New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kube-apiserver and TLS etc: kubectl reports unhealthy cluster #29330
Comments
I have the same issue.
My etcd part of apiserver configuration is the same is in the post above:
What to do? |
It seems like this is the same problem: #27343 (comment) |
@elcct Hello did you ever find a solution to this? |
@esayemm sadly not. Also tried Kubernetes 1.4.5 - doesn't work :( |
Still same issue in 1.5.1 |
Yes I have the same issue too with 1.5.1 and checked that curl with correct --cacert --cert --key option is able to get from etcd url/heath: {"health": "true"} |
seeing the same issue in 1.5.2 |
It seems like the fix is in the making, there is a pull request: |
Yes I have the same issue too . etcdctl version: 3.1.3 config apiserver as follow: --etcd-cafile='/var/run/kubernetes/ca.pem' --etcd-certfile='/var/run/kubernetes/client.pem' --etcd-keyfile='/var/run/kubernetes/client-key.pem' --client-ca-file='/var/run/kubernetes/ca.pem' create deployment and other is right, etcd is ok. $ kubectl get cs |
+1 Kubernetes : 1.5.3
|
Does Kubectl have a option to provide the etcd key when trying to query the component status?
|
@xgerman There are no sig labels on this issue. Please add a sig label by: |
@kubernetes/sig-ui |
|
Fixed in #39716. Will be in Kubernetes 1.7. |
- Start distinguishing `master_host` into FreeIPA and k8s API servers - Why: - Dogtag CA and API server are memory-heavy; put on different machines - Eventual API server redundancy - Redo groups and hosts.yaml file - Replace `master_host` etc. with `freeipa_master_host` - Parallel IPA requests breaking - Multiple, parallel requests to IPA server result in "Unauthorized" errors - No clean way to serialize; separate IPA operations into plays and use `serial: 1` - IPA cert operations: put into a proper role - Other operations: handle individually - Update to k8s version 1.7.0 - Earlier versions have trouble with TLS to etcd - kubernetes/kubernetes#29330 - Update dns and dashboard addons and manifests - Generalize use of `etcd_cluster_token` -> `cluster_id` - README notes - Download kubeadm
- Start distinguishing `master_host` into FreeIPA and k8s API servers - Why: - Dogtag CA and API server are memory-heavy; put on different machines - Eventual API server redundancy - Redo groups and hosts.yaml file - Replace `master_host` etc. with `freeipa_master_host` - Parallel IPA requests breaking - Multiple, parallel requests to IPA server result in "Unauthorized" errors - No clean way to serialize; separate IPA operations into plays and use `serial: 1` - IPA cert operations: put into a proper role - Other operations: handle individually - Update to k8s version 1.7.0 - Earlier versions have trouble with TLS to etcd - kubernetes/kubernetes#29330 - Update dns and dashboard addons and manifests - Generalize use of `etcd_cluster_token` -> `cluster_id` - README notes - Download kubeadm
* Updated to work with the bumped stdlib * Updated to use the new "proper" certs from the latest simp-beaker-helpers * Tests will fail on checking 'componentstatus' using 'kubectl' due to a known bug in Kubernetes < 1.7 per kubernetes/kubernetes#29330
* Adds parameters and code to manage ports related to kubernetes with simp/iptables * Tests will fail on checking 'componentstatus' using 'kubectl' due to a known bug in Kubernetes < 1.7 per kubernetes/kubernetes#29330 SIMP-4158 #close SIMP-4187 #close
problem still occurs for kubenetes1.6.0 with etcd 3.3.8 |
I am running v1.3.0-beta.1 and have set up etc, k8 with TLS. Here is the relevant part for the kube-apiserver:
--etcd_servers=https://192.168.200.2:2379
--etcd-cafile=/srv/kubernetes/ca.crt
--etcd-certfile=/srv/kubernetes/kubecfg.crt
--etcd-keyfile=/srv/kubernetes/kubecfg.key \
I tried it running without those parameters and kube-apiserver didn't start but failed with (from the logs):
etcd cluster is unavailable or misconfigured
So it can do something with those certs.
Now, when I run
vagrant@k8-master:~$ kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Unhealthy Get https://192.168.200.2:2379/health: remote error: bad certificate
But when I run etcdctl using the SAM certificates:
vagrant@k8-master:~$ sudo etcdctl --debug --endpoints https://192.168.200.2:2379 --ca-file /srv/kubernetes/ca.crt --key-file /srv/kubernetes/kubecfg.key --cert-file /srv/kubernetes/kubecfg.crt cluster-health
Cluster-Endpoints: https://192.168.200.2:2379
cURL Command: curl -X GET https://192.168.200.2:2379/v2/members
member ce2a822cea30bfca is healthy: got healthy result from https://192.168.200.2:2379
cluster is healthy
Furthermore:
sudo etcdctl --debug --endpoints https://192.168.200.2:2379 --ca-file /srv/kubernetes/ca.crt --key-file /srv/kubernetes/kubecfg.key --cert-file /srv/kubernetes/kubecfg.crt ls registry
start to sync cluster using endpoints(https://192.168.200.2:2379)
cURL Command: curl -X GET https://192.168.200.2:2379/v2/members
got endpoints(https://192.168.200.2:2379) after sync
Cluster-Endpoints: https://192.168.200.2:2379
cURL Command: curl -X GET https://192.168.200.2:2379/v2/keys/registry?quorum=false&recursive=false&sorted=false
/registry/ranges
/registry/namespaces
/registry/events
/registry/services
/registry/serviceaccounts
/registry/secrets
/registry/deployments
/registry/replicasets
/registry/pods
I suspect that some code path in kube-apiserver isn't aware of the certificates?
The text was updated successfully, but these errors were encountered: