Oct 10 17:04:00 2024 GMT
            Not After : Oct  8 17:04:00 2034 GMT
        Subject: C = X, ST = X, L = X, O = system:nodes, OU = X, CN = system:node:node0
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    ...
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                ...
            X509v3 Authority Key Identifier: 
                ...
            X509v3 Subject Alternative Name: 
                DNS:node0, IP Address:[1.2.3.4]
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
      ...

KubeletConfiguration:

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.pem
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
  - 10.96.0.10
clusterDomain: "{{cluster_domain}}"
containerRuntimeEndpoint: "unix:///var/run/containerd/containerd.sock"
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
logging:
  flushFrequency: 0
  options:
    json:
      infoBufferSize: "0"
  verbosity: 1
  format: json
memorySwap: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
rotateCertificates: true
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s
serializeImagePulls: false
maxParallelImagePulls: 3

/etc/kubernetes/kubelet.conf

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ...
    server: https://127.0.0.1:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:node:node0
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: system:node:node0
  user:
    client-certificate-data: ...
    client-key-data: ...

k8s-ci-robot commented 4 weeks ago

This issue is currently awaiting triage.

If metrics-server contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.