Kubeadm: Certificate issues with kubeadm init

Created on 18 Jan 2019 · 9 Comments · Source: kubernetes/kubeadm

Is this a BUG REPORT or FEATURE REQUEST?

BUG REPORT

Versions

kubeadm version (use kubeadm version): "v1.13.2"

Environment:

  • Kubernetes version (use kubectl version): "v1.13.2"
  • Cloud provider or hardware configuration: None
  • OS (e.g. from /etc/os-release): CentOS 7.6
  • Kernel (e.g. uname -a): 3.10.0-957.1.3.0.1.el7.x86_64
  • Others:

What happened?

Unable to get a kubectl working with the cluster set up with kubeadm init. kubeadm init executes successfully.

I have tried to follow the Troubleshooting guide regarding copying admin.conf to user home as conf but always end up with -- x509: certificate signed by unknown authority.

kubeadm token list
failed to list bootstrap tokens: Get https://10.176.15.137:6443/api/v1/namespaces/kube-system/secrets?fieldSelector=type%3Dbootstrap.kubernetes.io%2Ftoken: x509: certificate signed by unknown authority

sudo kubeadm token list works as expected.
TOKEN TTL EXPIRES USAGES DESCRIPTION EXTRA GROUPS
* 19h 2019-01-18T13:45:05-08:00 authentication,signing The default bootstrap token generated by 'kubeadm init'. system:bootstrappers:kubeadm:default-node-token

kubeadm token list as root user fails.

What you expected to happen?

Get the cluster up and running.

How to reproduce it (as minimally and precisely as possible)?

Followed the guide: https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm

Anything else we need to know?

I am trying to get a single master Kubernetes cluster up and running on a few VMs on GCP.


All 9 comments

@aashish-sheshadri
If kubeadm token list doesn't work but sudo kubeadm token list works, it means that the admin.conf file is not available for the current user.

copying admin.conf to user home as conf

The target name should be $HOME/.kube/config as documented.

@fabriziopandini Thanks for your response. I have followed the steps to copy over the admin.conf to $HOME/.kube/config.

More info:
After kubeadm init
kubeadm token list

failed to load admin kubeconfig: open /etc/kubernetes/admin.conf: permission denied

sudo kubeadm token list
works as expected

After running:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

failed to list bootstrap tokens: Get https://10.176.15.137:6443/api/v1/namespaces/kube-system/secrets?fieldSelector=type%3Dbootstrap.kubernetes.io%2Ftoken: x509: certificate signed by unknown authority

try kubeadm token list --kubeconfig=$HOME/.kube/config

@foxyriver
kubeadm token list --kubeconfig=$HOME/.kube/config

failed to list bootstrap tokens: Get https://10.176.15.137:6443/api/v1/namespaces/kube-system/secrets?fieldSelector=type%3Dbootstrap.kubernetes.io%2Ftoken: x509: certificate signed by unknown authority

But, sudo kubeadm token list --kubeconfig=$HOME/.kube/config works fine. I also deleted /etc/kubernetes/admin.conf.

@aashish-sheshadri
make sure your $HOME/.kube/config file is readable by the non-root user; if not, try this

sudo chmod 777 $HOME/.kube/config
kubeadm token list --kubeconfig=$HOME/.kube/config

Folks, never set your kube config permissions to 777. 0600 should be enough, anything else is a potential security risk (with 777 definitely one).

@rosti you are right, the user only needs read/write permissions, that is enough :)

@foxyriver @rosti Any ideas why I am unable to list tokens without sudo? I am unable to configure kubectl at all, sudo or not. I get the same error: x509: certificate signed by unknown authority.

It seems like it's more than being able to read .kube/config. Any pointers will be helpful.

This isn't a kubeadm issue, but a user permissions issue.
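A small audit script that encodes the advice given in this thread (owned by the invoking user, mode 0600 rather than 777, and carrying a CA entry so the client can verify the API server), as an added example; it is a hypothetical helper, not part of kubeadm or the kubeadm docs, and the file layout it writes to is the $HOME/.kube/config path from the thread.

```shell
#!/bin/sh
# check_kubeconfig PATH
# Prints each finding and returns 0 only when ownership, mode and the
# presence of a trust anchor all look right. Hypothetical helper.
check_kubeconfig() {
    path="$1"
    rc=0
    if [ ! -f "$path" ]; then
        echo "FAIL: $path is not a regular file"
        return 1
    fi
    # Ownership: a copy still owned by root is why 'kubeadm token list'
    # fails with 'permission denied' unless run through sudo.
    if [ ! -O "$path" ]; then
        echo "FAIL: $path is not owned by uid $(id -u)"
        rc=1
    fi
    # Mode: chars 5-10 of 'ls -l' are the group/other bits; any bit set
    # (777 included) exposes the cluster-admin credential to other users.
    if [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $path is accessible by group/others; use chmod 0600"
        rc=1
    fi
    # Trust anchor: without certificate-authority(-data) the client cannot
    # validate the API server and reports 'certificate signed by unknown authority'.
    if ! grep -q 'certificate-authority' "$path"; then
        echo "FAIL: no certificate-authority entry in $path"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $path passes ownership, mode and CA checks"
    return "$rc"
}

# install_kubeconfig SRC [DST]
# Copies admin.conf into place with mode 0600 applied in one step instead of
# cp followed by a separate chmod. When SRC is the root-owned
# /etc/kubernetes/admin.conf, run the copy with sudo and then chown the
# result to your user as the kubeadm docs describe.
install_kubeconfig() {
    src="$1"
    dst="${2:-$HOME/.kube/config}"
    mkdir -p "$(dirname "$dst")"
    install -m 0600 "$src" "$dst"
}
```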
