Reputation: 13440
I want to start developing for the Kubernetes project. I wanted to debug the network between the master and the worker.
Currently they are using x509 certificates for SSL communication and I need to see this communication.
I installed a Kubernetes cluster on a Linux machine with kubeadm and the Weave network plugin, and I now want to disable the SSL network to be able to see all the traffic between them.
I tried the steps described in this answer and:
--insecure-port=0 from /etc/kubernetes/manifests/kube-apiserver.yaml
--insecure-bind-address=0.0.0.0 to /etc/kubernetes/manifests/kube-controller-manager.yaml and /etc/kubernetes/manifests/kube-scheduler.yaml
service kubelet restart
I created a new deployment: kubectl run nginx --image nginx on the master and on the worker I ran tcpdump -i ens3 -w ./traffic.pcap.
The deployment failed to run.
I checked the kubelet logs (journalctl -u kubelet):
Apr 01 12:16:57 master kubelet[10614]: E0401 12:16:57.238125 10614 pod_workers.go:190] Error syncing pod 26ead5e19e83a1d9426b732dc183b75d ("kube-controller-manager-master_kube-system(26ead5e19e83a1d9426b732dc183b75d)"), skipping: failed to "StartContainer" for "kube-controller-manager" with CrashLoopBackOff: "Back-off 5m0s restarting failed container=kube-controller-manager pod=kube-controller-manager-master_kube-system(26ead5e19e83a1d9426b732dc183b75d)"
Apr 01 12:16:59 master kubelet[10614]: E0401 12:16:59.238970 10614 pod_workers.go:190] Error syncing pod 448824ad8c321fa307186a36765b0ee4 ("kube-scheduler-master_kube-system(448824ad8c321fa307186a36765b0ee4)"), skipping: failed to "StartContainer" for "kube-scheduler" with CrashLoopBackOff: "Back-off 5m0s restarting failed container=kube-scheduler pod=kube-scheduler-master_kube-system(448824ad8c321fa307186a36765b0ee4)"
How is it possible to disable Kubernetes SSL communication and debug it for development?
Upvotes: 0
Views: 2269
Reputation: 44569
The scheduler and controller manager did not start after you added --insecure-bind-address because this flag is not supported by these two components. So you remove it and the deployment should work.
You can verify this by running the commands below to check the logs; you should see the error unknown flag: --insecure-bind-address
kubectl logs kube-controller-manager-master -n kube-system
kubectl logs kube-scheduler-master -n kube-system
Edit:
For HTTP communication between the API Server and the kubelet you can set --kubelet-https to false in the API Server.
Upvotes: 4
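An added example (not part of either post, and not Kubernetes project code): a small Python check that reads static pod manifest text and reports the flags discussed in this thread, so a debugging change that crash-loops a component or leaves plaintext enabled is caught before it is forgotten. The sample manifests, the port value 8080 and the function names are constructed for illustration.

```python
import re

# Per the answer above, these components reject --insecure-bind-address.
UNSUPPORTED = {
    "kube-scheduler": {"--insecure-bind-address"},
    "kube-controller-manager": {"--insecure-bind-address"},
}
# Matches one YAML list item of the form "- --flag" or "- --flag=value".
FLAG_RE = re.compile(r"^\s*-\s+(--[a-z0-9-]+)(?:=(\S+))?\s*$")

# Constructed, trimmed manifests (not taken from the asker's cluster).
SAMPLES = {
    "kube-apiserver": """\
  - command:
    - kube-apiserver
    - --insecure-port=8080
    - --kubelet-https=false
""",
    "kube-scheduler": """\
  - command:
    - kube-scheduler
    - --insecure-bind-address=0.0.0.0
""",
}

def parse_flags(manifest_text):
    """Return {flag: value} for every '- --flag[=value]' line."""
    flags = {}
    for line in manifest_text.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = m.group(2)
    return flags

def audit(component, manifest_text):
    """Return sorted (kind, flag, reason) findings for one component."""
    flags = parse_flags(manifest_text)
    findings = [("crash", f, "unknown flag for this component")
                for f in UNSUPPORTED.get(component, set()) & flags.keys()]
    if component == "kube-apiserver":
        port = flags.get("--insecure-port")
        if port is not None and port != "0":
            findings.append(("plaintext", "--insecure-port",
                             "HTTP port " + port + " enabled"))
        if flags.get("--kubelet-https") == "false":
            findings.append(("plaintext", "--kubelet-https",
                             "API server to kubelet over HTTP"))
    return sorted(findings)

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit(name, text))
```

On a kubeadm control-plane node the same functions can be fed the contents of the files under /etc/kubernetes/manifests/ named in the question.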