Hi,
I am trying to use kubelet-rubber-stamp, but encountered a problem.
The kubelet is configured to create a CSR for its serving certificate and I can see the CSR in Kubernetes.
Kubelet-rubber-stamp however does not accept the CSRs. In its logs I see a lot of:
Reconciling CertificateSigningRequest /csr-2tb49
W0717 12:47:34.888280 1 certificatesigningrequest_controller.go:148] csr csr-2tb49 not recognized as kubelet serving csr, tried: [certificatesigningrequests]
with no further explanation why it was not recognized.
Below is the CSR resource and the decoded CSR:
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  creationTimestamp: "2020-07-17T12:28:35Z"
  generateName: csr-
  name: csr-2tb49
  resourceVersion: "9756"
  selfLink: /apis/certificates.k8s.io/v1beta1/certificatesigningrequests/csr-2tb49
  uid: 5aff267c-4429-4337-818c-4aba78cfe381
spec:
  groups:
  - system:nodes
  - system:authenticated
  request: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0KTUlJQkp6Q0J6Z0lCQURCRU1SVXdFd1lEVlFRS0V3eHplWE4wWlcwNmJtOWtaWE14S3pBcEJnTlZCQU1USW5ONQpjM1JsYlRwdWIyUmxPbU5wY3kxMFpYTjBMV3QxWW1VdGJXRnpkR1Z5TFRBd1dUQVRCZ2NxaGtqT1BRSUJCZ2dxCmhrak9QUU1CQndOQ0FBUjhuazd6K1ZyM2dHZk9hRkRoSFUrZ1JpNnN6OEtpUDRQMGNWcHpYZ2o0eWhSUExDbncKL1Fzc3JnWGpMS0RFUUtRVC9pQVRIczlIQm14VFBtNnlDQk9sb0Nnd0pnWUpLb1pJaHZjTkFRa09NUmt3RnpBVgpCZ05WSFJFRURqQU1od1FMMlNRamh3VEFxQU1GTUFvR0NDcUdTTTQ5QkFNQ0EwZ0FNRVVDSVFEaFZsbmdrYnZCCkRoYTIxQkdoUlFNOFFkUFZlWW9aRXhId1hOSWNSaG5nQ2dJZ1h4eXFUc3l6QmlScGdyTU1zTk0xeUpCUjcyZTMKWHk0bjB6bGpOVi9JcWVRPQotLS0tLUVORCBDRVJUSUZJQ0FURSBSRVFVRVNULS0tLS0K
  usages:
  - digital signature
  - key encipherment
  - server auth
  username: system:node:cis-test-kube-master-0
status: {}
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O = system:nodes, CN = system:node:cis-test-kube-master-0
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:7c:9e:4e:f3:f9:5a:f7:80:67:ce:68:50:e1:1d:
                    4f:a0:46:2e:ac:cf:c2:a2:3f:83:f4:71:5a:73:5e:
                    08:f8:ca:14:4f:2c:29:f0:fd:0b:2c:ae:05:e3:2c:
                    a0:c4:40:a4:13:fe:20:13:1e:cf:47:06:6c:53:3e:
                    6e:b2:08:13:a5
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                IP Address:11.217.36.35, IP Address:192.168.3.5
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:e1:56:59:e0:91:bb:c1:0e:16:b6:d4:11:a1:
         45:03:3c:41:d3:d5:79:8a:19:13:11:f0:5c:d2:1c:46:19:e0:
         0a:02:20:5f:1c:aa:4e:cc:b3:06:24:69:82:b3:0c:b0:d3:35:
         c8:90:51:ef:67:b7:5f:2e:27:d3:39:63:35:5f:c8:a9:e4
These look about right to me.
I am using Kubernetes 1.16.13.
As there are no log messages saying what exactly is wrong with the CSR, and there is only one check that does not print a message on failure, I suspect this is the problem: https://github.com/kontena/kubelet-rubber-stamp/blob/master/pkg/controller/certificatesigningrequest/helpers.go#L76
The question remains, why is my kubelet creating "invalid" CSRs? Has it something to do with the Kubernetes version I use?