
On a newly created AKS cluster we're having trouble with pods setting up k8s resources (calling https://10.0.0.1:443/api/v1/namespaces/kube-system/...). The error is a timed-out TLS handshake to the API. By logging in to the pod and using OpenSSL I can see that no certificates are returned from the server.

openssl s_client -connect 10.0.0.1:443
CONNECTED(00000003)

write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

We've tried upgrading etc, but to no avail. Any tips on how we can recreate these certificates?


2 Answers


We have now solved this issue. For others facing this issue: it was actually a firewall issue. We have an Azure Firewall in the network and we had an ApplicationNetworkRule allowing HTTP and HTTPS egress traffic. The application rule blocked all k8s certs due to failed SNI. Changing the FW rules to a network rule on port 80/443 solved the problem.


Just in case anyone comes across this, I had this issue and was receiving the following error:

HTTPS request from 10.240.0.4:49379. Action: Deny. Reason: SNI TLS extension was missing.

To fix this I had to add a Network Rule with the IP address of my API server (*.hcp.REGION.azmk8s.io) with port 443 set to Allow.
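Both answers point at the same root cause: an Azure Firewall application rule needs the TLS SNI extension to classify HTTPS traffic, and clients that dial the API server by IP address (as the openssl output in the question does) send none, so the rule denies them. The following added example (not code from the question or either answer) is a small Python triage that parses firewall log lines in the shape quoted above and lists the source IPs that need a network rule instead; the sample log lines other than the one from the answer are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of Azure Firewall application-rule log lines. The first
# line is the one quoted in the answer above; the others are made up to show
# allowed traffic, a second missing-SNI deny and an unrelated deny.
SAMPLE_LOG = """\
HTTPS request from 10.240.0.4:49379. Action: Deny. Reason: SNI TLS extension was missing.
HTTPS request from 10.240.0.5:51022 to mcr.microsoft.com:443. Action: Allow. Rule Collection: aks-egress. Rule: allow-https.
HTTPS request from 10.240.0.6:40011. Action: Deny. Reason: SNI TLS extension was missing.
HTTP request from 10.240.0.4:33020 to example.invalid:80. Action: Deny. No rule matched. Proceeding with default action.
"""

# Protocol, source ip:port, optional "to host:port" (absent when the firewall
# could not learn a hostname, which is exactly the missing-SNI case), the
# action, and an optional "Reason: ..." sentence.
LINE_RE = re.compile(
    r"^(?P<proto>HTTPS?) request from (?P<src_ip>[\d.]+):(?P<src_port>\d+)"
    r"(?: to (?P<dst>[^\s:]+):(?P<dst_port>\d+))?"
    r"\. Action: (?P<action>Allow|Deny)\."
    r"(?: Reason: (?P<reason>[^.]+)\.)?"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a dict of the named fields, or None if the line is not a rule log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {k: (v or "") for k, v in m.groupdict().items()}


def parse_log(text: str) -> List[Dict[str, str]]:
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def missing_sni_denies(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Denies caused by the application rule seeing no SNI, as in the question."""
    return [r for r in records if r["action"] == "Deny" and "SNI" in r["reason"]]


def sources_needing_network_rule(records: List[Dict[str, str]]) -> List[str]:
    """Unique source IPs whose TLS traffic must be covered by a network rule."""
    return sorted({r["src_ip"] for r in missing_sni_denies(records)})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip in sources_needing_network_rule(recs):
        print(f"{ip}: denied for missing SNI; allow destination 443 with a network rule")
```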