
06.Security - View Certificate Details

seulseul 2022. 1. 24. 15:33

 

Security

1) View Certificate Details
2) Certificates API
3) KubeConfig
4) Role Based Access Controls
5) Cluster Roles
6) Service Accounts
7) Image Security
8) Security Contexts
9) Network Policies

 

01. Identify the certificate file used for the kube-api server
 
 
Answer: /etc/kubernetes/pki/apiserver.crt
 
 - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
 
root@controlplane:~# cat /etc/kubernetes/manifests/kube-apiserver.yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.69.65.6:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.69.65.6
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: k8s.gcr.io/kube-apiserver:v1.20.0
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 10.69.65.6
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-apiserver
    readinessProbe:
      failureThreshold: 3
      httpGet:
        host: 10.69.65.6
        path: /readyz
        port: 6443
        scheme: HTTPS
      periodSeconds: 1
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 10.69.65.6
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/ca-certificates
      name: etc-ca-certificates
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /usr/local/share/ca-certificates
      name: usr-local-share-ca-certificates
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-share-ca-certificates
      readOnly: true
  hostNetwork: true
  priorityClassName: system-node-critical
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/ca-certificates
      type: DirectoryOrCreate
    name: etc-ca-certificates
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /usr/local/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-local-share-ca-certificates
  - hostPath:
      path: /usr/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-share-ca-certificates
status: {}
 
 

02. Identify the Certificate file used to authenticate kube-apiserver as a client to the ETCD Server
(see the --etcd-certfile option in the kube-apiserver manifest above)

 

1) /etc/kubernetes/pki/apiserver-kubelet-client.crt

2) /etc/kubernetes/pki/apiserver-etcd-client.key

3) /etc/kubernetes/pki/apiserver-etcd-client.crt

4) /etc/kubernetes/pki/apiserver-etcd.crt

5) /etc/kubernetes/pki/apiserver.crt

 

03. Identify the key used to authenticate kube-apiserver to the kubelet server
(see the --kubelet-client-key option in the kube-apiserver manifest above)

 

1) /etc/kubernetes/pki/apiserver.key

2) /etc/kubernetes/pki/apiserver-etcd-client.key

3) /etc/kubernetes/pki/apiserver-kubelet-client.crt

4) /etc/kubernetes/pki/apiserver-kubelet-client.key

5) /etc/kubernetes/pki/front-proxy-client.key

 

04. Identify the ETCD Server Certificate used to host the ETCD server
(this is the --cert-file option in /etc/kubernetes/manifests/etcd.yaml, not in the kube-apiserver manifest; see question 12)

 

1) /etc/kubernetes/pki/etcd/server.crt

2) /etc/kubernetes/pki/apiserver-etcd-client.crt

3) /etc/kubernetes/pki/apiserver.crt

4) /etc/kubernetes/pki/etcd/ca.crt

 

05. Identify the ETCD Server CA Root Certificate used to serve ETCD Server

 

ETCD can have its own CA.

So this may be a different CA certificate than the one used by kube-api server.

ETCD는 자체 CA를 가질 수 있습니다.
따라서 이것은 kube-api 서버에서 사용하는 것과 다른 CA 인증서일 수 있습니다.

--etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt

1) /etc/kubernetes/pki/etcd/ca.crt

2) /etc/kubernetes/pki/etcd/server.crt

3) /etc/kubernetes/pki/ca.crt

4) /etc/kubernetes/pki/apiserver-kubelet-client.crt

 

06. What is the Common Name (CN) configured on the Kube API Server Certificate?

 

# OpenSSL Syntax: 

openssl x509 -in file-path.crt -text -noout

1) kube-apiserver

2) kubernetes

3) kube-api-server

4) api-server

5) kubeapi-server

# hint

Run the command 

openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text

and look for Subject CN.
root@controlplane:~# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1240023554049144563 (0x113572da3c3776f3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: Jan 24 05:29:27 2022 GMT
            Not After : Jan 24 05:29:27 2023 GMT
        Subject: CN = kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:da:2a:26:28:72:46:05:f7:4d:19:f1:3e:c8:5e:
                    f9:b6:51:be:f0:3d:01:09:28:d7:c9:13:4a:a7:b8:
                    ce:1a:d2:f1:34:fc:7d:84:11:86:9b:ee:32:f7:4e:
                    69:8a:9e:70:d7:1e:eb:84:a1:df:d4:a4:c8:2c:8a:
                    2b:15:82:11:5d:5d:68:cb:4e:a0:10:2b:0d:e8:59:
                    74:98:8f:80:19:3c:33:e8:43:e7:64:e9:0b:39:a1:
                    df:3c:2f:28:b8:1c:8c:58:12:fe:6e:6b:ae:92:02:
                    aa:b4:a5:19:cb:11:e2:70:12:1b:a6:db:36:ec:8b:
                    bb:61:dd:63:d2:e3:7c:9e:ff:7c:2a:4a:a0:60:a5:
                    e2:d9:5a:9a:f0:0e:7a:1d:eb:9c:b2:d9:fc:b5:fa:
                    f1:d1:07:d0:25:e2:79:ce:86:e2:f6:01:33:37:63:
                    d6:4a:98:fb:06:35:4f:ce:4d:03:82:d7:6f:33:91:
                    e9:cd:38:31:81:47:35:9b:d0:13:1c:3e:80:59:47:
                    8a:ee:6d:47:b3:ab:e0:33:63:51:59:06:00:ce:be:
                    b4:d1:ec:a4:32:71:82:0f:c3:b4:4e:82:13:25:79:
                    50:12:40:2d:6a:a2:b4:40:91:5d:ea:c8:33:bf:c4:
                    8d:dd:15:d9:ba:ae:b8:dc:cd:9d:94:5f:e5:56:a3:
                    ce:af
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Authority Key Identifier: 
                keyid:DA:5B:FB:5D:D9:30:8C:74:DC:CD:CF:7A:81:61:C7:30:26:52:F3:AA

            X509v3 Subject Alternative Name: 
                DNS:controlplane, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:10.69.65.6
    Signature Algorithm: sha256WithRSAEncryption
         6e:2f:d6:45:93:3a:a3:8b:d3:c4:db:cc:5f:ee:ef:cd:11:5f:
         28:24:19:97:cf:eb:bf:79:83:1a:45:2d:68:d6:10:94:90:f9:
         ff:fc:ed:c4:8c:00:ba:20:18:e3:89:9e:25:74:67:d6:80:09:
         54:b0:7b:a8:b4:0c:1b:7f:b0:27:a5:d8:6e:84:f2:29:12:6b:
         06:b6:a0:f7:ba:22:32:bf:63:b4:ec:b8:a6:c5:3d:ce:36:2b:
         7e:5b:96:05:c9:57:8e:74:00:5d:01:a0:0b:61:03:5f:15:a9:
         28:bf:b5:3b:61:12:78:c4:f2:fd:d5:e5:22:e3:ab:6a:43:f6:
         c8:96:11:d7:27:12:a1:67:67:5e:9f:1e:8e:dc:60:7b:9a:ed:
         c6:e9:b9:3f:80:c2:c2:96:26:fe:1a:50:0e:bc:1a:9c:94:8c:
         15:b9:48:e1:07:9e:ce:8a:8e:f5:ab:59:60:e3:c8:cb:66:76:
         44:48:ce:dd:f4:d8:b1:ec:4c:35:8e:b8:d0:b7:36:fd:3e:6a:
         1c:0b:76:5d:f1:fe:03:ba:1e:cd:db:d9:e5:9c:d4:3c:01:14:
         5b:5b:af:69:38:15:f7:63:79:57:fc:06:0b:eb:0b:c1:88:36:
         03:24:c2:70:5e:56:9d:34:0e:7c:7d:0b:a4:c3:9c:2e:7e:80:
         3a:0d:70:3d
-----BEGIN CERTIFICATE-----
MIIDfjCCAmagAwIBAgIIETVy2jw3dvMwDQYJKoZIhvcNAQELBQAwFTETMBEGA1UE
AxMKa3ViZXJuZXRlczAeFw0yMjAxMjQwNTI5MjdaFw0yMzAxMjQwNTI5MjdaMBkx
FzAVBgNVBAMTDmt1YmUtYXBpc2VydmVyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
MIIBCgKCAQEA2iomKHJGBfdNGfE+yF75tlG+8D0BCSjXyRNKp7jOGtLxNPx9hBGG
m+4y905pip5w1x7rhKHf1KTILIorFYIRXV1oy06gECsN6Fl0mI+AGTwz6EPnZOkL
OaHfPC8ouByMWBL+bmuukgKqtKUZyxHicBIbpts27Iu7Yd1j0uN8nv98KkqgYKXi
2Vqa8A56Heucstn8tfrx0QfQJeJ5zobi9gEzN2PWSpj7BjVPzk0DgtdvM5HpzTgx
gUc1m9ATHD6AWUeK7m1Hs6vgM2NRWQYAzr600eykMnGCD8O0ToITJXlQEkAtaqK0
QJFd6sgzv8SN3RXZuq643M2dlF/lVqPOrwIDAQABo4HNMIHKMA4GA1UdDwEB/wQE
AwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAfBgNVHSMEGDAWgBTaW/td2TCMdNzN
z3qBYccwJlLzqjCBgQYDVR0RBHoweIIMY29udHJvbHBsYW5lggprdWJlcm5ldGVz
ghJrdWJlcm5ldGVzLmRlZmF1bHSCFmt1YmVybmV0ZXMuZGVmYXVsdC5zdmOCJGt1
YmVybmV0ZXMuZGVmYXVsdC5zdmMuY2x1c3Rlci5sb2NhbIcECmAAAYcECkVBBjAN
BgkqhkiG9w0BAQsFAAOCAQEAbi/WRZM6o4vTxNvMX+7vzRFfKCQZl8/rv3mDGkUt
aNYQlJD5//ztxIwAuiAY44meJXRn1oAJVLB7qLQMG3+wJ6XYboTyKRJrBrag97oi
Mr9jtOy4psU9zjYrfluWBclXjnQAXQGgC2EDXxWpKL+1O2ESeMTy/dXlIuOrakP2
yJYR1ycSoWdnXp8ejtxge5rtxum5P4DCwpYm/hpQDrwanJSMFblI4QeezoqO9atZ
YOPIy2Z2REjO3fTYsexMNY640Lc2/T5qHAt2XfH+A7oezdvZ5ZzUPAEUW1uvaTgV
92N5V/wGC+sLwYg2AyTCcF5WnTQOfH0LpMOcLn6AOg1wPQ==
-----END CERTIFICATE-----

07. What is the name of the CA who issued the Kube API Server Certificate?

 

1) kubernetes-ca

2) kube-apiserver

3) ca

4) kubernetes

 

08. Which of the below alternate names is not configured on the Kube API Server Certificate?

다음 중 Kube API 서버 인증서에 구성되지 않은 대체 이름은 무엇입니까?

1) controlplane

2) kubernetes

3) kube-master

4) kubernetes.default.svc

 

09. What is the Common Name (CN) configured on the ETCD Server certificate?

 

1) kubernetes

2) controlplane

3) etcd-server

4) etcd

root@controlplane:~# openssl x509 -in /etc/kubernetes/pki/etcd/server.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4694542830210728097 (0x41265dd4d19140a1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = etcd-ca
        Validity
            Not Before: Jan 24 05:29:28 2022 GMT
            Not After : Jan 24 05:29:28 2023 GMT
        Subject: CN = controlplane
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c4:40:00:67:00:70:f4:20:f5:c5:85:68:bb:70:
                    43:cc:f0:6e:c9:6e:98:aa:5b:cf:6e:f5:4f:8b:b1:
                    e0:8a:e7:7c:5e:67:b9:b1:79:8a:69:35:fe:0a:ee:
                    da:37:6e:6f:f3:4f:78:78:f6:55:1d:c4:ea:eb:e9:
                    e2:44:71:62:d5:3c:fa:39:94:c4:e4:83:65:ad:0d:
                    9b:73:32:23:ef:9d:1f:44:36:a1:eb:92:54:93:4a:
                    22:c0:e4:99:b3:0c:fa:8c:81:51:d1:b7:e9:b9:ad:
                    61:15:af:d9:9a:9b:26:de:27:e8:b6:18:89:af:b3:
                    f6:85:63:ec:03:75:ca:41:02:df:f2:b8:8d:ab:0d:
                    e5:2d:0a:f1:c3:0d:05:d3:b9:a2:25:6d:25:13:03:
                    d7:86:66:1e:55:9a:70:b7:75:fc:e6:2a:f4:02:1b:
                    59:d6:3e:21:ab:d8:63:1d:91:50:5c:30:de:2e:f8:
                    fb:a7:16:61:b6:e9:bd:a3:b6:e2:bc:d6:71:73:42:
                    e1:ec:d5:75:bc:64:6f:ea:a4:a1:cd:c2:29:13:ae:
                    7d:46:4d:90:4e:ae:3d:e4:64:9d:1e:ac:20:98:53:
                    c9:aa:d2:41:99:66:06:55:ae:63:50:79:4c:e7:77:
                    b6:08:3c:fb:9d:d7:a6:95:95:4d:d3:63:8e:39:d3:
                    33:9d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Authority Key Identifier: 
                keyid:70:E5:C0:B6:2D:D4:3F:73:8C:3B:1B:41:0E:D1:EB:45:95:15:4F:45

            X509v3 Subject Alternative Name: 
                DNS:controlplane, DNS:localhost, IP Address:10.69.65.6, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
    Signature Algorithm: sha256WithRSAEncryption
         83:c5:e4:6f:6f:37:2d:e6:22:cc:61:fc:e3:56:63:c9:d6:1c:
         bd:d0:0b:d6:90:46:12:fd:7d:3f:45:d1:75:c6:c0:11:0d:03:
         21:4a:c4:af:e5:82:33:24:19:d4:b2:35:68:91:0d:48:1e:43:
         34:44:d0:25:92:61:af:32:f8:b1:5c:68:7f:df:5c:c9:d2:49:
         6e:c0:43:47:7f:70:bf:79:4b:8b:b5:4f:8e:4c:38:56:9e:c8:
         60:78:c3:87:97:07:75:6c:1f:91:fe:6c:65:1a:1c:20:72:b8:
         75:cf:4d:f4:9c:e2:ff:ef:78:f3:e9:e7:a8:d2:2b:c5:e9:90:
         4e:23:1a:18:2e:8e:04:1f:63:fd:6e:70:e0:ae:15:3f:e9:39:
         96:1b:a7:cc:71:42:d2:41:19:8d:5b:2d:57:ae:1f:7a:cd:7e:
         e2:c6:4c:fd:56:09:7a:15:cb:80:0d:e7:8e:b5:94:c0:7b:8c:
         54:ab:84:81:b7:34:10:38:d1:a1:a3:70:fd:ea:72:91:cf:16:
         2d:6b:c5:71:77:24:e8:e4:00:10:a2:2d:13:1e:06:95:15:c5:
         24:4c:75:d7:6f:bc:05:70:95:67:f2:51:e9:9b:f5:ed:dc:f4:
         ae:2c:5c:5a:a8:b2:4d:eb:72:43:3c:bc:35:b6:95:37:8e:e7:
         5e:c8:3b:f2
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

 

10. How long, from the issued date, is the Kube-API Server Certificate valid for?

File: /etc/kubernetes/pki/apiserver.crt

 

Answer: 1 Year

 

root@controlplane:~# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1240023554049144563 (0x113572da3c3776f3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: Jan 24 05:29:27 2022 GMT
            Not After : Jan 24 05:29:27 2023 GMT
        Subject: CN = kube-apiserver
        Subject Public Key Info:

11. How long, from the issued date, is the Root CA Certificate valid for?

File: /etc/kubernetes/pki/ca.crt

 

Answer: 10 years

 

12. Kubectl suddenly stops responding to your commands.

Check it out!

Someone recently modified the /etc/kubernetes/manifests/etcd.yaml file

 

Kubectl이 갑자기 명령에 응답하지 않습니다.

누군가 최근에 /etc/kubernetes/manifests/etcd.yaml 파일을 수정했습니다.

 

You are asked to investigate and fix the issue. Once you fix the issue, wait for some time for kubectl to respond. Check the logs of the ETCD container.

문제를 조사하고 해결해 달라는 요청을 받았습니다. 문제를 해결하면 kubectl이 응답할 때까지 기다리십시오. ETCD 컨테이너의 로그를 확인하십시오.


  • Fix the kube-api server
# hint

Inspect the --cert-file option in the manifests file.

# solution

The certificate file used here is incorrect.

It is set to /etc/kubernetes/pki/etcd/server-certificate.crt, which does not exist. Because ETCD cannot start without a valid --cert-file, the kube-apiserver loses its datastore and kubectl stops responding.

As we saw in the previous questions, the correct path should be

/etc/kubernetes/pki/etcd/server.crt.

root@controlplane:~# ls -l /etc/kubernetes/pki/etcd/server* | grep .crt
-rw-r--r-- 1 root root 1188 May 20 00:41 /etc/kubernetes/pki/etcd/server.crt
root@controlplane:~# 

Update the YAML file with the correct certificate path and wait for the

ETCD pod to be recreated. Then wait for the kube-apiserver to reach a Ready state.

NOTE: It may take a few minutes for the kubectl commands to work again

so please be patient.

 

13. The kube-api server stopped again! Check it out.

Inspect the kube-api server logs and identify the root cause and fix the issue.


Run the `docker ps -a` command to identify the kube-api server container.

Run `docker logs <container-id>` to view the logs.

 
  • Fix the kube-api server
ETCD has its own CA. The right CA must be used for the --etcd-cafile option in

/etc/kubernetes/manifests/kube-apiserver.yaml

 

If we inspect the kube-apiserver container on the controlplane, 

we can see that it is frequently exiting.

root@controlplane:~# docker ps -a | grep kube-apiserver
8af74bd23540        ca9843d3b545           "kube-apiserver --ad…"   39 seconds ago      Exited (1) 17 seconds ago                          k8s_kube-apiserver_kube-apiserver-controlplane_kube-system_f320fbaff7813586592d245912262076_4
c9dc4df82f9d        k8s.gcr.io/pause:3.2   "/pause"                 3 minutes ago       Up 3 minutes                                       k8s_POD_kube-apiserve-controlplane_kube-system_f320fbaff7813586592d245912262076_1
root@controlplane:~# 
If we now inspect the logs of this exited container,
we see the following errors:

root@controlplane:~# docker logs 8af74bd23540  --tail=2
W0520 01:57:23.333002       1 clientconn.go:1223] grpc: addrConn.createTransport
failed to connect to {https://127.0.0.1:2379  <nil> 0 <nil>}. 
Err :connection error: desc = "transport: authentication handshake failed: x509:
certificate signed by unknown authority". Reconnecting...
Error: context deadline exceeded

root@controlplane:~# 
This indicates an issue with the ETCD CA certificate used by the kube-apiserver: the apiserver is correctly refusing an ETCD server certificate that does not chain to the CA it was given.
Correct it to use the file /etc/kubernetes/pki/etcd/ca.crt (the CA that actually issued the ETCD server certificate, Issuer: CN = etcd-ca above); the fix is to point at the right CA, not to relax certificate verification.

Once the YAML file has been saved, wait for the kube-apiserver pod to be Ready.
This can take a couple of minutes. The manifest below is the broken state: it still has --etcd-cafile=/etc/kubernetes/pki/ca.crt, which must be changed to /etc/kubernetes/pki/etcd/ca.crt.
root@controlplane:/etc/kubernetes/manifests# cat kube-apiserver.yaml 
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 10.69.65.6:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=10.69.65.6
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: k8s.gcr.io/kube-apiserver:v1.20.0
    imagePullPolicy: IfNotPresent
    livenessProbe:
      failureThreshold: 8
      httpGet:
        host: 10.69.65.6
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    name: kube-apiserver
    readinessProbe:
      failureThreshold: 3
      httpGet:
        host: 10.69.65.6
        path: /readyz
        port: 6443
        scheme: HTTPS
      periodSeconds: 1
      timeoutSeconds: 15
    resources:
      requests:
        cpu: 250m
    startupProbe:
      failureThreshold: 24
      httpGet:
        host: 10.69.65.6
        path: /livez
        port: 6443
        scheme: HTTPS
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
      readOnly: true
    - mountPath: /etc/ca-certificates
      name: etc-ca-certificates
      readOnly: true
    - mountPath: /etc/kubernetes/pki
      name: k8s-certs
      readOnly: true
    - mountPath: /usr/local/share/ca-certificates
      name: usr-local-share-ca-certificates
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-share-ca-certificates
      readOnly: true
  hostNetwork: true
  priorityClassName: system-node-critical
  volumes:
  - hostPath:
      path: /etc/ssl/certs
      type: DirectoryOrCreate
    name: ca-certs
  - hostPath:
      path: /etc/ca-certificates
      type: DirectoryOrCreate
    name: etc-ca-certificates
  - hostPath:
      path: /etc/kubernetes/pki
      type: DirectoryOrCreate
    name: k8s-certs
  - hostPath:
      path: /usr/local/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-local-share-ca-certificates
  - hostPath:
      path: /usr/share/ca-certificates
      type: DirectoryOrCreate
    name: usr-share-ca-certificates
status: {}