Kubernetes authentication with certificate

0 votes

I’m trying to authenticate with a locally hosted kubernetes cluster using a certificate.

These are the steps I’m doing

  1. Convert the client certificate to PKCS:
  2. $ sudo openssl pkcs12 -export -out kubernetes.pfx -inkey /etc/kubernetes/pki/apiserver.key -in /etc/kubernetes/pki/apiserver.crt -certfile /etc/kubernetes/pki/ca.crt -passout pass:jenkins
  3. In Jenkins, create credentials using a certificate
    1. Kind: Certificate
    2. Certificate: Upload PKCS#12 certificate and upload file kubernetes.pfx
    3. Password: jenkins (as specified during certificate creation)
  4. Manage Jenkins -> Add new cloud -> Kubernetes
    1. Kubernetes URL: https://10.179.1.121:6443 (as output by kubectl config view)
    2. Kubernetes server certificate key: paste the contents of /etc/kubernetes/pki/ca.crt.
    3. Disable https certificate check: checked because the test setup does not have a signed certificate
    4. Kubernetes Namespace: tried both default and kubernetes-plugin
    5. Credentials: CN=kube-apiserver (i.e. the credentials created above)

Now when I click on Test Connection, this is the error message shown in the Jenkins Web UI:

Error connecting to https://10.179.1.121:6443: Failure executing: GET at: https://10.179.1.121:6443/api/v1/namespaces/kubernetes-plugin/pods. Message: Unauthorized.

The Jenkins logs show this message:

Sep 05, 2017 10:22:03 AM io.fabric8.kubernetes.client.Config tryServiceAccount

WARNING: Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.

Whats the issue?

Aug 27, 2018 in Docker by lina
• 8,220 points
2,245 views

1 answer to this question.

0 votes

The Jenkins error log warning message indicates that the key used to encrypt ServiceAccount tokens is different in kube-apiserver (--service-account-key-file) and kube-controller-manager (--service-account-private-key-file). If your kube-apiserver command-line doesn't specify --service-account-key-file then the value of --tls-private-key-file is used.

Its always better to explicitly set kube-apiserver --service-account-key-file to match the kube-controller-manager --service-account-private-key-file value.

answered Aug 27, 2018 by Kalgi
• 52,350 points

Related Questions In Docker

0 votes
0 answers

x509: certificate signed by unknown authority - both with docker and with github

Used the below command for build- docker build ...READ MORE

Apr 21, 2022 in Docker by pranav
• 2,580 points
970 views
0 votes
1 answer

build an J2EE application with docker

I would suggest you to use volume ...READ MORE

answered May 1, 2018 in Docker by shubham
• 7,340 points
363 views
0 votes
1 answer

Docker ports are working on the localhost but not with public ip

Probably, the reason is that you've included ...READ MORE

answered Jun 12, 2018 in Docker by Damon Salvatore
• 5,980 points

edited Oct 15, 2018 by Kalgi 3,195 views
+1 vote
1 answer
0 votes
3 answers

Error while joining cluster with node

Hi Kalgi after following above steps it ...READ MORE

answered Jan 17, 2019 in Others by anonymous
12,889 views
+4 votes
1 answer

Installing Web UI (Dashboard):kubernetes-dashboard on main Ubuntu 16.04.6 LTS (Xenial Xerus) server

Follow these steps: $ kubeadm reset $ kubeadm init ...READ MORE

answered Apr 12, 2019 in Kubernetes by Kalgi
• 52,350 points

reshown Apr 12, 2019 by Kalgi 4,302 views
0 votes
1 answer

docker unauthorized: authentication required - upon push with successful login

I also had the same issue.This is ...READ MORE

answered Jul 31, 2018 in Docker by Kalgi
• 52,350 points
5,917 views
0 votes
1 answer

How can I expose more than 1 port with Docker?

To expose just one port, this is ...READ MORE

answered Jul 25, 2018 in Docker by Kalgi
• 52,350 points
342 views
webinar REGISTER FOR FREE WEBINAR X
REGISTER NOW
webinar_success Thank you for registering Join Edureka Meetup community for 100+ Free Webinars each month JOIN MEETUP GROUP