api logs not very precise in regards to cert issues on endpoints #122639
Comments
/help
@leilajal: Guidelines
Please ensure that the issue body includes answers to the following questions:
For more details on the requirements of such an issue, please see here and ensure that they are met. If this request no longer meets these requirements, the label can be removed
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
I would love to work on this.
I think I need to update the log message to be more specific. Like
I'd put details for which endpoint "DNS name and/or IP" that's being accessed. Specifically, the IP is important too. It might be a DNS issue (if the DNS name has multiple IPs, for example, it may be only one of them).
Hi @neolit123 I am unable to find the code that is logging this error message. Can you please help me with that?
try asking in #sig-api-machinery on k8s slack.
/assign
What happened?
Our kube-apiserver just started failing to start. The log from containerd only says:
2023-12-16T07:35:01.426019865+01:00 stderr F }. Err: connection error: desc = "transport: authentication handshake failed: x509: certificate has expired or is not yet valid: current time 2023-12-16T06:35:01Z is after 2023-12-03T03:37:19Z"
We checked the apiserver certs etc., and they were all fine.
We finally checked the etcd endpoint, and that had an old cert.
/sig api-machinery
A repost, for the log issue only, per @neolit123's suggestion: kubernetes/kubeadm#2989 (comment)
What did you expect to happen?
A log message that told me which endpoint had the bad cert, and details about the cert.
How can we reproduce it (as minimally and precisely as possible)?
Renew the API certs and not the etcd certs, then move time forward so the etcd certs have run out, and restart kubelet.
Anything else we need to know?
No response
Kubernetes version
1.26.4
Cloud provider
hetzner.com - physical servers
OS version
ubuntu 22.04
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)
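What the requested log message could carry, as an added example (not code from the Kubernetes or etcd projects): a Go helper that, when a peer certificate is rejected, wraps the error with the endpoint, the IP actually reached, and the certificate's subject, serial and validity window. `dialTLS` and `demo` are hypothetical names; a loopback `httptest` server stands in for the etcd endpoint, and the client clock is moved past the certificate's expiry as in the reproduction steps.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"net/http/httptest"
	"time"
)

// dialTLS is a hypothetical helper: it performs a TLS handshake and, when the
// peer certificate is rejected, wraps the error with the endpoint, the IP
// actually reached and the rejected certificate's details.
func dialTLS(addr string, roots *x509.CertPool, now func() time.Time) error {
	raw, err := net.Dial("tcp", addr)
	if err != nil {
		return fmt.Errorf("endpoint %s: %w", addr, err)
	}
	defer raw.Close()
	host, _, _ := net.SplitHostPort(addr)
	cfg := &tls.Config{RootCAs: roots, ServerName: host, Time: now}
	err = tls.Client(raw, cfg).Handshake()
	var ce x509.CertificateInvalidError
	if errors.As(err, &ce) && ce.Cert != nil {
		return fmt.Errorf("endpoint %s (remote %s): cert subject=%q serial=%s notBefore=%s notAfter=%s: %w",
			addr, raw.RemoteAddr(), ce.Cert.Subject, ce.Cert.SerialNumber,
			ce.Cert.NotBefore.Format(time.RFC3339), ce.Cert.NotAfter.Format(time.RFC3339), err)
	}
	return err
}

// demo reproduces the issue on loopback: a test TLS server stands in for the
// etcd endpoint and the client clock is moved past the certificate's notAfter.
func demo() error {
	srv := httptest.NewTLSServer(nil) // constructed stand-in endpoint
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	future := func() time.Time { return srv.Certificate().NotAfter.Add(24 * time.Hour) }
	return dialTLS(srv.Listener.Addr().String(), roots, future)
}

func main() {
	fmt.Println(demo())
}
```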