Cannot connect to microk8s from another machine #421
Comments
In v1.14 we restricted the insecure access to MicroK8s from port 8080 to local users only. You have two options:
Great, thank you @ktsakalozos. However now I've encountered another problem. I was able to get things working on another machine on my LAN. (I had to run I've taken the output of
Any ideas?
Can you edit
I think I may have fat-fingered something when I copied my
And here I'm using P.S. I'm not sure that adding
@soapergem, I think there is a way to tell kubectl to ignore certs by adding
@soapergem please give the suggestion of @balchua a try. Your request of being able to add external IPs to the certificate seems reasonable but we do not support this yet. The I am marking this issue as a "feature request" and "help needed" in case anyone wants to work on this. The fix should be easy but I cannot give you an ETA.
Yes, adding Although, one thing important to note: while that flag works for Update: looks like I can add the
@ktsakalozos I will give this issue a shot.
* allow modifiable csr conf template - #421
Hey @ktsakalozos earlier you said:
How does one track when a new stable release gets cut? Since there's nothing listed on the releases page, how can I tell once a new release has been promoted to stable? Are there release notes anywhere?
At the moment, @soapergem, the best way to check for new releases is with:
The edge channel gets immediately updated with the code we have on this repo. Upon an upstream patch release (e.g. from 1.12.7 to 1.12.8) the edge channel is pushed to beta and candidate. About a week after a candidate release the new version is pushed to stable. In the future we would like to automate the release notes authoring and make use of the GitHub release page.
I see that there's been some movement on this, allowing updates to the
@soapergem You are correct that
Great, that worked perfectly. I'm going to close this issue because what I was hoping for has been accomplished.
After reading this thread it looks like there is a template and hook available to allow tuning of the certs but I don't see anything on the docs site/in the docs as to how one might leverage. Am I missing something or does the above need docu'ed?
@nrvale0, for sure this needs documenting. We mark issues like as Q&A and our intention is to move them to https://discuss.kubernetes.io/ as wiki topics. Your thoughts on this @balchua and everyone? @evilnick we do not want to miss this one.
I hardly go to discuss.kubernetes.io. 😁. My preference as a microk8s user is to have faq on common issues like today.
Good point, we will have to mirror any posts from discuss.kubernetes.io on microk8s.io.
I don't think you should duplicate effort so unless the intention is to automatically pull in relevant content (by tag?), it might be better to have a cookbook/recipe section hosted at the microk8s site and if the content is identical to Kubernetes running on other platforms, then a simple link would be OK, otherwise if it needs modifying for microk8s, it could be either copied and modified or else something like, "follow the steps found in replacing
As a data point for someone who is not new to k8s but is new to microk8s, this was my process:
@soapergem After you edit this file, how do you trigger microk8s to generate the new certs? I tried restarting and then doing
Hello @soapergem Thank you for your help. Unfortunately I am still unable to get this working. For now I am using a workaround of SSH Tunneling. I provided the steps to reproduce the problem below. Any help is greatly appreciated!
@kawsark check the generated crt conf. When I did this, the MOREIPS tag expanded to overwrite IP.3 with another IP. After changing the template to IP.9 (out of range of those added by MOREIPS), it worked.
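The numbering collision described in the comment above can be checked for mechanically, since OpenSSL keeps only the last value of a name repeated within one config section. This is an added example, not part of the original thread or MicroK8s's own code: the function name `dup_alt_names`, the `[ alt_names ]` section layout and every address in the sample except `192.168.1.123` are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list SAN keys defined twice in [ alt_names ] of an OpenSSL
# request config. Exit status 1 means at least one key is duplicated.
dup_alt_names() {
    awk '
        /^[ \t]*\[/ {                           # any section header
            insec = ($0 ~ /^[ \t]*\[[ \t]*alt_names[ \t]*\]/)
            next
        }
        insec && /^[ \t]*(IP|DNS)\.[0-9]+[ \t]*=/ {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key in seen) {                  # later line wins in OpenSSL
                printf "%s: %s replaced by %s\n", key, seen[key], val
                dup = 1
            }
            seen[key] = val
        }
        END { exit dup + 0 }
    ' "$1"
}

# Constructed sample of a generated config: IP.3 was added by hand to the
# template, then the MOREIPS expansion emitted its own IP.3 (values made up).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[ req ]
distinguished_name = dn
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
IP.1 = 127.0.0.1
IP.2 = 10.152.183.1
IP.3 = 192.168.1.123
IP.3 = 10.0.0.7
IP.4 = 10.1.1.1
EOF

dup_alt_names "$sample" || echo "duplicate SAN keys: renumber the hand-added entries"
rm -f "$sample"
```

Run it against the generated config rather than the template, because the duplicates only appear after the MOREIPS placeholder has been expanded.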
@shoover Thank you so much for that suggestion, that was indeed the issue! The
@kawsark Thanks a lot, you saved my day. For anybody interested in this, I've used the above hint to create an Ansible playbook (https://github.com/pfisterer/edsc-microk8s-playbook) that installs microk8s in OpenStack and modifies the CSR accordingly.
The feature seems to be broken. I have modified the csr.conf.template adding an IP.4, IP.5 and IP.6. What am I doing wrong?
Hi @mjordan79, can you check whether running the command below solves your issue:
This is going to ensure that certificates are refreshed and get the latest version of the csr.conf.template. We are aware of a bug with the
@neoaggelos Maybe I'm still very new to snap, but the command you've posted returns:
Hi @mjordan79. Ah, yes, my bad,
Apologies! Editing my previous comment as well to prevent confusion.
@neoaggelos
Hello
This solved it for me on 1.30:

Add dns or ip: `sudo nano /var/snap/microk8s/current/certs/csr.conf.template`

Refresh cert: `sudo microk8s refresh-certs --cert server.crt`
I just ran a fresh install of microk8s with this command:
I can access everything while I'm SSH'ed into the box this is running on, with commands much like this:
However when I set my `~/.kube/config` file - on another machine on the same network - to this:

And then try to run this command:

I get this error message:

In fact, when I run `curl localhost:8080` while on the box, I see valid K8S output, but if I try running `curl 192.168.1.123:8080` from outside the box, even that returns:

I've tried a couple of things to get this working, first of which was allowing access to 8080 on the firewall with this command:

Unfortunately that doesn't solve the problem. When I run `netstat -an | grep "LISTEN "` I can see an entry for port 8080 as follows:

But because it says `127.0.0.1` instead of `0.0.0.0`, this would explain why it's not working off the box. Is there some `microk8s.*` command I don't know about, to open up access?