esecules

Reputation: 357

kubectl exec fails "cannot validate certificate because it doesn't contain any IP SANs"

I'm trying to use kubectl exec to enter one of my containers, but I'm getting stuck on this error.

$ kubectl exec -it ubuntu -- bash
error: Unable to upgrade connection: {
    "kind": "Status",
    "apiVersion": "v1",
    "metadata": {},
    "status": "Failure",
    "message": "x509: cannot validate certificate for <worker_node_ip> because it doesn't contain any IP SANs",
    "code": 500
}

I have configured kubectl with my CA certificate and admin keys, etc., according to this guide https://coreos.com/kubernetes/docs/1.0.6/configure-kubectl.html

Update

I also found the same error in the API server's logs

E1125 17:33:16.308389 1 errors.go:62] apiserver received an error that is not an unversioned.Status: x509: cannot validate certificate for <worker_node_ip> because it doesn't contain any IP SANs

Does this mean I have configured the certs incorrectly on my worker/master nodes or on kubectl on my local machine?

Upvotes: 10

Views: 20752

Answers (3)

cahen

Reputation: 16706

If you're using Kubernetes with a Google Container Cluster, this may fix the issue as it did for me:

gcloud container clusters get-credentials <cluster-name> \
    --project <project-name> --zone <zone>

Upvotes: 3

George

Reputation: 1110

If you used this command to create your certificate:

openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out server-cert.pem

Then your issue can be resolved by doing the following, as the 'client' cert uses an -extfile extfile.cnf:

echo subjectAltName = IP:worker_node_ip > extfile.cnf
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
   -out server-cert.pem -extfile extfile.cnf

You can specify any number of IP addresses, such as IP:127.0.0.1,IP:127.0.1.1 (non localhost as well).

Upvotes: 4

Jordan Liggitt

Reputation: 18161

That message is coming from the master trying to connect to the node (the flow of traffic is kubectl -> master API -> kubelet -> container). When starting the master, are you setting --kubelet_certificate_authority? If so, the master expects to be able to validate the kubelet's serving cert, which means it needs to be valid for the hostnames/IP addresses the master uses to connect to it.

Upvotes: 1
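The two answers above describe the same check from opposite ends: George's openssl commands put the node IP into the subjectAltName extension, and Jordan's answer explains that it is the API server (a Go program) validating the kubelet's serving certificate against the IP it dialed. The following is an added example, not code from the question, the answers, or Kubernetes itself, that reproduces that check with Go's standard crypto/x509 package: it mints an in-memory CA, issues one server certificate with no IP SANs and one that names the node IP, and verifies both against that IP exactly as a TLS client does. The address 10.0.0.5 is a made-up stand-in for <worker_node_ip>; the certificate names and lifetimes are likewise illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical worker node address, standing in for <worker_node_ip> in the question.
const workerNodeIP = "10.0.0.5"

// newCA creates a throwaway self-signed CA (in memory only; for demonstration).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newServerCert issues a kubelet-style serving certificate from the CA.
// An empty ipSANs list reproduces the broken certificate from the question;
// a populated one is the equivalent of George's "-extfile extfile.cnf".
func newServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, ipSANs []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "kubelet"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  ipSANs, // becomes the subjectAltName IP entries
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyForIP performs the check the API server does when it dials a kubelet by IP:
// chain the certificate to the trusted CA, then require the dialed IP to appear
// among the certificate's IP SANs. An IP literal in DNSName is matched against
// IPAddresses, never against the Common Name.
func verifyForIP(cert, ca *x509.Certificate, ip string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   ip,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Demo returns the verification result for a cert without IP SANs and for
// one that names workerNodeIP. The first is a non-nil x509.HostnameError whose
// text is the message seen in the question; the second is nil.
func Demo() (noSANErr, withSANErr error) {
	ca, caKey, err := newCA()
	if err != nil {
		return err, err
	}
	bad, err := newServerCert(ca, caKey, nil)
	if err != nil {
		return err, err
	}
	good, err := newServerCert(ca, caKey, []net.IP{net.ParseIP(workerNodeIP)})
	if err != nil {
		return err, err
	}
	return verifyForIP(bad, ca, workerNodeIP), verifyForIP(good, ca, workerNodeIP)
}

func main() {
	noSAN, withSAN := Demo()
	fmt.Println("without IP SAN:", noSAN)
	fmt.Println("with IP SAN:   ", withSAN)
}
```

The practical check this suggests: whatever the master uses to reach the kubelet (IP or hostname) has to be in the serving certificate's subjectAltName, and a matching Common Name does not substitute for it. Adding the IP to the certificate is the fix; disabling the kubelet CA check on the master removes the server-identity guarantee rather than repairing it.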
