Kubernetes authentication with certificate

0 votes

I’m trying to authenticate with a locally hosted Kubernetes cluster using a certificate.

These are the steps I’m doing:

  1. Convert the client certificate to PKCS:
     $ sudo openssl pkcs12 -export -out kubernetes.pfx -inkey /etc/kubernetes/pki/apiserver.key -in /etc/kubernetes/pki/apiserver.crt -certfile /etc/kubernetes/pki/ca.crt -passout pass:jenkins
  2. In Jenkins, create credentials using a certificate
    1. Kind: Certificate
    2. Certificate: Upload PKCS#12 certificate and upload file kubernetes.pfx
    3. Password: jenkins (as specified during certificate creation)
  3. Manage Jenkins -> Add new cloud -> Kubernetes
    1. Kubernetes URL: https://10.179.1.121:6443 (as output by kubectl config view)
    2. Kubernetes server certificate key: paste the contents of /etc/kubernetes/pki/ca.crt.
    3. Disable https certificate check: checked because the test setup does not have a signed certificate
    4. Kubernetes Namespace: tried both default and kubernetes-plugin
    5. Credentials: CN=kube-apiserver (i.e. the credentials created above)

Now when I click on Test Connection, this is the error message shown in the Jenkins Web UI:

Error connecting to https://10.179.1.121:6443: Failure executing: GET at: https://10.179.1.121:6443/api/v1/namespaces/kubernetes-plugin/pods. Message: Unauthorized.

The Jenkins logs show this message:

Sep 05, 2017 10:22:03 AM io.fabric8.kubernetes.client.Config tryServiceAccount

WARNING: Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.

What's the issue?

Aug 27, 2018 in Docker by lina
• 8,100 points
119 views

1 answer to this question.

0 votes

The Jenkins error log warning message indicates that the key used to encrypt ServiceAccount tokens is different in kube-apiserver (--service-account-key-file) and kube-controller-manager (--service-account-private-key-file). If your kube-apiserver command-line doesn't specify --service-account-key-file then the value of --tls-private-key-file is used.

It's always better to explicitly set kube-apiserver --service-account-key-file to match the kube-controller-manager --service-account-private-key-file value.

answered Aug 27, 2018 by Kalgi
• 35,640 points
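
A check for the condition the answer describes, as an added example that is not part of the original answer: it resolves which key file each component uses from its flags, applying the --tls-private-key-file fallback, and compares the public keys with openssl. It assumes flags written as --name=value with one value per flag and paths without spaces; the function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example. Assumes flags are written as --name=value (one value per flag)
# and key paths without spaces. Function names are hypothetical.

# Print the value of --<name>=<value> from a command line or manifest text (empty if absent).
flag_value() {    # usage: flag_value "<text>" <name>
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^--$2=//p" | head -n 1
}

# Key file kube-apiserver checks tokens against, with the fallback the answer
# describes: without --service-account-key-file, --tls-private-key-file is used.
apiserver_sa_key() {
  local v
  v=$(flag_value "$1" service-account-key-file)
  [ -n "$v" ] || v=$(flag_value "$1" tls-private-key-file)
  printf '%s\n' "$v"
}

# Public key in PEM form for a file holding either a private or a public key.
pubkey_of() {
  openssl pkey -in "$1" -pubout 2>/dev/null ||
    openssl pkey -pubin -in "$1" -pubout 2>/dev/null
}

# Succeeds only when both files belong to the same key pair.
sa_keys_match() {
  local a b
  a=$(pubkey_of "$1") && b=$(pubkey_of "$2") && [ -n "$a" ] && [ "$a" = "$b" ]
}

# Compare the two components; prints the resolved files and returns 1 on mismatch.
check_components() {  # usage: check_components "<apiserver text>" "<controller-manager text>"
  local verify sign
  verify=$(apiserver_sa_key "$1")
  sign=$(flag_value "$2" service-account-private-key-file)
  if sa_keys_match "$verify" "$sign"; then
    echo "match: $verify <-> $sign"
  else
    echo "MISMATCH: apiserver=$verify controller-manager=$sign"
    return 1
  fi
}

# On a control-plane node, as root so the key files are readable. The manifest
# paths are an assumption (kubeadm defaults); adjust them to your setup:
#   check_components "$(cat /etc/kubernetes/manifests/kube-apiserver.yaml)" \
#                    "$(cat /etc/kubernetes/manifests/kube-controller-manager.yaml)"
```

A mismatch means tokens signed by kube-controller-manager cannot be verified by kube-apiserver, which is the situation the answer attributes the error to.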
