mmumshad / kubernetes-the-hard-way

Bootstrap Kubernetes the hard way on Vagrant on Local Machine. No scripts.
Apache License 2.0

In 15-smoke-test.md for worker-node 2 I get certificate signed by unknown authority error #275

Closed johncleveland closed 2 years ago

johncleveland commented 2 years ago

In 15-smoke-test.md, if I try kubectl logs $POD_NAME I get Error from server: Get https://worker-2:10250/containerLogs/default/nginx-5c7588df-qnjb5/nginx: x509: certificate signed by unknown authority

There is a problem with the instructions for TLS Bootstrapping for worker node2.

Please advise, Thanks

codecio commented 2 years ago

Ran into this as well.

simonc6372 commented 2 years ago

This is due to the security problems of auto-signing a server cert. See the "note" section here https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/#certificate-rotation

The fix is to create a manual key & certificate and store them in /var/lib/kubelet/pki/kubelet.crt and /var/lib/kubelet/pki/kubelet.key.

fireflycons commented 2 years ago

Hi @johncleveland @codecio @simonc6372

We have now merged a major change to bring this to v1.24. This has been addressed as part of the upgrade. Please try it now and feel free to raise further issues.

Regarding worker-2, the idea is not to create manual certificates. With TLS bootstrapping, the cluster issues the certs to the new worker.
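
Added example, not part of the thread or the repository: a Go sketch of the check behind the reported error, verifying a kubelet serving certificate for worker-2 against a pool that trusts only the cluster CA. The helper names (`issue`, `verifyServing`), the subject names and all certificates are constructed for illustration; a self-signed certificate stands in for a serving certificate the cluster CA never issued.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate for cn; with parent == nil it is self-signed.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		DNSNames: []string{"worker-2"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed: the certificate is its own issuer
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyServing validates a serving cert for worker-2 as a client trusting only ca would.
func verifyServing(ca, serving *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := serving.Verify(x509.VerifyOptions{Roots: roots, DNSName: "worker-2"})
	return err
}

func main() {
	ca, caKey, _ := issue("KUBERNETES-CA", nil, nil)         // constructed cluster CA
	issued, _, _ := issue("system:node:worker-2", ca, caKey) // serving cert issued by the CA
	selfSigned, _, _ := issue("worker-2@self", nil, nil)     // cert the CA never signed
	fmt.Println(verifyServing(ca, issued), "|", verifyServing(ca, selfSigned))
}
```

On a live node, the same question is answered by comparing the issuer of the certificate served on port 10250 with the cluster CA and by checking `kubectl get csr` for a pending serving-certificate request from that node.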