Kubernetes authentication with certificate

0 votes

I’m trying to authenticate with a locally hosted kubernetes cluster using a certificate.

These are the steps I’m doing

  1. Convert the client certificate to PKCS:
     $ sudo openssl pkcs12 -export -out kubernetes.pfx -inkey /etc/kubernetes/pki/apiserver.key -in /etc/kubernetes/pki/apiserver.crt -certfile /etc/kubernetes/pki/ca.crt -passout pass:jenkins
  2. In Jenkins, create credentials using a certificate
    1. Kind: Certificate
    2. Certificate: Upload PKCS#12 certificate and upload file kubernetes.pfx
    3. Password: jenkins (as specified during certificate creation)
  3. Manage Jenkins -> Add new cloud -> Kubernetes
    1. Kubernetes URL: https://10.179.1.121:6443 (as output by kubectl config view)
    2. Kubernetes server certificate key: paste the contents of /etc/kubernetes/pki/ca.crt.
    3. Disable https certificate check: checked because the test setup does not have a signed certificate
    4. Kubernetes Namespace: tried both default and kubernetes-plugin
    5. Credentials: CN=kube-apiserver (i.e. the credentials created above)

Now when I click on Test Connection, this is the error message shown in the Jenkins Web UI:

Error connecting to https://10.179.1.121:6443: Failure executing: GET at: https://10.179.1.121:6443/api/v1/namespaces/kubernetes-plugin/pods. Message: Unauthorized.

The Jenkins logs show this message:

Sep 05, 2017 10:22:03 AM io.fabric8.kubernetes.client.Config tryServiceAccount
WARNING: Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.

What's the issue?

Aug 27, 2018 in Docker by lina
• 8,220 points
2,028 views

1 answer to this question.

0 votes

The Jenkins error log warning message indicates that the key used to encrypt ServiceAccount tokens is different in kube-apiserver (--service-account-key-file) and kube-controller-manager (--service-account-private-key-file). If your kube-apiserver command-line doesn't specify --service-account-key-file then the value of --tls-private-key-file is used.

It's always better to explicitly set kube-apiserver --service-account-key-file to match the kube-controller-manager --service-account-private-key-file value.

answered Aug 27, 2018 by Kalgi
• 52,350 points
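
One way to check the condition the answer describes, as an added example that is not part of the original answer: it compares the public key behind kube-apiserver's --service-account-key-file (or --tls-private-key-file when that flag is absent) with the key behind kube-controller-manager's --service-account-private-key-file. The manifest paths, the function names and the `check` argument are assumptions for a kubeadm-style control plane.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Assumes a kubeadm-style control
# plane whose flags live in static pod manifests (paths below are assumptions).
APISERVER_MANIFEST="${APISERVER_MANIFEST:-/etc/kubernetes/manifests/kube-apiserver.yaml}"
CONTROLLER_MANIFEST="${CONTROLLER_MANIFEST:-/etc/kubernetes/manifests/kube-controller-manager.yaml}"

# Print the value of the first "- --<flag>=<value>" line in a manifest.
# Simplification: kube-apiserver accepts the key-file flag more than once;
# only the first occurrence is checked here.
flag_value() {  # usage: flag_value <manifest> <flag-name>
  sed -n "s/^[[:space:]]*-[[:space:]]*--$2=\(.*\)$/\1/p" "$1" 2>/dev/null | head -n 1
}

# Print the SHA-256 of the DER-encoded public key held in a PEM file that is
# a private key, a public key, or an X.509 certificate.
pubkey_digest() {  # usage: pubkey_digest <pem-file>
  local pub
  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) ||
    pub=$(openssl pkey -pubin -in "$1" -pubout 2>/dev/null) ||
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 on match, 1 on mismatch, 2 if a flag or key file cannot be read.
check_sa_keys() {
  local verify sign a b
  verify=$(flag_value "$APISERVER_MANIFEST" service-account-key-file)
  # Fallback described in the answer: the API server's TLS private key.
  [ -n "$verify" ] || verify=$(flag_value "$APISERVER_MANIFEST" tls-private-key-file)
  sign=$(flag_value "$CONTROLLER_MANIFEST" service-account-private-key-file)
  if [ -z "$verify" ] || [ -z "$sign" ]; then
    echo "UNKNOWN: flag not found in manifests"; return 2
  fi
  a=$(pubkey_digest "$verify") && b=$(pubkey_digest "$sign") ||
    { echo "UNKNOWN: cannot read $verify or $sign"; return 2; }
  if [ "$a" = "$b" ]; then
    echo "MATCH: $verify and $sign hold the same key pair"
  else
    echo "MISMATCH: $verify ($a) vs $sign ($b)"; return 1
  fi
}

# Run the check only when asked, e.g.: sudo bash check-sa-keys.sh check
if [ "${1:-}" = "check" ]; then check_sa_keys; fi
```

Only public-key digests are printed, so the output can be pasted into a ticket without exposing key material.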
