Question

I’m trying to authenticate with a locally hosted kubernetes cluster using a certificate.

These are the steps I’m doing

1. Convert the client certificate to PKCS:
2. $ sudo openssl pkcs12 -export -out kubernetes.pfx -inkey /etc/kubernetes/pki/apiserver.key -in /etc/kubernetes/pki/apiserver.crt -certfile /etc/kubernetes/pki/ca.crt -passout pass:jenkins
3. In Jenkins, create credentials using a certificate
   1. Kind: Certificate
   2. Certificate: Upload PKCS#12 certificate and upload file kubernetes.pfx
   3. Password: jenkins (as specified during certificate creation)
4. Manage Jenkins -> Add new cloud -> Kubernetes
   1. Kubernetes URL: https://10.179.1.121:6443 (as output by kubectl config view)
   2. Kubernetes server certificate key: paste the contents of /etc/kubernetes/pki/ca.crt.
   3. Disable https certificate check: checked because the test setup does not have a signed certificate
   4. Kubernetes Namespace: tried both default and kubernetes-plugin
   5. Credentials: CN=kube-apiserver (i.e. the credentials created above)

Now when I click on Test Connection, this is the error message shown in the Jenkins Web UI:

Error connecting to https://10.179.1.121:6443: Failure executing: GET at: https://10.179.1.121:6443/api/v1/namespaces/kubernetes-plugin/pods. Message: Unauthorized.

The Jenkins logs show this message:

Sep 05, 2017 10:22:03 AM io.fabric8.kubernetes.client.Config tryServiceAccount

WARNING: Error reading service account token from: [/var/run/secrets/kubernetes.io/serviceaccount/token]. Ignoring.

Whats the issue?

Answer 1

The Jenkins error log warning message indicates that the key used to encrypt ServiceAccount tokens is different in kube-apiserver (--service-account-key-file) and kube-controller-manager (--service-account-private-key-file). If your kube-apiserver command-line doesn't specify --service-account-key-file then the value of --tls-private-key-file is used.

Its always better to explicitly set kube-apiserver --service-account-key-file to match the kube-controller-manager --service-account-private-key-file value.

Ready to master the future of cloud computing? Enroll now in our Kubernetes Certification! Gain hands-on expertise in container orchestration, scale applications effortlessly, and streamline deployment workflows with Kubernetes.