Kubernetes authentication with certificate

0 votes

I’m trying to authenticate with a locally hosted Kubernetes cluster using a certificate.

These are the steps I’m doing

  1. Convert the client certificate to PKCS:
     $ sudo openssl pkcs12 -export -out kubernetes.pfx -inkey /etc/kubernetes/pki/apiserver.key -in /etc/kubernetes/pki/apiserver.crt -certfile /etc/kubernetes/pki/ca.crt -passout pass:jenkins
  2. In Jenkins, create credentials using a certificate
    1. Kind: Certificate
    2. Certificate: Upload PKCS#12 certificate and upload file kubernetes.pfx
    3. Password: jenkins (as specified during certificate creation)
  3. Manage Jenkins -> Add new cloud -> Kubernetes
    1. Kubernetes URL: https://10.179.1.121:6443 (as output by kubectl config view)
    2. Kubernetes server certificate key: paste the contents of /etc/kubernetes/pki/ca.crt.
    3. Disable https certificate check: checked because the test setup does not have a signed certificate
    4. Kubernetes Namespace: tried both default and kubernetes-plugin
    5. Credentials: CN=kube-apiserver (i.e. the credentials created above)

Now when I click on Test Connection, this is the error message shown in the Jenkins Web UI:

Error connecting to https://10.179.1.121:6443: Failure executing: GET at: https://10.179.1.121:6443/api/v1/namespaces/kubernetes-plugin/pods. Message: Unauthorized.

The Jenkins logs show this message:

Sep 05, 2017 10:22:03 AM io.fabric8.kubernetes.client.Config tryServiceAccount

WARNING: Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.

What's the issue?

Aug 27, 2018 in Docker by lina
• 8,100 points
188 views

1 answer to this question.

0 votes

The Jenkins error log warning message indicates that the key used to encrypt ServiceAccount tokens is different in kube-apiserver (--service-account-key-file) and kube-controller-manager (--service-account-private-key-file). If your kube-apiserver command-line doesn't specify --service-account-key-file then the value of --tls-private-key-file is used.

It's always better to explicitly set kube-apiserver --service-account-key-file to match the kube-controller-manager --service-account-private-key-file value.

answered Aug 27, 2018 by Kalgi
• 37,320 points
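
The comparison the answer above recommends, as an added example that is not part of the original answer: given the file passed to kube-apiserver --service-account-key-file and the file passed to kube-controller-manager --service-account-private-key-file, it reports whether both belong to the same key pair. The function names `sa_pubkey_pem` and `sa_keys_match` are hypothetical, and the script assumes the `openssl` CLI is installed and that both files are PEM-encoded.

```shell
#!/bin/sh
# Added example. The two file paths are supplied by the caller:
#   $1 = file passed to kube-apiserver --service-account-key-file
#   $2 = file passed to kube-controller-manager --service-account-private-key-file

# Print the public key (PEM) for a file holding a private or a public key;
# the apiserver flag accepts either form.
sa_pubkey_pem() {
    openssl pkey -in "$1" -pubout 2>/dev/null ||
        openssl pkey -pubin -in "$1" -pubout 2>/dev/null
}

# Return 0 if both files belong to the same key pair, 1 if they differ,
# 2 if a file cannot be parsed or the signing file is not a private key.
sa_keys_match() {
    verify_file=$1
    signing_file=$2
    # The controller-manager signs tokens, so its file must be a private key.
    if ! openssl pkey -in "$signing_file" -noout 2>/dev/null; then
        echo "not a readable private key: $signing_file" >&2
        return 2
    fi
    verify_pub=$(sa_pubkey_pem "$verify_file") || {
        echo "cannot parse key: $verify_file" >&2
        return 2
    }
    signing_pub=$(sa_pubkey_pem "$signing_file") || return 2
    # openssl emits a normalised PEM, so a string comparison is sufficient.
    [ "$verify_pub" = "$signing_pub" ]
}

# Run as a script: sh check-sa-keys.sh <verify-key-file> <signing-key-file>
if [ "$#" -eq 2 ]; then
    rc=0
    sa_keys_match "$1" "$2" || rc=$?
    case $rc in
        0) echo "MATCH: apiserver can verify tokens signed by controller-manager" ;;
        1) echo "MISMATCH: tokens signed with $2 will not verify against $1" ;;
        *) echo "ERROR: could not compare the two files" ;;
    esac
    exit "$rc"
fi
```

Only public keys are printed or compared, so the private key material never leaves the files it is read from.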
