Open NoMoneyToRaisePigs opened 2 years ago
You can refer to the kube-scheduler pod and kube-controller pod installed and configured by kubeadm; they have the hosts localhost and 127.0.0.1 at least. Checked on my k8s cluster installed by kubeadm:
```
echo | openssl s_client -showcerts -connect 127.0.0.1:10259 2>/dev/null | openssl x509 -noout -text | grep -A5 'X509v3 Subject'
X509v3 Subject Alternative Name:
    DNS:localhost, IP Address:127.0.0.1, IP Address:127.0.0.1
```

```
echo | openssl s_client -showcerts -connect 127.0.0.1:10257 2>/dev/null | openssl x509 -noout -text | grep -A5 'X509v3 Subject'
X509v3 Subject Alternative Name:
    DNS:localhost, IP Address:127.0.0.1, IP Address:127.0.0.1
```
Supplement: there are two kinds of cert. One is the client cert for kube-apiserver (configured in /etc/kubernetes/controller-manager.conf, client-certificate-data:); the other is "self server tls", set by the options --tls-cert-file and --tls-private-key-file. Sometimes they can be combined and used :)
@dyrnq Thanks for your reply. So that basically means the kube-controller-manager and kube-scheduler do not serve anyone except themselves, as you said "self server tls", and the SANs localhost and 127.0.0.1 are for the purpose of self-serving, aren't they?
YES, self server TLS. The SANs localhost and 127.0.0.1 are for the https health check.
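As an added example, not code from this thread or from kubeadm: the same SAN check carried out offline. The script generates a self-signed serving certificate with the SANs kubeadm gives these components (DNS:localhost and IP:127.0.0.1), lists the SANs with openssl x509 the way the commands above do, and checks whether a given health-check address is covered by the certificate. The file names tls.crt and tls.key, the temp directory and the test addresses are constructed for the demo; the -addext flag needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the issue thread. Builds a self-signed serving
# cert with the SANs kubeadm uses for kube-scheduler/kube-controller-manager
# (DNS:localhost, IP:127.0.0.1) and checks which addresses it covers.
# File names and directories are constructed for the demo; -addext needs
# OpenSSL 1.1.1 or newer.

# make_serving_cert DIR: write DIR/tls.key and DIR/tls.crt (assumed names).
make_serving_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=kube-scheduler" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
    -keyout "$1/tls.key" -out "$1/tls.crt" >/dev/null 2>&1
}

# _sans_from_text: read `openssl x509 -text` output on stdin and print the SAN
# entries one per line, in openssl's own spelling ("DNS:localhost",
# "IP Address:127.0.0.1"). Prints nothing if the cert has no SAN extension.
_sans_from_text() {
  grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep .
}

# cert_sans CERT: SAN entries of a PEM certificate file.
cert_sans() {
  openssl x509 -in "$1" -noout -text | _sans_from_text
}

# endpoint_sans HOST:PORT: SAN entries of the cert a live listener presents,
# as the thread does for 127.0.0.1:10259 and 127.0.0.1:10257 (not run here).
endpoint_sans() {
  echo | openssl s_client -showcerts -connect "$1" 2>/dev/null \
    | openssl x509 -noout -text | _sans_from_text
}

# cert_covers CERT HOST: exit 0 if HOST (DNS name or IP literal) is listed in
# the SAN extension, 1 otherwise. A health checker connecting to HOST over
# https effectively asks exactly this before trusting the serving cert.
cert_covers() {
  cert_sans "$1" | grep -qxF -e "DNS:$2" -e "IP Address:$2"
}

# Demo with constructed values: generate a cert in a temp dir, list its SANs,
# then check a loopback name, a loopback IP and an unrelated pod IP.
demo() {
  dir=$(mktemp -d)
  make_serving_cert "$dir"
  cert_sans "$dir/tls.crt"
  for h in localhost 127.0.0.1 10.0.0.5; do
    if cert_covers "$dir/tls.crt" "$h"; then
      echo "$h: covered"
    else
      echo "$h: NOT covered"
    fi
  done
  rm -rf "$dir"
}
demo
```

Only the loopback entries are covered, which is the point of the answer above: a cert with just DNS:localhost and IP:127.0.0.1 is fine for the component's own https health check on 127.0.0.1, but nothing reaching it over a pod or node address would validate against it. To repeat the thread's live check, call endpoint_sans with the address, e.g. `endpoint_sans 127.0.0.1:10259`.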
Document version: K8S v1.16
Description: Just curious; I can't find the answer I want online. The cfssl-generated certificate CSR for the scheduler and controller manager has a hosts field. If the scheduler and controller only act as clients accessing the api-server and do not provide any service externally, do they still need the hosts field??
Or is my understanding wrong? Do the scheduler and controller actually also need https access to each other? As far as I know they only access the api-server and do not provide services externally.