The same CA is used for both the apiserver and the front-proxy. This goes against the upstream documentation [0]:
Note: There are a few setup requirements for getting the aggregation layer working in your environment to support mutual TLS auth between the proxy and extension apiservers. Kubernetes and the kube-apiserver have multiple CAs, so make sure that the proxy is signed by the aggregation layer CA and not by something else, like the master CA.
It also causes these warnings to flood the apiserver log:
{"log":"W0814 16:06:52.867689 1 x509.go:172] x509: subject with cn=system:kube-scheduler is not in the allowed list: [front-proxy-client]\n","stream":"stderr","time":"2018-08-14T16:06:52.869192486Z"}
{"log":"W0814 16:06:52.950017 1 x509.go:172] x509: subject with cn=system:kube-controller-manager is not in the allowed list: [front-proxy-client]\n","stream":"stderr","time":"2018-08-14T16:06:52.950325222Z"}
{"log":"W0814 16:06:52.957534 1 x509.go:172] x509: subject with cn=system:kube-controller-manager is not in the allowed list: [front-proxy-client]\n","stream":"stderr","time":"2018-08-14T16:06:52.957812681Z"}
{"log":"W0814 16:06:53.150775 1 x509.go:172] x509: subject with cn=system:kube-controller-manager is not in the allowed list: [front-proxy-client]\n","stream":"stderr","time":"2018-08-14T16:06:53.151039842Z"}
{"log":"W0814 16:06:54.874662 1 x509.go:172] x509: subject with cn=system:kube-scheduler is not in the allowed list: [front-proxy-client]\n","stream":"stderr","time":"2018-08-14T16:06:54.87504185Z"}
{"log":"W0814 16:06:54.878918 1 x509.go:172] x509: subject with cn=system:kube-scheduler is not in the allowed list: [front-proxy-client]\n","stream":"stderr","time":"2018-08-14T16:06:54.879200715Z"}
{"log":"W0814 16:06:54.964448 1 x509.go:172] x509: subject with cn=system:kube-controller-manager is not in the allowed list: [front-proxy-client]\n","stream":"stderr","time":"2018-08-14T16:06:54.965635138Z"}
{"log":"W0814 16:06:54.972591 1 x509.go:172] x509: subject with cn=system:kube-controller-manager is not in the allowed list: [front-proxy-client]\n","stream":"stderr","time":"2018-08-14T16:06:54.974010024Z"}
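As an added illustration (not code from this report or from Kubernetes), the following Go model of the request-header authenticator's allowed-names check, using constructed test certificates, shows why reusing the cluster CA as the front-proxy CA makes the scheduler's cluster-CA-issued client certificate trip the check, while a dedicated front-proxy CA leaves it to the regular client-certificate authenticator. The function names, the CA common names and the direct-issuer signature check are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert makes constructed test certs (not cluster PKI): a self-signed CA when parent is nil, else a client cert issued by parent.
func mkCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { // self-signed: the CA signs its own certificate
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// frontProxyCheck models the request-header authenticator's allowed-names check (direct-issuer check here; the real one builds a full chain). "" means no warning.
func frontProxyCheck(cert, frontProxyCA *x509.Certificate, allowed []string) string {
	if cert.CheckSignatureFrom(frontProxyCA) != nil {
		return "" // not issued by the front-proxy CA: left to the other authenticators
	}
	for _, cn := range allowed {
		if cn == cert.Subject.CommonName {
			return ""
		}
	}
	return fmt.Sprintf("x509: subject with cn=%s is not in the allowed list: %v", cert.Subject.CommonName, allowed)
}
// schedulerWarning reproduces the report: the scheduler's cluster-CA-issued cert trips the check only when that CA is also the front-proxy CA.
func schedulerWarning(sharedCA bool) string {
	clusterCA, clusterKey := mkCert("kubernetes", nil, nil)
	frontProxyCA := clusterCA // the misconfiguration from the report: one CA for both roles
	if !sharedCA {
		frontProxyCA, _ = mkCert("front-proxy-ca", nil, nil) // dedicated CA, as upstream requires
	}
	scheduler, _ := mkCert("system:kube-scheduler", clusterCA, clusterKey)
	return frontProxyCheck(scheduler, frontProxyCA, []string{"front-proxy-client"})
}
```

schedulerWarning(true) returns exactly the warning text from the log above, schedulerWarning(false) returns an empty string, and a client certificate with CN front-proxy-client issued by the front-proxy CA passes the check silently.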
[0] https://kubernetes.io/docs/tasks/access-kubernetes-api/configure-aggregation-layer/