-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kubelet fails to authenticate to apiserver due to expired certificate #65991
Comments
I'm sad, because I thought this was fixed. /assign |
At a certain point we talked about a mode for the CertificateManager where it always uses it's bootstrap kubeconfig to request a certificate. This is the type of pickle I hoped to avoid in that mode. I'm worried that the current method is too fragile to be used practically with small rotation periods. |
Hello, we are currently setting cert rotation to be happening every 24h. Our users are deallocating their VM overnight to reduce the cloud cost. Anything we could look into as a quick fix? Or is the current recommendation not to use Cert Rotation until it moves out of Beta? thanks! |
@mikedanese / @smarterclayton your input would be appreciated :) |
I am trying to do the same:
Could you guys suggest what is the right aproache ? |
How does one go about rotating the actual apiserver-kubelet-client.crt? The API server wont start on my cluster because it was created as the sametime as the kubelet.crt. |
Anonymous requesting CSRs looks strange? |
I've spent some free cycles on this and it's seems to be working OK for me on a kubeadm built cluster with kubelet version v1.11.2. What does this mean:
I've been using |
Hi Mikko.
Have you tried shutting down your node and see if you bring it back up after the TTL if it will be able to come back to a ready state and refresh it’s cert ?
… On Aug 16, 2018, at 7:46 AM, Mikko Ylinen ***@***.***> wrote:
I've spent some free cycles on this and it's seems to be working OK for me on a kubeadm built cluster with kubelet version v1.11.2.
What does this mean:
Install tools: custom
I've been using --experimental-cluster-signing-duration=10m and bootstrap tokens with different --ttl to kubeadm token
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
I had just |
ok, that's weird. maybe something new in v.1.11.2. I will let @tshaynik verify and reply since he's the one who did most of this work and investigation on our side. Regarding
We install Kubernetes the hard way using a salt based solution. |
OK, I'm not familiar with this. I got almost the same error message you're seeing if I drop RBAC |
@awslovato did you manage to recover your apiserver? if so, can you share how? I have the same situation, the apiserver won't run due to the certificate being expired and the certificate cannot be renewed due to the apiserver being down :( |
Hi Albert, I did! On the Kube Slack I found out about using kubeadm to recycle the certs that were expired with Now my issue is that my users filled the Docker volume. I have to start all over now, and I'm not keen on that. |
Any update on this bug? We are not using kubeadm. Only solution is to manually remove the certs. |
I run in this problem too:
Output from journalctl -u kubelet says:
Is there any solution? My "pods" are still running... but I can't use kubectl and if i restart my server, it won't start again :( (so i reverted to a snapshot) |
maybe kubernetes/kubeadm#581 (comment) can solve your problem. |
@liggitt: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
How is this resolved? I'm still experiencing this exact error on Kubernetes 1.12.7 running on EKS.
Upon checking, the kubelet-server-current.pem points to an empty file. Then kubelet will fail to start. Workaround :
Surprisingly this only happens on 1 specific Node. All the Nodes are deployed using the same configuration. |
@SaltedEggIndomee your error message complains about kubelet serving certificate while your workaround removes the client one. In any case, serving certificate being empty and preventing kubelet startup is a separate issue, this one is about client certificates. Please file a new issue. |
I can see a very similar thing happening in 1.14.x. I joined a 1.14.x node to a cluster, which completes the TLS bootstrapping process successfully, and stores current, signed certs at /var/lib/kubelet/pki/kubelet-client-current.pem. I then delete the created /etc/kuberenetes/kubelet.conf, and join the node to a different 1.14.x cluster moments later. The kubelet is failing to complete the TLS bootstrapping process for the new cluster. But by also deleting /var/lib/kubelet/pki/kubelet-client-current.pem before joining the new cluster, the whole process completes as intended. Perhaps someone with more knowledge on this process can shed some light into the reasoning here. Btw I did not experience this with 1.13.x. |
I am on baremetal kubernetes version 1.15.3 and below steps helped me solve the issue.
|
/kind bug
/sig auth
What happened:
My team is having an issue with TLS bootstrap, running Kubernetes 1.10.5. We set --experimental-cluster-signing-duration to 24h on the kube-controller-manager. Some nodes are being deallocated over night, and when they come up, Kubelet goes into a failed state. It appears that it recognizes that the certificate expires and attempts to bootstrap using the token from bootstrap.kubeconfig (so far so good), but then reuses the expired certificate, and cannot authenticate to the apiserver. Here are relevant logs from kubelet:
After removing the generated cert at
/var/lib/kubelet/pki/kubelet-client-current.pem
, kubelet was able to bootstrap properly, obtain a new cert and join the cluster.Just removing the kubeconfig, or any of the files in
/var/lib/kubelet/pki/
other than kubelet-client-current.pem and restarting kubelet did not work. Removing the entire/var/lib/kubelet/pki/
directory and restarting kubelet works as well.What you expected to happen:
I expect that after kubelet recognizes that its certificate has expired, it should remove its certificate and successfully bootstrap with the token in bootstrap.kubeconfig. It should obtain a new, valid, signed certificate from the control plane and successfully authenticate to the apiserver.
How to reproduce it (as minimally and precisely as possible):
--experimental-cluster-signing-duration
flag on the kube-controller-manager to a small duration.Anything else we need to know?:
Let me know if there are more logs and information that would be useful. Thanks a lot!
Environment:
kubectl version
): 1.10.5uname -a
): 3.10.0-693.11.6.el7.x86_64The text was updated successfully, but these errors were encountered: