How to add extra nodes to the certificate-authority-data from a self signed k8s cluster?

痞子三分冷 提交于 2021-01-07 00:11:00

问题


I am trying to create an HA cluster with HAProxy and below 3 master nodes.

On the proxy I am following the official documentation High Availability Considerations/haproxy configuration. I am passing the ssl verification to the Server Api option ssl-hello-chk.

Having said that I can understand that on my ~/.kube/config file I am using the wrong certificate-authority-data that I picked up from the prime master node e.g.:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <something-something>
    server: https://ip:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate-data: <something-something>
    client-key-data: <something-something>
    token: <something-something>

I found a relevant ticket on GitHub Unable to connect to the server: x509: certificate signed by unknown authority/onesolpark which makes sense that I should extract the certificate-authority-data of the proxy.

On this case I assume that I should extract the certificate-authority-data from one of the certs in /etc/kubernetes/pki/ most likely apiserver.*?

Any idea on this?

Thanks in advance for your time and effort.


回答1:


Okay I managed to figured it out.

When a k8s admin decides to create a HA ckuster he should have minimum one LB but ideally he should have two LB that both are able to LB towards all Master nodes (3,5 etc).

So when the user wants to send a request to Server API towards one of the Master nodes, the request will go through ideally through a Virtual IP and forward to one the LB. As a second step the LB will forward the request to one of the Master nodes.

The problem that I wanted to solve is that the Server API had no record of the IP of the LB(s).

In result the user will get the error Unable to connect to the server: x509: certificate signed by unknown authority.

The solution can be found on this relevant question How can I add an additional IP / hostname to my Kubernetes certificate?.

Straight answer is simply add the LB(s) in the kubeadm config file before launch of Master Prime node e.g.:

apiServer:
  certSANs:
  - "ip-of-LB1"
  - "domain-of-LB1"
  - "ip-of-LB2"
  - "domain-of-LB2" # etc etc
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s

But as it is also mentioned the analytical documentation can be found here Adding a Name to the Kubernetes API Server Certificate.

Also if the user decides to create its own certificates and not use the default self sign certificates (populated from k8s by default) he can add the nodes manually as documented from the official site Certificates.

Then if you want to copy the ca.crt is under the default dir /etc/kubernetes/pki/ca.crt (unless defined differently), or the user can choose to simply copy the ~/.kube/config file for the kubectl communication.

Hope this helps someone else to spend less time in the future.



来源:https://stackoverflow.com/questions/65186710/how-to-add-extra-nodes-to-the-certificate-authority-data-from-a-self-signed-k8s

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!