containerd did not respect hosts trusted certs #7983
TimotheusB asked this question in Q&A
Original title: "Certificate verify fails to domains with 'Secure Renegotiation' only from within pods but works on host"

UPDATE: After installing the (corporate) root certificates into a pod (the same as on the host), https to github.com is now possible.
Looks like containerd did NOT respect the host's cert store!

2nd UPDATE: updating to 1.6.15 did not solve the issue.

From all hosts we can access every https site from a command line, via wget or curl for example. From within cluster pods we can access some domains but not others. After some testing, it turns out that we cannot access https sites which have "Secure Renegotiation" enabled (our cluster is behind a corporate firewall). From the host it is possible, but from within the cluster it is not.

AFAIK containerd should read all certificates installed on the host operating system. I am not sure whether the problem could be that containerd does not respect all host certificates (including self-signed ones), or how to check whether this problem is related to containerd or to the firewall. (An older cluster with Docker as container runtime instead of containerd does not have this problem in the same network setup.)
How to reproduce this behaviour:

```
kubectl run curl-test --image=rnix/openssl-gost:stretch -i --tty --rm
```

Within this pod, try to debug the SSL traffic with

```
openssl s_client -connect domainname:port
```

Non-working example: `github.com:443`. Some output from openssl:

```
...
Secure Renegotiation IS NOT supported
Verify return code: 19 (self signed certificate in certificate chain)
```

Working example: `google.com:443`

```
...
Verify return code: 20 (unable to get local issuer certificate)
Secure Renegotiation IS supported
```

Version list:
- OS: SLES 15 SP4
- containerd 1.6.9
- k8s 1.25.3
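The following manifest is an added example, not part of the original discussion or of the containerd project. A process inside a container only trusts the CA bundle that is present in its own image (or that is mounted into it); the host's trust store is not injected by containerd, whose own registry certificate configuration is used for image pulls only. The manifest makes that visible by running the same `openssl s_client` check twice in the pod from the post, once with the image's own store and once against the node's CA bundle mounted read-only. Assumptions: the node is SLES 15, which keeps its system bundle at `/etc/ssl/ca-bundle.pem`, and the image is `rnix/openssl-gost:stretch` as used above; the pod name and mount path are arbitrary.

```yaml
# Added example (not from the original post or the containerd project).
# Debug pod that mounts the node's CA bundle read-only so that tools inside
# the pod verify against the same trust store as the host.
# Assumptions: SLES 15 node with its bundle at /etc/ssl/ca-bundle.pem;
# the image is the one used in the post; pod name and mount path are arbitrary.
apiVersion: v1
kind: Pod
metadata:
  name: curl-test-hostca
spec:
  restartPolicy: Never
  containers:
    - name: openssl
      image: rnix/openssl-gost:stretch
      command: ["sh", "-c"]
      args:
        - |
          # 1) Image trust store only: this is what the post reproduces.
          echo "--- image CA store"
          openssl s_client -connect github.com:443 </dev/null 2>&1 \
            | grep -E 'Verify return code|Secure Renegotiation'
          # 2) Host trust store: the corporate root is trusted if the node
          #    trusts it, so verification should now return code 0 (ok).
          echo "--- host CA bundle"
          openssl s_client -connect github.com:443 \
              -CAfile /etc/ssl/certs/host-ca-bundle.pem </dev/null 2>&1 \
            | grep -E 'Verify return code|Secure Renegotiation'
      env:
        # OpenSSL-linked tools that use the default store (curl, python, ...)
        # pick the mounted bundle up through this standard OpenSSL variable.
        - name: SSL_CERT_FILE
          value: /etc/ssl/certs/host-ca-bundle.pem
      volumeMounts:
        - name: host-ca
          mountPath: /etc/ssl/certs/host-ca-bundle.pem
          readOnly: true
  volumes:
    - name: host-ca
      hostPath:
        path: /etc/ssl/ca-bundle.pem   # SLES 15 system bundle (assumption)
        type: File
```

Run it with `kubectl apply -f` and read the result with `kubectl logs curl-test-hostca`. If the first check fails with verify code 19 and the second returns code 0, the missing piece is the CA inside the image, not the runtime or the firewall; if both fail identically, the node itself does not trust the intercepting root. Treat the `hostPath` mount as a diagnostic only: it trusts every CA the node trusts, and the restricted Pod Security profile rejects `hostPath` volumes. For real workloads, ship the corporate root in a ConfigMap mounted into the image's CA directory, or add it to the image at build time.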