Private DNS + private topology on AWS: problems regarding the certificate #2032
I created a new cluster on AWS:
As I'm using a private zone on Route 53, my laptop cannot resolve the server name (https://api.cluster.k8s) set on kubecfg.
Looking at Route 53 I noticed that
So I need to use
Do you guys know how to overcome this issue? Is it possible to tell kops to generate the certificate without constraining domains, for instance?
Thanks in advance!
The default is sufficient; use kops to create a cluster. I did this:

```
kops create cluster --zones us-west-1a --topology private --bastion=true --networking weave --kubernetes-version 1.5.3 --network-cidr 192.168.0.0/16 --associate-public-ip=false --dns-zone=dev.example.com dev.example.com
```

then wait about 5 minutes for it to create the nodes, LB, etc.
I wish I could use a private zone instead of a public one. Everything works fine with the snippet you provided, but the names can be resolved from anywhere on the internet, even though they only make sense inside a VPC - several of the entries are mapped to private IPs (nodes within the cluster). I wish I could use a private DNS zone without having problems with the certificate. It could be done either by inputting my own certificate or by specifying that I don't want kops to constrain it to any domain, for instance. I have no idea if it's possible to do so.
If you use OpenVPN or a similar technology to access your private k8s cluster, you might want to check the configuration to see whether you can make the VPN client delegate DNS resolution to the VPN server rather than to a public one like 22.214.171.124.
In my case we use Pritunl as a bastion, and it lets us set the name server's address, so I set AWS's private name server address (
If you prefer an ssh tunnel, sshuttle also supports DNS tunneling via the ssh tunnel, although I haven't tested it myself with k8s.
Hmm, the only things I can come up with right now for using private DNS are:
What a user of kops can do:
If kops should resolve this:
Stumbled on the same issue today as I was setting up a cluster. There's a small trick I found here at the very bottom, which basically tells you to create records in your public zone for the ELBs created by kops (bastion and api).
This only works if you have a public and private route53 zone with the same domain. And in that case it works fine. But it probably won't work if you have an existing VPC with an internal domain that doesn't match the public one, which is probably the most likely scenario (I use internal domains that are different from the public ones for all my VPCs...).
Ideally I would like to be able to tell kops to either:
Additionally, PR #2063 added support for defining additional names for the master cert; this is included in version 1.8.0-beta.1 and could be used to solve this problem after creating the cluster.
I'd expect it to be fairly trivial to fix this completely, considering that when using gossip the elb address is added to the certificate. The same thing just needs to be done for private dns as well.
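A quick way to confirm that this is the failure you are hitting (the API server's certificate simply does not list the name your kubeconfig uses) is to check the certificate's subjectAltName entries against that name with the openssl CLI. The script below is an added example and is not kops code or anything posted in this thread. It assumes openssl 1.1.1 or newer is installed, generates a throwaway self-signed certificate as constructed test data in place of the kops master cert, and uses its own helper names (make_test_cert, list_sans, cert_covers_name, fetch_api_cert); the cluster hostname api.cluster.k8s is the one from the original report, and api.dev.example.com is a made-up public-zone name.

```shell
#!/bin/sh
# Added example (not kops code): check whether an API server certificate
# covers the hostname your kubeconfig points at. Assumes the openssl CLI
# (1.1.1+) is installed. The certificate generated here is constructed
# test data standing in for the master cert kops issues.
set -eu

# make_test_cert DIR NAME...
# Writes a throwaway self-signed cert whose SAN list is the given DNS names.
make_test_cert() {
  dir="$1"; shift
  sans=""
  for n in "$@"; do
    sans="${sans:+$sans,}DNS:$n"
  done
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=kubernetes-master" \
    -addext "subjectAltName=$sans" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# list_sans CERT
# Prints the Subject Alternative Name extension (works on older openssl too).
list_sans() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# cert_covers_name CERT HOSTNAME
# Exits 0 when OpenSSL's hostname verification accepts HOSTNAME for CERT,
# i.e. a kubectl client connecting to that name would not trip over the
# SAN mismatch discussed in this thread. CERT doubles as the trust anchor
# because the demo cert is self-signed; against a real cluster pass the
# cluster CA as -CAfile instead.
cert_covers_name() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# fetch_api_cert HOST PORT
# Pulls the certificate a live API server presents (needs network access),
# so the same check can be run against a real cluster:
#   fetch_api_cert api.cluster.k8s 443 > api.pem && list_sans api.pem
fetch_api_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Demo: a cert carrying only the public-zone name, checked against both that
# name and the private name from the original report.
main() {
  d="$(mktemp -d)"
  make_test_cert "$d" api.dev.example.com
  list_sans "$d/cert.pem"
  for name in api.dev.example.com api.cluster.k8s; do
    if cert_covers_name "$d/cert.pem" "$name"; then
      echo "$name: covered by the certificate"
    else
      echo "$name: NOT in the SAN list, TLS verification will fail"
    fi
  done
  rm -rf "$d"
}

main
```

Once PR-style additional SANs are in place, rerunning fetch_api_cert and list_sans against the live endpoint is the fastest way to confirm the private name actually made it into the reissued certificate.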
Issues go stale after 90d of inactivity.
If this issue is safe to close now, please do so with
Send feedback to sig-testing, kubernetes/test-infra and/or fejta.