
(Tunneling expose strategy) Api Server is not reachable via endpointslices from user cluster #11930

Closed
shankar-vng opened this issue Feb 20, 2023 · 1 comment · Fixed by #11932
Labels: kind/bug (Categorizes issue or PR as related to a bug), sig/networking (Denotes a PR or issue as being assigned to SIG Networking)

@shankar-vng wrote:

What happened?

The default API server endpoint slice, i.e. `kubernetes` in the `default` namespace, has the IP 192.168.30.10, which does not seem reachable/routable in cerebro from the user cluster. This causes the services/tools that use endpoint slices to fail when they fail to scrape the API server endpoint.

```
cannot read data: cannot scrape "https://192.168.30.10:6443/metrics": Get "https://192.168.30.10:6443/metrics": x509: certificate is valid for 10.240.16.1, 127.0.0.1, not 192.168.30.10
```

Currently the SAN has the following allowed names, which do not include the tunnelling agent endpoint slice IP:

[Screenshot (2023-02-20): SAN entries of the current API server certificate]

Discussion on slack thread

Expected behavior

The endpoint slice IP should be reachable from the user cluster. The cert issued should also include the endpoint slice IP in the SAN to avoid any failure during certificate SAN verification.

How to reproduce the issue?

Try to initiate any service call to the API server endpoint using the endpoint slice IP.

How is your environment configured?

  • KKP version: 2.21 Tunneling mode
  • Shared or separate master/seed clusters?: Shared

Provide your KKP manifest here (if applicable)

API server EndpointSlice object, i.e. `kubernetes` in the `default` namespace:

```yaml
addressType: IPv4
apiVersion: discovery.k8s.io/v1
endpoints:
- addresses:
  - 192.168.30.10
  conditions:
    ready: true
kind: EndpointSlice
metadata:
  creationTimestamp: "2023-02-12T18:03:55Z"
  generation: 1
  labels:
    kubernetes.io/service-name: kubernetes
  name: kubernetes
  namespace: default
  resourceVersion: "267"
  uid: a62b76c9-3439-4c52-aad8-ca00c908f298
ports:
- name: https
  port: 6443
  protocol: TCP
```

What cloud provider are you running on?

AWS

What operating system are you running in your user cluster?

Flatcar Linux
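The x509 error in the report is the client's SAN check rejecting an IP that the serving certificate does not list. The following added example (not KKP's code, and `issueAPIServerCert` is a hypothetical stand-in for the real certificate issuer) reproduces that check offline with the IPs from the issue: a cert whose SAN covers only 10.240.16.1 and 127.0.0.1 is rejected for the EndpointSlice address 192.168.30.10, and the same check passes once that IP is added to the SAN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueAPIServerCert builds a self-signed server cert whose SAN holds exactly
// sanIPs (hypothetical stand-in for KKP's real certificate issuer).
func issueAPIServerCert(sanIPs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	for _, s := range sanIPs {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(s))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// endpointsNotInSAN lists the EndpointSlice addresses a TLS client would reject:
// VerifyHostname checks an IP literal against the certificate's SAN IP entries.
func endpointsNotInSAN(cert *x509.Certificate, endpointAddrs []string) []string {
	var missing []string
	for _, addr := range endpointAddrs {
		if err := cert.VerifyHostname(addr); err != nil {
			missing = append(missing, addr)
		}
	}
	return missing
}

func main() {
	// Constructed from the issue: SAN has the service IP and loopback, slice has the agent IP.
	cert, err := issueAPIServerCert([]string{"10.240.16.1", "127.0.0.1"})
	if err != nil { panic(err) }
	fmt.Println("rejected:", endpointsNotInSAN(cert, []string{"192.168.30.10"}))
}
```

The same function run against the live `kubernetes` EndpointSlice addresses and the served certificate gives a quick pre-flight check that every advertised endpoint is covered by the SAN before in-cluster scrapers hit it.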

@shankar-vng shankar-vng added the kind/bug Categorizes issue or PR as related to a bug. label Feb 20, 2023
@rastislavs rastislavs self-assigned this Feb 20, 2023
@rastislavs (Contributor) commented:

Thanks for reporting this!

@rastislavs rastislavs changed the title Api Server is not reachable via endpointslices from user cluster (Tunneling expose strategy) Api Server is not reachable via endpointslices from user cluster Feb 20, 2023
@rastislavs rastislavs added the sig/networking Denotes a PR or issue as being assigned to SIG Networking. label Feb 20, 2023