kubernetes / kubeadm

Aggregator for issues filed against kubeadm
Apache License 2.0

Kubeadm repeats the IP and domain name when creating the certificate #1959

Closed system51 closed 4 years ago

system51 commented 4 years ago

Is this a request for help?

yup

What keywords did you search in kubeadm issues before filing this one?

I tried before

Is this a BUG REPORT or FEATURE REQUEST?

BUG

Versions

kubeadm version (use kubeadm version):

kubeadm version: &version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.6", GitCommit:"7015f71e75f670eb9e7ebd4b5749639d42e20079", GitTreeState:"clean", BuildDate:"2019-12-05T07:57:05Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}

Environment:

    CENTOS_MANTISBT_PROJECT="CentOS-7"
    CENTOS_MANTISBT_PROJECT_VERSION="7"
    REDHAT_SUPPORT_PRODUCT="centos"
    REDHAT_SUPPORT_PRODUCT_VERSION="7"


- **Kernel** (e.g. `uname -a`):

    [root@k8s-m1 pki]# uname -a
    Linux k8s-m1 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux


- **Others**:
nothing

## What happened?
The certificate generated when I used this custom initialization profile has duplicate IP and domain names

    openssl x509 -in apiserver.crt -text -noout

    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage: 
            TLS Web Server Authentication
        X509v3 Subject Alternative Name: 
            DNS:k8s-m1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:k8s-m1, DNS:k8s-m2, DNS:k8s-m3, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:10.15.1.17, IP Address:10.15.1.250, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:10.15.1.250, IP Address:10.15.1.17, IP Address:10.15.1.18, IP Address:10.15.1.19

## What you expected to happen?
I don't want it to have duplicate IPs and domain names

## How to reproduce it (as minimally and precisely as possible)?
Use the following initialization file to build a cluster

    apiVersion: kubeadm.k8s.io/v1beta2
    kind: ClusterConfiguration
    imageRepository: gcr.azk8s.cn/google_containers
    kubernetesVersion: v1.15.6
    certificatesDir: /etc/kubernetes/pki
    clusterName: kubernetes
    networking:
      dnsDomain: cluster.local
      serviceSubnet: 10.96.0.0/12
      podSubnet: 10.244.0.0/16
    controlPlaneEndpoint: 10.15.1.250:8443
    apiServer:
      # https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2#APIServer
      timeoutForControlPlane: 4m0s
      extraArgs:
        authorization-mode: "Node,RBAC"
        enable-admission-plugins: "NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeClaimResize,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,Priority,PodPreset"
        runtime-config: api/all,settings.k8s.io/v1alpha1=true
        storage-backend: etcd3
        etcd-servers: https://10.15.1.17:2379,https://10.15.1.18:2379,https://10.15.1.19:2379
        etcd-cafile: /etc/kubernetes/pki/etcd/ca.crt
        etcd-certfile: /etc/kubernetes/pki/apiserver-etcd-client.crt
        etcd-keyfile: /etc/kubernetes/pki/apiserver-etcd-client.key
      certSANs:



## Anything else we need to know?
nothing

neolit123 commented 4 years ago

the duplication happens because you are defining them here:

  certSANs:
  - 10.96.0.1 
  - 127.0.0.1 
  - 10.15.1.250
  - localhost
  - 10.15.1.17
  - 10.15.1.18
  - 10.15.1.19
  - k8s-m1
  - k8s-m2
  - k8s-m3 
  - kubernetes
  - kubernetes.default 
  - kubernetes.default.svc 
  - kubernetes.default.svc.cluster.local

try removing the ones that are duplicated from the above list and it should work

/triage support

system51 commented 4 years ago

> the duplication happens because you are defining them here:
>
>       certSANs:
>       - 10.96.0.1
>       - 127.0.0.1
>       - 10.15.1.250
>       - localhost
>       - 10.15.1.17
>       - 10.15.1.18
>       - 10.15.1.19
>       - k8s-m1
>       - k8s-m2
>       - k8s-m3
>       - kubernetes
>       - kubernetes.default
>       - kubernetes.default.svc
>       - kubernetes.default.svc.cluster.local
>
> try removing the ones that are duplicated from the above list and it should work
>
> /triage support

Since I use haproxy+keepalived to set up the high availability, if I delete the VIP address and these IP definitions, will it affect our use of the cluster?

neolit123 commented 4 years ago

kubeadm already adds some of these.

system51 commented 4 years ago

> kubeadm already adds some of these.

Yes, I found that it had added some, and I tried to modify the certificate section definition in my initialization, but I found that one seemed to be missing: kubernetes.default.svc.cluster. I looked at PKI certificates and requirements in the official website best practices.

  certSANs:
  - 127.0.0.1 
  - localhost
  - 10.15.1.18
  - 10.15.1.19
  - k8s-m2
  - k8s-m3

neolit123 commented 4 years ago

^ this list looks fine. kubernetes.default.svc.cluster is not required to be added on the kubeadm side.

i'm not convinced that we have a kubeadm bug here. /close

k8s-ci-robot commented 4 years ago

@neolit123: Closing this issue.

In response to [this](https://github.com/kubernetes/kubeadm/issues/1959#issuecomment-564024942):

> ^ this list looks fine.
> `kubernetes.default.svc.cluster` is not required to be added on the kubeadm side.
>
> i'm not convinced that we have a kubeadm bug here.
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
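As an added example (not code from the issue thread or from kubeadm itself), the following Python script does the two checks discussed above: it parses the `X509v3 Subject Alternative Name` line from `openssl x509 -text -noout` output and reports every entry that appears more than once, and it derives the SANs kubeadm puts on `apiserver.crt` on its own so that the redundant entries in a user's `certSANs` list can be dropped before `kubeadm init`. The default set used here (the node name, the in-cluster `kubernetes*` names, the first address of the service subnet, the advertise address and the `controlPlaneEndpoint` host) is inferred from the certificate output posted in the issue and is an assumption; the function names and the embedded sample data are mine, the sample being copied from the issue's output and configuration.

```python
import ipaddress
from collections import Counter

# Constructed sample: the SAN line from the issue's `openssl x509 -text -noout` output.
SAN_LINE = (
    "DNS:k8s-m1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, "
    "DNS:kubernetes.default.svc.cluster.local, DNS:localhost, DNS:k8s-m1, DNS:k8s-m2, "
    "DNS:k8s-m3, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, "
    "DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:10.15.1.17, "
    "IP Address:10.15.1.250, IP Address:10.96.0.1, IP Address:127.0.0.1, IP Address:10.15.1.250, "
    "IP Address:10.15.1.17, IP Address:10.15.1.18, IP Address:10.15.1.19"
)

# Constructed sample: the certSANs list the reporter had in ClusterConfiguration.
USER_CERT_SANS = [
    "10.96.0.1", "127.0.0.1", "10.15.1.250", "localhost",
    "10.15.1.17", "10.15.1.18", "10.15.1.19",
    "k8s-m1", "k8s-m2", "k8s-m3",
    "kubernetes", "kubernetes.default", "kubernetes.default.svc",
    "kubernetes.default.svc.cluster.local",
]


def parse_san_line(line):
    """Split an openssl SAN line into (type, value) tuples, e.g. ('DNS', 'k8s-m1')."""
    entries = []
    for item in line.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        entries.append((kind.strip(), value.strip()))
    return entries


def find_duplicates(entries):
    """Return sorted (type, value, count) for every SAN that occurs more than once."""
    counts = Counter(entries)
    return sorted((kind, value, n) for (kind, value), n in counts.items() if n > 1)


def _endpoint_host(endpoint):
    """Strip the port from a controlPlaneEndpoint such as '10.15.1.250:8443' or '[::1]:6443'."""
    if endpoint.startswith("["):
        return endpoint[1:endpoint.index("]")]
    host, _, _ = endpoint.rpartition(":")
    return host or endpoint


def kubeadm_default_sans(node_name, dns_domain, service_subnet, advertise_address,
                         control_plane_endpoint=None):
    """SANs kubeadm adds to apiserver.crt by itself.

    Assumption (inferred from the certificate output in the issue): the node name, the
    in-cluster service names, the first usable IP of the service subnet, the advertise
    address, and the controlPlaneEndpoint host when one is configured.
    """
    sans = {
        node_name,
        "kubernetes",
        "kubernetes.default",
        "kubernetes.default.svc",
        "kubernetes.default.svc." + dns_domain,
        str(ipaddress.ip_network(service_subnet)[1]),  # 10.96.0.0/12 -> 10.96.0.1
        advertise_address,
    }
    if control_plane_endpoint:
        sans.add(_endpoint_host(control_plane_endpoint))
    return sans


def trim_cert_sans(user_sans, defaults):
    """Split a certSANs list into (kept, redundant), preserving the user's order."""
    kept = [s for s in user_sans if s not in defaults]
    redundant = [s for s in user_sans if s in defaults]
    return kept, redundant


if __name__ == "__main__":
    for kind, value, n in find_duplicates(parse_san_line(SAN_LINE)):
        print(f"duplicate SAN: {kind}:{value} (x{n})")
    defaults = kubeadm_default_sans("k8s-m1", "cluster.local", "10.96.0.0/12",
                                    "10.15.1.17", "10.15.1.250:8443")
    kept, redundant = trim_cert_sans(USER_CERT_SANS, defaults)
    print("already added by kubeadm, drop from certSANs:", redundant)
    print("keep in certSANs:", kept)
```

Run against the issue's data, the duplicate report lists the eight entries that occur twice, and the trimmed list is exactly the six entries the reporter ended up with (`127.0.0.1`, `localhost`, `10.15.1.18`, `10.15.1.19`, `k8s-m2`, `k8s-m3`). Duplicate SANs are harmless to TLS clients, which is why this is a configuration tidy-up rather than a security fix; the useful check for an operator is the reverse one, confirming that every address clients actually connect through (here the keepalived VIP and the extra control-plane nodes) is still covered after trimming.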