Do you know why apiserver can't connect to kubelet with the server's 
certificate and must use a newly generated certificate to make it work?

On Thursday, May 4, 2017 at 5:01:12 PM UTC+8, Qian Zhang wrote:
>
> I have figured it out, for kube-apiserver's flags 
> "--kubelet-client-certificate" and "--kubelet-client-key", I should 
> generate a pair of client cert/key rather than server's.
>
>
> Regards,
> Qian Zhang
>
> On Thu, May 4, 2017 at 10:41 AM, Qian Zhang <[email protected]> wrote:
>
>> Thanks Brandon!
>>
>>> 10255 is the "read-only" port, to disable it remove --read-only-port 
>>> from kubelet config.
>>
>>
>> Based on https://kubernetes.io/docs/admin/kubelet/, I think, to disable 
>> it, I should set "--read-only-port" to 0.
>>
>> Now I have added these flags "--read-only-port=0 
>> --client-ca-file=/var/lib/kubelet/ca.crt --authentication-token-webhook 
>> --anonymous-auth=false" to start kubelet, the command "curl --insecure 
>> https://<node-IP>:10250/spec/" does not work anymore (it shows an error 
>> "Unauthorized") which is what I expect, and I also restarted Heapster with 
>> this flag 
>> "--source=kubernetes.summary_api:https://kubernetes.default?kubeletHttps=true&kubeletPort=10250&insecure=true" 
>> so that it can connect to kubelet's 10250 port.
>>
>> The only issue is that kube-apiserver can not connect to kubelet anymore:
>> $ kubectl logs <pod-name> <container-name> --namespace=kube-system
>> error: You must be logged in to the server (the server has asked for the 
>> client to provide credentials)
>>
>> I have specified "--kubelet-client-certificate=/etc/cfc/conf/server.cert 
>> --kubelet-client-key=/etc/cfc/conf/server.key" to start kube-apiserver, 
>> maybe the files I specified here are not correct?
>>
>>
>>
>> Regards,
>> Qian Zhang
>>
>> On Thu, May 4, 2017 at 5:39 AM, Brandon Philips <[email protected]> wrote:
>>
>>> Oh, there are docs here too: 
>>> https://kubernetes.io/docs/admin/kubelet-authentication-authorization/
>>>
>>> On Wed, May 3, 2017 at 1:35 PM Brandon Philips <[email protected]> wrote:
>>>
>>>> Hello Qian-
>>>>
>>>> 10255 is the "read-only" port, to disable it remove --read-only-port 
>>>> from kubelet config.
>>>>
>>>> To configure authentication on the kubelet port use --client-ca-file. 
>>>> The API server has flags to authenticate using these CAs: 
>>>> https://github.com/coreos/tectonic-installer/blob/master/modules/bootkube/resources/manifests/kube-apiserver.yaml#L45-L46
>>>>
>>>> Hope that helps.
>>>>
>>>> Brandon
>>>>
>>>> On Wed, May 3, 2017 at 7:38 AM Qian Zhang <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have a Kubernetes cluster, and currently the kubelet listens on two 
>>>>> ports: 10250 and 10255; if I understand correctly, 10250 serves https and 
>>>>> 10255 serves http. Now I can always run the following command to access 
>>>>> kubelet:
>>>>>     curl http://<node-IP>:10255/spec/
>>>>> And this command even for the https port:
>>>>>     curl --insecure https://<node-IP>:10250/spec/
>>>>>
>>>>> This is not secure to me, I do not want to expose the http port, so I 
>>>>> think I should start kubelet with the flag "--read-only-port=0" to disable 
>>>>> 10255, and for the https port (10250), I do not want anonymous users to 
>>>>> access it, and in the meantime I still want kube-apiserver to be able to 
>>>>> access kubelet (e.g., when I run "kubectl logs ...", kube-apiserver can 
>>>>> still talk to kubelet to get logs), and I also want Heapster (running as a 
>>>>> deployment in my Kubernetes cluster) to still be able to access kubelet to 
>>>>> get metrics. Can anyone please let me know what other flags I should 
>>>>> specify to start kubelet?
>>>>>
>>>>>
>>>>> Thanks,
>>>>> Qian
>>>>>
>>>>> -- 
>>>>> You received this message because you are subscribed to the Google 
>>>>> Groups "Kubernetes user discussion and Q&A" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send 
>>>>> an email to [email protected] <javascript:>.
>>>>> To post to this group, send email to [email protected] 
>>>>> <javascript:>.
>>>>> Visit this group at https://groups.google.com/group/kubernetes-users.
>>>>> For more options, visit https://groups.google.com/d/optout.
>>>>>
>>
>>
>

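The thread's root cause (a server certificate handed to kube-apiserver as its kubelet client credential) comes down to TLS client authentication rules: once kubelet runs with --client-ca-file, the certificate kube-apiserver presents must chain to that CA and must be valid for client authentication (the clientAuth extended key usage), which a certificate issued for serverAuth only is not. The Go program below is an added example written for this page, not code from the thread, Kubernetes, or Tectonic. It builds a throwaway CA, issues one serverAuth-only certificate and one clientAuth certificate from it, and runs both through a verification modelled on the kubelet's check (the kubeletAccepts function is an illustration of that check, not the kubelet's own code). The names example-ca, kube-apiserver and kube-apiserver-kubelet-client are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a key pair and a certificate for cn carrying the given
// extended key usages. With caCert == nil the certificate is self-signed
// (used for the CA); otherwise it is signed by caCert/caKey.
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage,
	caCert *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		// A CA must be allowed to sign certificates, otherwise chain building fails.
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signer := tmpl, key
	if caCert != nil {
		parent, signer = caCert, caKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// kubeletAccepts models (it is not the kubelet's code) the check a kubelet
// started with --client-ca-file performs on the certificate kube-apiserver
// presents: it must chain to the CA and be valid for client authentication.
func kubeletAccepts(ca, presented *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Compare builds one CA and two leaf certificates signed by it: a server
// certificate (serverAuth only, the situation from the thread) and a proper
// client certificate (clientAuth). It reports whether each one is accepted.
func Compare() (serverAccepted, clientAccepted bool, err error) {
	ca, caKey, err := issue("example-ca", true, nil, nil, nil)
	if err != nil {
		return false, false, err
	}
	serverCert, _, err := issue("kube-apiserver", false,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	if err != nil {
		return false, false, err
	}
	clientCert, _, err := issue("kube-apiserver-kubelet-client", false,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	if err != nil {
		return false, false, err
	}
	return kubeletAccepts(ca, serverCert), kubeletAccepts(ca, clientCert), nil
}

func main() {
	s, c, err := Compare()
	if err != nil {
		panic(err)
	}
	fmt.Printf("server cert (serverAuth) accepted as client: %v\n", s) // false
	fmt.Printf("client cert (clientAuth) accepted as client: %v\n", c) // true
}
```

Both leaves are signed by the same CA, so the only difference the verifier sees is the extended key usage; that is the property to inspect (for a PEM file, the "X509v3 Extended Key Usage" line of `openssl x509 -text`) when kubelet answers "Unauthorized" to kube-apiserver even though the certificate chains correctly. The same clientAuth requirement applies to whatever certificate Heapster or any other in-cluster client presents to port 10250 once anonymous access is off.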