So I manually deployed my cluster and my API server config is as follows:

[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
[Service]
ExecStart=/usr/local/bin/kube-apiserver \
  --advertise-address=10.1.1.21 \
  --allow-privileged=true \
  --apiserver-count=2 \
  --audit-log-maxage=30 \
  --audit-log-maxbackup=3 \
  --audit-log-maxsize=100 \
  --log-dir=/var/log/kubernetes/ \
  --log-file=/var/log/kubernetes/kube-apiserver.log \
  --log-file-max-size=500 \
  --audit-log-path=/var/log/kubernetes/kube-apiserver-audit.log \
  --authorization-mode=Node,RBAC \
  --bind-address=0.0.0.0 \
  --client-ca-file=/etc/kubernetes/pki/ca/ca.crt \
  --enable-admission-plugins=NodeRestriction,ServiceAccount \
  --enable-bootstrap-token-auth=true \
  --etcd-cafile=/etc/kubernetes/pki/ca/ca.crt \
  --etcd-certfile=/etc/kubernetes/pki/etcd/etcd-server.crt \
  --etcd-keyfile=/etc/kubernetes/pki/etcd/etcd-server.key \
  --etcd-servers=https://master01:2379,https://master02:2379,https://master03:2379 \
  --event-ttl=1h \
  --encryption-provider-config=/var/lib/kubernetes/encryption-config.yaml \
  --kubelet-certificate-authority=/etc/kubernetes/pki/ca/ca.crt \
  --kubelet-client-certificate=/etc/kubernetes/pki/kube-apiserver.crt \
  --kubelet-client-key=/etc/kubernetes/pki/kube-apiserver.key \
  --runtime-config=api/all=true \
  --service-account-key-file=/etc/kubernetes/pki/service-account.crt \
  --service-cluster-ip-range=10.96.0.0/24 \
  --service-node-port-range=30000-32767 \
  --tls-cert-file=/etc/kubernetes/pki/kube-apiserver.crt \
  --tls-private-key-file=/etc/kubernetes/pki/kube-apiserver.key \
  --service-account-signing-key-file=/etc/kubernetes/pki/service-account.key \
  --service-account-issuer=https://kubernetes.default.svc.cluster.local \
  --v=2
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
My 3 master control nodes are running fine.

When I try to register a node using the following configurations:

[Unit]
Description=Kubernetes Kubelet
Documentation=https://github.com/kubernetes/kubernetes
After=docker.service
Requires=docker.service
[Service]
ExecStart=/usr/local/bin/kubelet \
  --config=/var/lib/kubelet/kubelet-config.yaml \
  --kubeconfig=/var/lib/kubelet/kubeconfig \
  --register-node=true \
  --v=2
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target
kubelet-config.yaml:

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: "0.0.0.0"
port: 10250
serializeImagePulls: false
evictionHard:
  memory.available: "200Mi"
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: "/etc/kubernetes/pki/ca/ca.crt"
authorization:
  mode: Webhook
clusterDomain: "cluster.local"
clusterDNS:
  - "10.96.0.10"
resolvConf: "/run/systemd/resolve/resolv.conf"
runtimeRequestTimeout: "15m"
When my nodes are registered, instead of auto-creating a cert and registering them in the cluster using the configured CA, it is creating its own CA certificate. Even though the node is part of the cluster, all communications (deploy, get logs etc.) fail because the node CA is not known in the cluster...

Can anyone shed some light?
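An added configuration example, not part of the original post: the kubelet only generates its own self-signed serving certificate when `tlsCertFile`/`tlsPrivateKeyFile` are absent and `serverTLSBootstrap` is off, so the two documented ways to make the kubelet present a certificate the API server's `--kubelet-certificate-authority` can verify are shown below as two alternative kubelet-config.yaml variants. The paths under /etc/kubernetes/pki/kubelet/ are assumed, and the other settings from the post stay as they are.

```yaml
# Option A: pre-issued serving certificate signed by the cluster CA.
# The certificate must contain the node's hostname and IP as SANs,
# because the API server connects to the kubelet by node address.
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: "/etc/kubernetes/pki/ca/ca.crt"
authorization:
  mode: Webhook
tlsCertFile: "/etc/kubernetes/pki/kubelet/kubelet-server.crt"       # assumed path
tlsPrivateKeyFile: "/etc/kubernetes/pki/kubelet/kubelet-server.key" # assumed path
---
# Option B: let the kubelet request its serving certificate from the
# certificates.k8s.io API (signer kubernetes.io/kubelet-serving) instead of
# self-signing one, and keep both client and serving certs rotated.
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
  x509:
    clientCAFile: "/etc/kubernetes/pki/ca/ca.crt"
authorization:
  mode: Webhook
serverTLSBootstrap: true
rotateCertificates: true
```

With option B the serving CSR is not approved automatically; it must be approved with `kubectl certificate approve <csr-name>` (or by a CSR approver) before `kubectl logs`/`exec` against that node will verify. Either way, `openssl s_client -connect <node>:10250` should afterwards show a certificate issued by the cluster CA rather than by the node itself.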