-
Notifications
You must be signed in to change notification settings - Fork 250
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API server fails to discover Kubernetes API on Azure #1295
Comments
I think it might be the CN field mismatch the domain of URL requested by Kube-apiserver. |
What is azure expecting?
But maybe azure is expecting |
Ah I see now, indeed, this is the k8s api trying to call the cdi apiserver and failing due to TLS handshake failure. It became clear when I did:
Deploying the operator and the API in |
Take a look a the
It tells you what CN kube-apiserver was given and what was expected |
Indeed, just checked with aks-engine, the error is:
whereas 10.0.198.152 is the service ClusterIP
It still baffles me why this should be the case? |
Yeah, I am not sure why it is using the ip instead of the service name. That makes certificate generation much more difficult. Does the KubeVirt apiserver have a similar issue? |
It seems not, kubevirt api server reports no error:
Interestingly,
thanks for the support by the way! I'm running kube-virt just fine in AKS/aks-engine, using pre-populated PVCs and DVs, but I'd still like to use the uploadproxy for other use cases. |
May I suggest trying CDI version 1.19.0? In 1.20.0, we added the v1beta1 API endpoints. I wonder if that is related. |
Still same:
Happy to give you access to the cluster if you wish to troubleshoot, ping me on slack, alessandro on k8s slack |
see kubevirt#1295 Signed-off-by: Michael Henriksen <mhenriks@redhat.com>
Issue traced down to lack of value for Thanks for the help @ams0!! |
see #1295 Signed-off-by: Michael Henriksen <mhenriks@redhat.com>
Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug
What happened:
On both AKS and aks-engine, API server fails to connect to Kubernetes APIs with
on AKS, communication to the control plane is mediated by the
aks-link
tunnel pod:the CDI API server apparently autodiscovers the IP of the
aks-link
pod to be that of the k8s API server but the TLS handshake fails for 10.240.0.68 (I suppose the certificate returned is valid for the full DNS name of the API server, in my case,kubevirt-k8s-12c7e9-0604dc01.hcp.westeurope.azmk8s.io
).On aks-engine instead, the controller and api pods are running on the controller nodes (which are in the same vnet as the worker nodes) with
hostNetwork: true
and thus have the same IP as the master node:I edited the
cdi-apiserver
deployment addingbut the operator reverts back my changes (I think due to this line.
At this moment, CDI is unusable on Azure in both managed and unmanaged clusters.
What you expected to happen:
CDI api server to be able to find out the kubernetes api endpoint correctly.
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Environment:
kubectl get deployments cdi-deployment -o yaml
): 1.20kubectl version
): 1.18.4The text was updated successfully, but these errors were encountered: