TLS handshake errors caused by Controller ELB running tcp healthchecks to 443 #295
Comments
|
check from the client side, there should be more informative error |
|
Client side works and I dont see any errors |
|
there must be, these IPs belong to pods right? and something there failed to established connection |
|
huh, ok I think I can pin it to a service and ELB healthcheck. ty! |
|
This happens because we are doing TCP healthcheck on SSL listener |
mumoshu
changed the title
mumoshu
changed the title
|
The apiserver requires a client certificate the ELB doesn't have, so the ELB can only do a TCP connect healthcheck, and that connect/disconnect triggers those errors in the logs. I get them too. It would be nice if there were someway to suppress them, or not log on a zero-data connect/disconnect. |
|
Thanks for the info @whereisaaron! |
|
Enabling any unauthenticated/anonymous access to the API makes be a bit uneasy @mumoshu ! It is possible for failed client-cert requests to fall back to anonymous, but I don't see that you can restrict those anonymous requests to just the ELB, so everyone with access to the API (from either side of the ELB) could make anonymous requests. These would map to the So I personally think these log entries are inappropriately conflating an empty TCP connect with real TLS negotiation errors. If the client doesn't send a single byte, I am not sure you could claim they are trying to negotiate anything. It is kind of like someone visits your website login page, but doesn't try to login at all, and then claiming that is a failed login. Seems like a specious stance. Fixing that would require a patch to the authproxy though. |
|
Thanks @whereisaaron! |
|
Ah, doing so would enable attackers to access an insecure port via cracked pods on controller nodes? |
|
I think we can close this. This is just how TCP healthchecks work and there's no easy way to 'fix' it without sacrificing stability... cc @Saso #bugcleaning |
|
do we have any other ports opened by apiserver which can be checked by ELB? |
|
- containerPort: 443
hostPort: 443
name: https
- containerPort: 8080
hostPort: 8080
name: local8080 is used for the liveness probe too ( |
|
AFAIK 8080 is the insecure port (bound to |
|
This seems to have been fixed by SSL healthchecks. See #604 |
|
Anyone seeing this again with a more recent version of kube-aws like 0.10.0? |
|
Hi @c-knowles I think this fix was specific to the 'classic' ELB. Have you (like me) switched to the ELBv2 option that kube-aws offers now? That currently configures with a TCP healthcheck, which would have the same problem. ELBv2 load balancers do support HTTP(S) health checks, even on TCP load balancers. So a similar fix may be possible for the ELBv2 configuration. |
|
@whereisaaron nope, we haven't swapped unless kube-aws changed the default. I'll investigate further, for now all the info I have it this seems to be re-occurring and not entirely sure why. My current guess is this is healthchecks we have inside the cloud init scripts/systemd unit and the nodes were unhealthy at the time (unrelated health issues). |
|
I'm using kube-aws v0.10.2, a classic ELB for a single API endpoint and I'm seeing the TLS errors: Maybe this is a regression? |
|
When you dominate a market, you don't really care about small details like this. So what if the LB can send only TCP healthchecks? Just change the source code from apps so that it doesn't throw EOF errors when TCP healthchecks come in. EASY! |
We are seeing a lot of "TLS handshake error" on kube-apiserver and authproxy
Anyone have any ideas why this is happening?
The text was updated successfully, but these errors were encountered: