opsnull / follow-me-install-kubernetes-cluster

Deploy a Kubernetes cluster with me, step by step

Do the Kube-Scheduler and Kube-Controller-Manager certificates need a hosts field? #638

Open NoMoneyToRaisePigs opened 2 years ago

NoMoneyToRaisePigs commented 2 years ago

Documentation version: K8S v1.16

Description: Just curious, and I could not find the answer online. The cfssl CSRs for the scheduler and controller-manager certificates contain a hosts field. If the scheduler and controller-manager only act as clients of the api-server and do not provide any service to the outside, is the hosts field still needed?

Or am I misunderstanding this? Do the scheduler and controller-manager actually also need to serve HTTPS for each other? As far as I know, they only access the api-server and do not serve anything themselves.

dyrnq commented 2 years ago

You can refer to the kube-scheduler pod and kube-controller-manager pod installed and configured by kubeadm; they have the hosts localhost and 127.0.0.1 at least.

Checked on my k8s cluster installed by kubeadm:

echo | openssl s_client -showcerts -connect 127.0.0.1:10259 2>/dev/null | openssl x509 -noout -text | grep -A5 'X509v3 Subject'
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1, IP Address:127.0.0.1
echo | openssl s_client -showcerts -connect 127.0.0.1:10257 2>/dev/null | openssl x509 -noout -text | grep -A5 'X509v3 Subject'
            X509v3 Subject Alternative Name:
                DNS:localhost, IP Address:127.0.0.1, IP Address:127.0.0.1

dyrnq commented 2 years ago

Supplement

There are two kinds of cert: one is the client cert for kube-apiserver (configured in /etc/kubernetes/controller-manager.conf as client-certificate-data:), the other is the component's own server TLS cert, set by the options --tls-cert-file and --tls-private-key-file.

sometimes they can be combined and used :)

NoMoneyToRaisePigs commented 2 years ago

@dyrnq Thanks for your reply. So that basically means the kube-controller-manager and kube-scheduler do not serve anyone except themselves, as you said "self server tls", and the SANs localhost and 127.0.0.1 are for the purpose of that self-serving, aren't they?

dyrnq commented 2 years ago

YES, the SANs localhost and 127.0.0.1 on the server TLS cert are for the HTTPS health check.
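To make the two kinds of cert concrete, here is an added Go example (not code from this repository or from kubeadm) that mints two self-signed test certificates with the standard crypto/x509 package and checks them the way a TLS client would. MintCert, FitForRole and the test certificates are my own constructions; the hosts parameter plays the role of the cfssl "hosts" field.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// MintCert is a stand-in for the cfssl CSR: cn becomes the CN, every entry of
// hosts (a DNS name or an IP literal) lands in the SAN. Self-signed, test only.
func MintCert(cn string, eku x509.ExtKeyUsage, hosts ...string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	for _, h := range hosts {
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// FitForRole answers the thread's question. serving=false is the kubeconfig client
// cert (client-certificate-data): it only needs the clientAuth EKU and nobody dials
// it, so pass no hosts. serving=true is the --tls-cert-file behind the HTTPS health
// check on 10257/10259: it needs serverAuth and a SAN covering every name dialed.
func FitForRole(cert *x509.Certificate, serving bool, hosts ...string) bool {
	want := x509.ExtKeyUsageClientAuth
	if serving {
		want = x509.ExtKeyUsageServerAuth
	}
	ok := false
	for _, u := range cert.ExtKeyUsage {
		ok = ok || u == want
	}
	for _, h := range hosts { // SAN only: the CN is not consulted by modern clients
		ok = ok && cert.VerifyHostname(h) == nil
	}
	return ok
}
```

A cert minted with no hosts passes as a client cert but fails as a serving cert for 127.0.0.1, which is exactly why kubeadm puts localhost and 127.0.0.1 into the serving cert and nothing into the client cert.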