mkokho / kubemrr

For blazingly fast kubernetes ops
Apache License 2.0

kubemrr watch: x509: certificate signed by unknown authority #7

Open kenden opened 7 years ago

kenden commented 7 years ago

When running kubemrr watch test or kubemrr watch https://kube-test.myserver.net

I get: Error: failed to ping server: Get https://kube-test.myserver.net/: x509: certificate signed by unknown authority

I am using insecure-skip-tls-verify: true in the kubeconfig file.

Steps taken:

$ kubemrr watch test
{"level":"info","msg":"created client","server":"https://kube-test.myserver.net","time":"2017-03-09T16:19:53.229"}
Error: failed to ping server: Get https://kube-test.myserver.net/: x509: certificate signed by unknown authority

$ cat ~/.kube/config
apiVersion: v1
clusters:
  - cluster:
      certificate-authority: certs/ca.pem
      server: https://kube-test.myserver.net
      insecure-skip-tls-verify: true
    name: kubernetes-test
contexts:
  - context:
      cluster: kubernetes-test
      namespace: default
      user: k8s-test-admin-user
    name: test_eu-west-1
current-context: prod_eu-west-1
kind: Config
preferences: {}
users:
  - name: k8s-test-admin-user
    user:
      client-certificate: certs/admin.pem
      client-key: certs/admin-key.pem

$ kubemrr watch https://kube-test.myserver.net
{"level":"info","msg":"created client","server":"https://kube-test.myserver.net","time":"2017-03-09T16:16:01.533"}
Error: failed to ping server: Get https://kube-test.myserver.net/: x509: certificate signed by unknown authority

Versions:

$ kubemrr
kubemrr-1.3.0
$ uname -a
Darwin apollo 16.4.0 Darwin Kernel Version 16.4.0: Thu Dec 22 22:53:21 PST 2016; root:xnu-3789.41.3~3/RELEASE_X86_64 x86_64
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.2", GitCommit:"08e099554f3c31f6e6f07b448ab3ed78d0520507", GitTreeState:"clean", BuildDate:"2017-01-12T04:57:25Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.2+coreos.1", GitCommit:"3ed7d0f453a5517245d32a9c57c39b946e578821", GitTreeState:"clean", BuildDate:"2017-01-18T01:43:45Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}
marianogappa commented 7 years ago

@kenden Could this be related to https://github.com/mkokho/kubemrr/issues/6?

kenden commented 7 years ago

@marianogappa That looks similar. My cluster is not on Azure, but I don't think it matters.

Moulick commented 5 years ago

I have kind of the same error; the cluster is on Amazon EKS. Is it possible to get this working on EKS?

Amazon EKS uses aws-iam-authenticator for auth in the cluster.

I am really interested in getting kubemrr working. This could really speed up my daily work.

Moulick commented 5 years ago

Does kubemrr get its data via kubectl, or does it call the API server directly? @mkokho

marianogappa commented 5 years ago

> Does kubemrr get its data via kubectl, or does it call the API server directly? @mkokho

API: https://github.com/mkokho/kubemrr/blob/master/app/kube_client.go#L76

weibeld commented 5 years ago

I get the same error on macOS for clusters on Amazon EKS and GKE. It seems the tool doesn't correctly recognise the API server CA certificate that is embedded in the kubeconfig file.

If in the kubeconfig file, I replace the certificate-authority-data: <DATA> field with insecure-skip-tls-verify: true, then the error is gone and the connection succeeds.

But then, there is an authorisation error:

Error: failed to ping server: unexpected status for GET https://34.73.33.83/: 403 Forbidden {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/\"","reason":"Forbidden","details":{},"code":403}

It seems the tool is using the system:anonymous user, and if your cluster uses RBAC, this user doesn't have permission to access most resources.

If I temporarily give full permissions to the system:anonymous user, the kubemrr watch command works, but completion for the individual resources (pods, services, etc.) doesn't work. It just displays the files in the current directory.
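The thread turns on two kubeconfig details: the opening report pairs `certificate-authority` with `insecure-skip-tls-verify: true` (and still gets "certificate signed by unknown authority"), and the later EKS/GKE report shows that once `certificate-authority-data` is dropped the connection succeeds but the server sees `system:anonymous`. The Go program below is an added example, not kubemrr's own code, showing how a client should resolve those fields into a `tls.Config`: embedded `*-data` wins over a file path, relative paths resolve against the kubeconfig's directory, a pinned CA goes into `RootCAs`, the contradictory skip-verify-plus-CA combination is rejected outright, and a missing client certificate/key pair is made explicit because that is exactly what produces the `system:anonymous` 403. The `Cluster`/`User` structs, `TLSConfigFor`, `loadPEM` and the throwaway `NewSelfSignedCert` helper are all assumptions of this example; the self-signed certificate it generates stands in for a real cluster CA so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// Cluster and User carry the kubeconfig keys that decide how the client verifies the
// API server and identifies itself (hypothetical structs, not kubemrr's). "*Data"
// fields are the base64 PEM variants; the others are paths relative to the kubeconfig.
type Cluster struct {
	Server, CertificateAuthority, CertificateAuthorityData string
	InsecureSkipTLSVerify                                  bool
}

type User struct {
	ClientCertificate, ClientKey, ClientCertificateData, ClientKeyData string
}

// loadPEM prefers embedded data over a file, resolving relative paths against the
// kubeconfig's directory. Returns nil, nil when neither is set.
func loadPEM(kubeconfigDir, file, data string) ([]byte, error) {
	switch {
	case data != "":
		return base64.StdEncoding.DecodeString(data)
	case file == "":
		return nil, nil
	case !filepath.IsAbs(file):
		file = filepath.Join(kubeconfigDir, file)
	}
	return os.ReadFile(file)
}

// TLSConfigFor resolves a cluster entry and its user entry into a tls.Config.
func TLSConfigFor(kubeconfigDir string, c Cluster, u User) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	switch {
	case c.InsecureSkipTLSVerify && (c.CertificateAuthority != "" || c.CertificateAuthorityData != ""):
		// Contradictory settings (as in the opening report): refuse rather than silently pick one.
		return nil, errors.New("insecure-skip-tls-verify set together with certificate-authority(-data)")
	case c.InsecureSkipTLSVerify:
		cfg.InsecureSkipVerify = true // server identity unchecked: anyone on path can impersonate the API server
	default:
		caPEM, err := loadPEM(kubeconfigDir, c.CertificateAuthority, c.CertificateAuthorityData)
		if err != nil {
			return nil, fmt.Errorf("certificate-authority: %w", err)
		}
		if caPEM != nil { // absent: RootCAs stays nil and the system roots apply
			pool := x509.NewCertPool()
			if !pool.AppendCertsFromPEM(caPEM) {
				return nil, errors.New("certificate-authority holds no certificates")
			}
			cfg.RootCAs = pool // trust only the cluster CA, which system roots would reject as "unknown authority"
		}
	}
	certPEM, err := loadPEM(kubeconfigDir, u.ClientCertificate, u.ClientCertificateData)
	if err != nil {
		return nil, fmt.Errorf("client-certificate: %w", err)
	}
	keyPEM, err := loadPEM(kubeconfigDir, u.ClientKey, u.ClientKeyData)
	if err != nil {
		return nil, fmt.Errorf("client-key: %w", err)
	}
	switch {
	case certPEM == nil && keyPEM == nil:
		// No client credential at all: the API server will treat every request as system:anonymous.
	case certPEM == nil || keyPEM == nil:
		return nil, errors.New("client-certificate and client-key must be given together")
	default:
		pair, err := tls.X509KeyPair(certPEM, keyPEM)
		if err != nil {
			return nil, fmt.Errorf("client key pair: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil
}

// NewSelfSignedCert makes a throwaway self-signed CA so the example runs offline;
// a real kubeconfig carries the cluster's CA instead.
func NewSelfSignedCert() (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key generated just above
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}
```

Used from `http.Transport{TLSClientConfig: cfg}`, a config built this way keeps the CA pinned (so no "unknown authority" error) while still presenting the client certificate; dropping the CA data and setting `insecure-skip-tls-verify: true`, as the EKS/GKE report did, only removes the server check and does nothing for the missing client identity.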