Issue with k8s.io/docs/admin/authentication/ #5362
Comments
|
@ahmetb 👋 |
|
I've got no clue. /unassign |
|
yes. There seem to be two problems. OpenSSL by default generates v1 certificates, which seems not supporting SAN well. Even when switching to v3 certificate, you will have to include the service cluster IP of the API server into the certificate. |
|
because it doesn't contain any IP SANs thats the issue if one follow the documentation because openssl req -new -key server.key -subj "/CN=${MASTER_IP}" -out server.csr does not include the required subjectAltName so either delete the openssl part from the documentation or add a sentence the api server certificate MUST have a subjectAltName and include the FQDN's and IP's |
|
@cyberh0me 👋
Thanks for the update. I'll flag this issue as Actionable for doc updates. |
|
/assign |
This is a...
Problem:
generating certificates with openssl is missing the required IP SANs
dashboard is not happy without...
Error while initializing connection to Kubernetes apiserver. This most likely means that the cluster is misconfigured (e.g., it has invalid apiserver certificates or service accounts configuration) or the --apiserver-host param points to a server that does not exist. Reason: Get https://10.254.0.1:443/version: x509: cannot validate certificate for 10.254.0.1 because it doesn't contain any IP SANs
(/etc/kubernetes/apiserver:KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16")
Proposed Solution:
still investigating but subjectAltName openssl option seems the solution
Page to Update:
http://kubernetes.io/...
The text was updated successfully, but these errors were encountered: