[release-1.20] kubernetes.default.svc not among SANs in Kubernetes API serving certificate #1113

fapatel1 · 2021-06-08T21:44:42Z

Pull through "kubernetes.default.svc not among SANs in Kubernetes API serving certificate" from k3s-io/k3s#3392 to release-1.21 branch

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

ShylajaDevadiga · 2021-06-22T23:03:46Z

Validated fix using v1.20.8-rc1+rke2r1
On new install

$ echo QUIT | openssl s_client -connect localhost:6443 2>/dev/null | openssl x509 -noout -text |grep DNS
                DNS:localhost, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.43.0.1, IP Address:127.0.0.1, IP Address:172.31.5.149, IP Address:10.43.0.1

root@nginx-deployment-66b6c48dd5-jk9bv:/# curl --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt https://kubernetes.default.svc
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}

On upgrade from v1.20.7+rke2r2 to v1.20.8-rc1+rke2r1
Before upgrade

ubuntu@ip-172-31-5-149:~$ echo QUIT | openssl s_client -connect localhost:6443 2>/dev/null | openssl x509 -noout -text |grep DNS
                DNS:localhost, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc.cluster.local, IP Address:10.43.0.1, IP Address:127.0.0.1, IP Address:172.31.5.149, IP Address:10.43.0.1

After upgrade

ubuntu@ip-172-31-5-149:~$ echo QUIT | openssl s_client -connect localhost:6443 2>/dev/null | openssl x509 -noout -text |grep DNS
                DNS:localhost, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.43.0.1, IP Address:127.0.0.1, IP Address:172.31.5.149, IP Address:10.43.0.1

fapatel1 added the kind/bug Something isn't working label Jun 8, 2021

fapatel1 added this to the v1.20.8+rke2r1 milestone Jun 8, 2021

fapatel1 assigned brandond Jun 8, 2021

fapatel1 changed the title ~~[release-1.21] kubernetes.default.svc not among SANs in Kubernetes API serving certificate~~ [release-1.20] kubernetes.default.svc not among SANs in Kubernetes API serving certificate Jun 8, 2021

brandond added a commit to brandond/rke2 that referenced this issue Jun 9, 2021

Update k3s and resync module versions for rancher#1113 and rancher#1117

d124eda

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

This was referenced Jun 9, 2021

Pull through fixes for multiple issues in RKE2 release-1.20 #1120

Closed

Pull through fixes for multiple issues in RKE2 release-1.20 #1121

Merged

brandond added this to To Triage in Development [DEPRECATED] via automation Jun 9, 2021

brandond moved this from To Triage to Peer Review in Development [DEPRECATED] Jun 9, 2021

brandond added a commit that referenced this issue Jun 11, 2021

Update k3s and resync module versions for #1113 and #1117

38ed011

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

brandond moved this from Peer Review to To Test in Development [DEPRECATED] Jun 11, 2021

davidnuzik assigned ShylajaDevadiga Jun 15, 2021

ShylajaDevadiga closed this as completed Jun 22, 2021

Development [DEPRECATED] automation moved this from To Test to Done Issue / Merged PR Jun 22, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[release-1.20] kubernetes.default.svc not among SANs in Kubernetes API serving certificate #1113

[release-1.20] kubernetes.default.svc not among SANs in Kubernetes API serving certificate #1113

fapatel1 commented Jun 8, 2021 •

edited by brandond

ShylajaDevadiga commented Jun 22, 2021

[release-1.20] kubernetes.default.svc not among SANs in Kubernetes API serving certificate #1113

[release-1.20] kubernetes.default.svc not among SANs in Kubernetes API serving certificate #1113

Comments

fapatel1 commented Jun 8, 2021 • edited by brandond

ShylajaDevadiga commented Jun 22, 2021

fapatel1 commented Jun 8, 2021 •

edited by brandond