apiserver keeps visiting https://localhost:6443 after using TLS config

wujun...@gmail.com

Mar 23, 2017, 3:01:37 AM
to Kubernetes user discussion and Q&A
Hi,
I enabled TLS on the apiserver; the start command is:

```bash
/usr/bin/kube-apiserver --logtostderr=true --v=0 --etcd-servers=http://centos-master:2379 --insecure-bind-address=0.0.0.0 --secure-port=6443 --insecure-port=8080 --kubelet-port=10250 --allow-privileged=false --service-cluster-ip-range=10.254.0.0/16 --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,SecurityContextDeny,ResourceQuota --runtime-config=authentication.k8s.io/v1beta1=true --authentication-token-webhook-config-file=/etc/kubernetes/webhook.yaml --tls-ca-file=/etc/kubernetes/ssl/rootCA.pem --tls-cert-file=/etc/kubernetes/ssl/master.crt --tls-private-key-file=/etc/kubernetes/ssl/master.key
```

Then I restarted kube-apiserver. The API over HTTPS works fine from the browser, but the logs in /var/log/messages keep saying "x509: certificate is valid for 10.0.8.107, not localhost". But why does it visit localhost?

Thanks!

Here are the logs:
Mar 23 21:55:05 k8s-master kube-apiserver: I0323 21:55:05.213252 15113 logs.go:41] http: TLS handshake error from [::1]:55687: read tcp [::1]:6443->[::1]:55687: read: connection reset by peer
Mar 23 21:55:05 k8s-master kube-scheduler: E0323 21:55:05.348590 15103 leaderelection.go:261] Failed to update lock: endpoints "kube-scheduler" is forbidden: not yet ready to handle request
Mar 23 21:55:05 k8s-master kube-apiserver: I0323 21:55:05.348231 15113 trace.go:61] Trace "Update /api/v1/namespaces/kube-system/endpoints/kube-scheduler" (started 2017-03-23 21:54:55.347565757 +0800 CST):
Mar 23 21:55:05 k8s-master kube-apiserver: [12.022µs] [12.022µs] About to convert to expected version
Mar 23 21:55:05 k8s-master kube-apiserver: [31.437µs] [19.415µs] Conversion done
Mar 23 21:55:05 k8s-master kube-apiserver: [35.075µs] [3.638µs] About to store object in database
Mar 23 21:55:05 k8s-master kube-apiserver: [10.000623643s] [10.000588568s] END
Mar 23 21:55:05 k8s-master kube-apiserver: E0323 21:55:05.494713 15113 reflector.go:199] pkg/controller/informers/factory.go:89: Failed to list *api.LimitRange: Get https://localhost:6443/api/v1/limitranges?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:05 k8s-master kube-apiserver: I0323 21:55:05.494741 15113 logs.go:41] http: TLS handshake error from [::1]:55688: read tcp [::1]:6443->[::1]:55688: read: connection reset by peer
Mar 23 21:55:05 k8s-master kube-apiserver: E0323 21:55:05.494891 15113 reflector.go:199] pkg/controller/informers/factory.go:89: Failed to list *api.Namespace: Get https://localhost:6443/api/v1/namespaces?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:05 k8s-master kube-apiserver: I0323 21:55:05.494909 15113 logs.go:41] http: TLS handshake error from [::1]:55689: read tcp [::1]:6443->[::1]:55689: read: connection reset by peer
Mar 23 21:55:06 k8s-master kube-apiserver: E0323 21:55:06.222917 15113 reflector.go:199] k8s.io/kubernetes/plugin/pkg/admission/resourcequota/resource_access.go:83: Failed to list *api.ResourceQuota: Get https://localhost:6443/api/v1/resourcequotas?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:06 k8s-master kube-apiserver: I0323 21:55:06.222974 15113 logs.go:41] http: TLS handshake error from [::1]:55690: read tcp [::1]:6443->[::1]:55690: read: connection reset by peer
Mar 23 21:55:06 k8s-master kube-apiserver: E0323 21:55:06.511313 15113 reflector.go:199] pkg/controller/informers/factory.go:89: Failed to list *api.LimitRange: Get https://localhost:6443/api/v1/limitranges?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:06 k8s-master kube-apiserver: I0323 21:55:06.511345 15113 logs.go:41] http: TLS handshake error from [::1]:55691: read tcp [::1]:6443->[::1]:55691: read: connection reset by peer
Mar 23 21:55:06 k8s-master kube-apiserver: E0323 21:55:06.511499 15113 reflector.go:199] pkg/controller/informers/factory.go:89: Failed to list *api.Namespace: Get https://localhost:6443/api/v1/namespaces?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:06 k8s-master kube-apiserver: I0323 21:55:06.511517 15113 logs.go:41] http: TLS handshake error from [::1]:55692: read tcp [::1]:6443->[::1]:55692: read: connection reset by peer
Mar 23 21:55:07 k8s-master kube-apiserver: E0323 21:55:07.230919 15113 reflector.go:199] k8s.io/kubernetes/plugin/pkg/admission/resourcequota/resource_access.go:83: Failed to list *api.ResourceQuota: Get https://localhost:6443/api/v1/resourcequotas?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:07 k8s-master kube-apiserver: I0323 21:55:07.230951 15113 logs.go:41] http: TLS handshake error from [::1]:55694: read tcp [::1]:6443->[::1]:55694: read: connection reset by peer
Mar 23 21:55:07 k8s-master kube-apiserver: E0323 21:55:07.524799 15113 reflector.go:199] pkg/controller/informers/factory.go:89: Failed to list *api.LimitRange: Get https://localhost:6443/api/v1/limitranges?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:07 k8s-master kube-apiserver: I0323 21:55:07.524828 15113 logs.go:41] http: TLS handshake error from [::1]:55695: read tcp [::1]:6443->[::1]:55695: read: connection reset by peer
Mar 23 21:55:07 k8s-master kube-apiserver: E0323 21:55:07.524977 15113 reflector.go:199] pkg/controller/informers/factory.go:89: Failed to list *api.Namespace: Get https://localhost:6443/api/v1/namespaces?resourceVersion=0: x509: certificate is valid for 10.0.8.107, not localhost
Mar 23 21:55:07 k8s-master kube-apiserver: I0323 21:55:07.524995 15113 logs.go:41] http: TLS handshake error from [::1]:55696: read tcp [::1]:6443->[::1]:55696: read: connection reset by peer

Adieu

Mar 23, 2017, 9:47:11 AM
to kubernet...@googlegroups.com
> Then I restarted kube-apiserver. The API over HTTPS works fine from the browser, but the logs in /var/log/messages keep saying "x509: certificate is valid for 10.0.8.107, not localhost". But why does it visit localhost?
>

Could you post your kubelet settings? It looks like some application
is visiting your apiserver using localhost as the hostname.

Winston

Mar 24, 2017, 1:32:17 AM
to Kubernetes user discussion and Q&A
I just figured it out: the config "--bind-address" must be specified as a meaningful IP address, or the default value "0.0.0.0" will cause the visit to "https://localhost:6443/".

Thanks!

On Thursday, March 23, 2017 at 9:47:11 PM UTC+8, Ivan Diao wrote:
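
The hostname check behind the x509 error in this thread, as an added example (not code from the thread or from Kubernetes): a Go client accepts a serving certificate only for names listed in it, so a certificate issued for 10.0.8.107 alone fails when the URL says localhost. Both certificates are constructed in memory; the second one, which also lists localhost and 127.0.0.1, is an assumption added for comparison.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CheckHosts builds a throwaway self-signed certificate with the given SANs
// (constructed here, not the poster's master.crt) and returns, per host, the
// error a Go TLS client gets when verifying that name (nil means accepted).
func CheckHosts(dnsNames []string, ips []net.IP, hosts ...string) (map[string]error, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	results := map[string]error{}
	for _, h := range hosts {
		// Same name check a Go HTTPS client runs; message wording varies by Go version.
		results[h] = cert.VerifyHostname(h)
	}
	return results, nil
}

func main() {
	ip := []net.IP{net.ParseIP("10.0.8.107")}
	fmt.Println(CheckHosts(nil, ip, "10.0.8.107", "localhost"))
	withLoopback := append(ip, net.ParseIP("127.0.0.1"))
	fmt.Println(CheckHosts([]string{"localhost"}, withLoopback, "10.0.8.107", "localhost", "127.0.0.1"))
}
```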