Issue with k8s.io/docs/admin/authentication/ #5362
Comments
@ahmetb 👋

I've got no clue. /unassign
Yes. There seem to be two problems. OpenSSL by default generates v1 certificates, which do not seem to support SAN well. Even when switching to a v3 certificate, you will have to include the service cluster IP of the API server in the certificate.
"because it doesn't contain any IP SANs": that's the issue if one follows the documentation, because `openssl req -new -key server.key -subj "/CN=${MASTER_IP}" -out server.csr` does not include the required subjectAltName. So either delete the openssl part from the documentation or add a sentence: the API server certificate MUST have a subjectAltName and include the FQDNs and IPs.
@cyberh0me 👋
Thanks for the update. I'll flag this issue as Actionable for doc updates.

/assign
This is a...
Problem:
generating certificates with openssl is missing the required IP SANs
dashboard is not happy without...
```
Error while initializing connection to Kubernetes apiserver. This most likely means that the cluster is misconfigured (e.g., it has invalid apiserver certificates or service accounts configuration) or the --apiserver-host param points to a server that does not exist. Reason: Get https://10.254.0.1:443/version: x509: cannot validate certificate for 10.254.0.1 because it doesn't contain any IP SANs
```
(/etc/kubernetes/apiserver:KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16")
Proposed Solution:
Still investigating, but the subjectAltName openssl option seems to be the solution.
Page to Update:
http://kubernetes.io/...
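The following is an added example, not part of the issue or of the Kubernetes documentation: it issues an API server certificate whose subjectAltName covers the service cluster IP from the error above, and shows that signing the same CSR without `-extfile` loses the SANs. Assumptions: `MASTER_IP` defaults to a constructed placeholder (192.0.2.10), the DNS names and the throwaway CA are illustrative, and the function names `make_apiserver_cert` and `has_ip_san` are hypothetical.

```shell
# Added example (not from the issue). MASTER_IP is a constructed placeholder;
# SERVICE_IP is the address from the dashboard error; DNS names are assumed.
MASTER_IP="${MASTER_IP:-192.0.2.10}"
SERVICE_IP="${SERVICE_IP:-10.254.0.1}"

make_apiserver_cert() {  # $1 = output directory
  dir=$1
  mkdir -p "$dir" || return 1
  cat > "$dir/csr.conf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_ext
[ dn ]
CN = ${MASTER_IP}
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
IP.1 = ${MASTER_IP}
IP.2 = ${SERVICE_IP}
EOF
  # Throwaway CA, for the demonstration only.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null &&
  openssl req -x509 -new -key "$dir/ca.key" -subj "/CN=demo-ca" -days 1 \
    -config "$dir/csr.conf" -extensions v3_ca -out "$dir/ca.crt" &&
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
  openssl req -new -key "$dir/server.key" -config "$dir/csr.conf" -out "$dir/server.csr" &&
  # Signing without -extfile: the SANs in the CSR are not copied into the certificate.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/server-noext.crt" &&
  # Signing with -extfile/-extensions: the certificate carries the SANs.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extensions v3_ext -extfile "$dir/csr.conf" \
    -out "$dir/server.crt"
}

has_ip_san() {  # $1 = certificate file, $2 = IP address; exit status 0 if present
  openssl x509 -in "$1" -noout -text | grep -qE "IP Address:$2(,|[[:space:]]*\$)"
}
# Usage: make_apiserver_cert ./pki && has_ip_san ./pki/server.crt "$SERVICE_IP"
```

Running `has_ip_san` against the certificate the API server actually serves is a quick check before pointing the dashboard at the service cluster IP.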