From 2261d7ed0212c287273eac647647e4390c530a6e Mon Sep 17 00:00:00 2001
From: Andrey Smirnov
Date: Mon, 26 Apr 2021 21:12:50 +0300
Subject: [PATCH] fix: use both self-signed and Kubernetes CA to verify Kubelet cert Kubelet might be running either self-signed cert (by default) or API server issued cert (signed by the CA). User might switch between the two methods, so instead of guessing based on filesystem contents, accept both Kubernetes CA and self-signed cert (if available). Spotted by @aceat64
Signed-off-by: Andrey Smirnov
---
 pkg/kubernetes/kubelet/kubelet.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/kubernetes/kubelet/kubelet.go b/pkg/kubernetes/kubelet/kubelet.go
index 6bd8d475ad..7b3a082e15 100644
--- a/pkg/kubernetes/kubelet/kubelet.go
+++ b/pkg/kubernetes/kubelet/kubelet.go
@@ -51,7 +51,7 @@ func NewClient(clientCert, clientKey, caPEM []byte) (*Client, error) {
 kubeletCert, err := ioutil.ReadFile(filepath.Join(constants.KubeletPKIDir, "kubelet.crt"))
 if err == nil {
- config.CAData = kubeletCert
+ config.CAData = append(config.CAData, kubeletCert...)
 } else if err != nil {
 // ignore if file doesn't exist, assume cert isn't self-signed
 if !os.IsNotExist(err) {
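Review bot: The added `append(config.CAData, kubeletCert...)` joins two PEM bundles byte for byte, so if the CA data already in `config.CAData` does not end with a newline, the END line of its last certificate and the BEGIN line of `kubelet.crt` share one line and the PEM decoder can reject the blocks at the seam, leaving the trust pool short of one or both anchors. Whether `caPEM` is newline-terminated is not visible in this hunk, and `append` may also write into the caller's `caPEM` backing array if `config.CAData` aliases it with spare capacity. Building a fresh slice with an explicit separator avoids both: `config.CAData = bytes.Join([][]byte{config.CAData, kubeletCert}, []byte("\n"))` (this needs the `bytes` import if the file does not already have it). A short comment above the line such as `// trust both the Kubernetes CA and the kubelet's own cert: the kubelet may serve either` would also record that the on-disk certificate is now always an additional trust anchor. The body of `NewClient` starts before and continues after this hunk, so how `config.CAData` is first populated should be checked there.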