Kubernetes kube-dns TLS certificate validation

0
votes

I'm using kubernetes v1.5.2, and have implemented api over tls. Problem is that while deploying kube-dns I'm getting message on minion as:

Mar 23 10:06:27 node01 journal: I0323 09:06:27.007407       1 dns.go:172]   Ignoring error while waiting for service default/kubernetes: Get  https://10.254.0.1:443/api/v1/namespaces/default/services/kubernetes: x509: cannot validate certificate for 10.254.0.1 because it doesn't contain any IP SANs. Sleeping 1s before retrying.

I've tried by using curl, from another pod and it fails without --insecure switch, whit it it is ok.

I understand that 10.254.0.1:443 actually serves certificate from master node (api on port 6443)(192.168.0.200), but how to resolve it, that 10.254.0.1 serves its valid certificate.

Here is description from clusterip api: [root@master01 dns]# kubectl describe service kubernetes Name: kubernetes Namespace: default Labels: component=apiserver provider=kubernetes Selector: Type: ClusterIP IP: 10.254.0.1 Port: https 443/TCP Endpoints: 192.168.2.200:6443 Session Affinity: ClientIP

Thanks Dubravko

1
dnskubernetes
Are you using a custom SSL certificate? How did you generate it?jaxxstorm
I'm using SAN certificates, how I have DNS:master01, DNS:master01.lab.cs, IP Address:192.160.2.200, IP Address:10.254.0.1dubravko sever
yes, I'm asking if you generated the certificate yourself.jaxxstorm

1 Answers

2
votes

If you're using the service IP your API server certificate must have IP:10.254.0.1 as a SAN.

Likewise if you reach the API using the service name kubernetes.default the certificate must have this name as a SAN.

A good practice is to request a certificate with at least the following SAN:

  • IP:(first IP of service CIDR)
  • DNS:kubernetes
  • DNS:kubernetes.default
  • DNS:kubernetes.default.svc
  • DNS:kubernetes.default.svc.cluster.local

Check this util script for reference: util.sh