kube-apiserver and TLS etc: kubectl reports unhealthy cluster #29330
Comments
|
I have the same issue. My etcd part of apiserver configuration is the same is in the post above: What to do? |
|
It seems like this is the same problem: #27343 (comment) |
|
@elcct Hello did you ever find a solution to this? |
|
@esayemm sadly not. Also tried Kubernetes 1.4.5 - doesn't work :( |
|
Still same issue in 1.5.1 |
|
Yes I have the same issue too with 1.5.1 and checked that curl with correct --cacert --cert --key option is able to get from etcd url/heath: {"health": "true"} |
|
seeing the same issue in 1.5.2 |
|
It seems like the fix is in the making, there is a pull request: |
|
Yes I have the same issue too . etcdctl version: 3.1.3 config apiserver as follow: --etcd-cafile='/var/run/kubernetes/ca.pem' --etcd-certfile='/var/run/kubernetes/client.pem' --etcd-keyfile='/var/run/kubernetes/client-key.pem' --client-ca-file='/var/run/kubernetes/ca.pem' create deployment and other is right, etcd is ok. $ kubectl get cs |
|
+1 Kubernetes : 1.5.3 |
|
Does Kubectl have a option to provide the etcd key when trying to query the component status? |
|
@xgerman There are no sig labels on this issue. Please add a sig label by: |
k8s-github-robot
added
the
needs-sig
|
@kubernetes/sig-ui |
|
|
Fixed in #39716. Will be in Kubernetes 1.7. |
- Start distinguishing `master_host` into FreeIPA and k8s API servers
- Why:
- Dogtag CA and API server are memory-heavy; put on different machines
- Eventual API server redundancy
- Redo groups and hosts.yaml file
- Replace `master_host` etc. with `freeipa_master_host`
- Parallel IPA requests breaking
- Multiple, parallel requests to IPA server result in "Unauthorized" errors
- No clean way to serialize; separate IPA operations into plays and
use `serial: 1`
- IPA cert operations: put into a proper role
- Other operations: handle individually
- Update to k8s version 1.7.0
- Earlier versions have trouble with TLS to etcd
- kubernetes/kubernetes#29330
- Update dns and dashboard addons and manifests
- Generalize use of `etcd_cluster_token` -> `cluster_id`
- README notes
- Download kubeadm
- Start distinguishing `master_host` into FreeIPA and k8s API servers
- Why:
- Dogtag CA and API server are memory-heavy; put on different machines
- Eventual API server redundancy
- Redo groups and hosts.yaml file
- Replace `master_host` etc. with `freeipa_master_host`
- Parallel IPA requests breaking
- Multiple, parallel requests to IPA server result in "Unauthorized" errors
- No clean way to serialize; separate IPA operations into plays and
use `serial: 1`
- IPA cert operations: put into a proper role
- Other operations: handle individually
- Update to k8s version 1.7.0
- Earlier versions have trouble with TLS to etcd
- kubernetes/kubernetes#29330
- Update dns and dashboard addons and manifests
- Generalize use of `etcd_cluster_token` -> `cluster_id`
- README notes
- Download kubeadm
* Updated to work with the bumped stdlib * Updated to use the new "proper" certs from the latest simp-beaker-helpers * Tests will fail on checking 'componentstatus' using 'kubectl' due to a known bug in Kubernetes < 1.7 per kubernetes/kubernetes#29330
* Adds parameters and code to manage ports related to kubernetes with simp/iptables * Tests will fail on checking 'componentstatus' using 'kubectl' due to a known bug in Kubernetes < 1.7 per kubernetes/kubernetes#29330 SIMP-4158 #close SIMP-4187 #close
|
problem still occurs for kubenetes1.6.0 with etcd 3.3.8 |
I am running v1.3.0-beta.1 and have set up etc, k8 with TLS. Here is the relevant part for the kube-apiserver:
--etcd_servers=https://192.168.200.2:2379
--etcd-cafile=/srv/kubernetes/ca.crt
--etcd-certfile=/srv/kubernetes/kubecfg.crt
--etcd-keyfile=/srv/kubernetes/kubecfg.key \
I tried it running without those parameters and kube-apiserver didn't start but failed with (from the logs):
etcd cluster is unavailable or misconfigured
So it can do something with those certs.
Now, when I run
vagrant@k8-master:~$ kubectl get cs
NAME STATUS MESSAGE ERROR
scheduler Healthy ok
controller-manager Healthy ok
etcd-0 Unhealthy Get https://192.168.200.2:2379/health: remote error: bad certificate
But when I run etcdctl using the SAM certificates:
vagrant@k8-master:~$ sudo etcdctl --debug --endpoints https://192.168.200.2:2379 --ca-file /srv/kubernetes/ca.crt --key-file /srv/kubernetes/kubecfg.key --cert-file /srv/kubernetes/kubecfg.crt cluster-health
Cluster-Endpoints: https://192.168.200.2:2379
cURL Command: curl -X GET https://192.168.200.2:2379/v2/members
member ce2a822cea30bfca is healthy: got healthy result from https://192.168.200.2:2379
cluster is healthy
Furthermore:
sudo etcdctl --debug --endpoints https://192.168.200.2:2379 --ca-file /srv/kubernetes/ca.crt --key-file /srv/kubernetes/kubecfg.key --cert-file /srv/kubernetes/kubecfg.crt ls registry
start to sync cluster using endpoints(https://192.168.200.2:2379)
cURL Command: curl -X GET https://192.168.200.2:2379/v2/members
got endpoints(https://192.168.200.2:2379) after sync
Cluster-Endpoints: https://192.168.200.2:2379
cURL Command: curl -X GET https://192.168.200.2:2379/v2/keys/registry?quorum=false&recursive=false&sorted=false
/registry/ranges
/registry/namespaces
/registry/events
/registry/services
/registry/serviceaccounts
/registry/secrets
/registry/deployments
/registry/replicasets
/registry/pods
I suspect that some code path in kube-apiserver isn't aware of the certificates?
The text was updated successfully, but these errors were encountered: