Dashboard complaints on startup: x509: failed to load system roots and no roots provided #1287
Comments
Have you checked the --apiserver-host parameter in the kubernetes-dashboard.yaml file to see if it is configured correctly? kubernetes-dashboard.yaml
It's better to connect to API server through kubernetes service if HTTPS is used, so I'd leave it commented. According to this
It looks like either dashboard is not picking up service account or your cluster is not configured properly. If it's the first issue then try to delete default secrets and then delete dashboard pod. Secrets should be recreated automatically and dashboard should then pick it up on restart and use them. Second issue is more complex. You need correct CA/server certificates provided to api server. If service account certificate is not provided then server certificate will be used.
Thanks for the replies. The ServiceAccount may actually be wrong, as it seems to only generate a token, nothing x509 based. Do we need to set something on apiserver side to have it add the certs to the ServiceAccount as well?
Adding the --apiserver-host option did not solve the problem, error stays the same, except that it now adds the DNS name of the apiserver to it (the ip address in my original report was correct as well, btw). It seems to want a certificate and I have no way how I should provide that :/
Can you please share the flags you're passing to
Cluster configuration
Keep in mind that this is my dev configuration. I'm also using certificate based authentication to connect to the cluster. You can enable more authentication/authorization plugins if you want. This is just my basic setup.
API Server
Kubelet
Controller manager
Proxy
Scheduler
Kubeconfig
Certificates configuration
I'm using my simple script to generate needed certs. Correct SAN address/hostname needs to be set in openssl config file.
Config & script
By installing my admin certificate in browser I can connect to deployed dashboard. More about how to do this: kubernetes/kubernetes#31665. Note: You may have to delete default secrets and dashboard pod in order for it to pick up service accounts. After that it should work.
Of course: apiserver:
For good measure, here's controller as well:
And scheduler:
Also, our kubeconfig:
So the ServiceAccount now includes the ca.crt (not sure what I changed), but I still get the same message:
I'm a bit out of ideas where else to look for a solution :/
I've started another instance to check the SSL, when I use the following:
The output ends with Any idea?
@timstoop What about other addon containers? Do they run correctly? E.g., heapster.
@bryk Kube-dns runs without a problem. I've been looking into this issue by adding the dashboard to an alpine container (which allows me to debug) and strace-ing the process. I can see it check the standard CA certificates directories, but the only thing it gets out the serviceaccount data is:
It's not even trying to open
For reference, inside the container I can do this without a problem:
How about using
Alas:
But this is kind of interesting:
It seems to be not passing the token at all?
Heh... So I installed curl inside the container, and now I have a different error:
Which makes sense, as it is still not using the serviceaccount's ca.crt.
Ah, the kubeconfig flag has been added after 1.4 release. Can you check out latest
That worked! Thanks!
I'm still wondering why the default didn't work for you... I'll keep this open for further investigation.
Ok, I'll keep subscribed to this, so feel free to ask questions if you need answers! Happy to help.
In my CentOS host, I mount /etc/pki, but I get another error: the server has asked for the client to provide credentials. How do I set the client cert & cert-key file for the dashboard? I made some attempts, but without success. $ kubectl delete pod kube-dns-v19-xg5or --namespace=kube-system When I use --kubeconfig, I get a panic.
I will try v1.4.2.
I found the reason at last. I can use --kubeconfig. In my kubeconfig I set the cert file in another folder, so I must add a volume mount to the dashboard. If your kubeconfig file uses client-certificate-data, which is base64-encoded, you will not need the mount.
@timstoop but I don't want a hardcoded token or a keypair for each service. I want to use the automatically generated token from /var/run/../token + its sibling ca.crt
@sgeisbacher I switched to the canary release and it worked immediately.
Closing as stale. For >1.6 clusters it is needed to use service accounts to run Dashboard.
Can I use my own wildcard certificate from GoDaddy, *.myname.com?
Issue details
I'm following the documentation at http://kubernetes.io/docs/user-guide/ui/, but it fails at the first step already. The container fails to start with the log entry:
Nowhere on that page is it explained how to deal with this issue and a Google search doesn't provide enlightenment. We have serviceaccounts enabled and the pod has the default one attached. When I take a look at the serviceaccount with describe, I get the following:
I have no idea how to continue from here. Which cert is dashboard looking for? What's the best way of getting that into the container? Also, is the documentation outdated or am I doing something weird, as the (pretty simple) recipe does not seem to work for me.
Environment
We're running the containers on CoreOS running on AWS. Currently running 1.3.6, planning on updating to 1.4.0 somewhere soon.
Steps to reproduce
Follow the guide as described here: http://kubernetes.io/docs/user-guide/ui/
Observed result
And then the pod stays in CrashLoopBackOff status.
Expected result
A working UI!