
[cka] View Certificate Details

by Geunny 2024. 7. 16.

 

1. Identify the certificate file used for the kube-api server.

 

controlplane ~ ➜  ps -ef | grep kube-api | grep crt
root        3784    3284  0 13:27 ?        00:00:15 kube-apiserver --advertise-address=192.32.124.3 --allow-privileged=true --authorization-mode=Node,RBAC \
    --client-ca-file=/etc/kubernetes/pki/ca.crt \
    ...
    --tls-cert-file=/etc/kubernetes/pki/apiserver.crt \        # --tls-cert-file -> the certificate kube-apiserver serves on :6443
    --tls-private-key-file=/etc/kubernetes/pki/apiserver.key

(The single ps output line is wrapped here for readability. --client-ca-file is the CA the API server uses to verify client certificates; --tls-cert-file is its own serving certificate, the one clients such as kubectl verify.)

 

answer : /etc/kubernetes/pki/apiserver.crt

 

2. Identify the Certificate file used to authenticate kube-apiserver as a client to ETCD Server.

 

# vi /etc/kubernetes/manifests/kube-apiserver.yaml 

apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 192.32.124.3:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=192.32.124.3
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: registry.k8s.io/kube-apiserver:v1.30.0
    ...

 

answer : /etc/kubernetes/pki/apiserver-etcd-client.crt

 

3. Identify the key used to authenticate kubeapi-server to the kubelet server.

The API server authenticates to the kubelet with a client certificate -> --kubelet-client-certificate. The question says "key", but the answer the lab expects is the certificate file; the matching private key sits next to it as --kubelet-client-key.

 

answer : /etc/kubernetes/pki/apiserver-kubelet-client.crt

 

4. Identify the ETCD Server Certificate used to host ETCD server.

controlplane ~ ➜  vi /etc/kubernetes/manifests/etcd.yaml

...
  - command:
    - etcd
    - --advertise-client-urls=https://192.32.124.3:2379
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --client-cert-auth=true
    - --data-dir=/var/lib/etcd
    - --experimental-initial-corrupt-check=true
    - --experimental-watch-progress-notify-interval=5s
    - --initial-advertise-peer-urls=https://192.32.124.3:2380
    - --initial-cluster=controlplane=https://192.32.124.3:2380
    - --key-file=/etc/kubernetes/pki/etcd/server.key
    - --listen-client-urls=https://127.0.0.1:2379,https://192.32.124.3:2379
    - --listen-metrics-urls=http://127.0.0.1:2381
    - --listen-peer-urls=https://192.32.124.3:2380
    - --name=controlplane
    - --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt
    - --peer-client-cert-auth=true
    - --peer-key-file=/etc/kubernetes/pki/etcd/peer.key
    - --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
    - --snapshot-count=10000
...

 

answer : /etc/kubernetes/pki/etcd/server.crt

 

5. Identify the ETCD Server CA Root Certificate used to serve ETCD Server.
ETCD can have its own CA, so this may be a different CA certificate than the one used by the kube-apiserver. It is the file etcd passes as --peer-trusted-ca-file above, and the one kube-apiserver passes as --etcd-cafile in the Q2 manifest.

 

answer : /etc/kubernetes/pki/etcd/ca.crt

 

6.  What is the Common Name (CN) configured on the Kube API Server Certificate?
OpenSSL Syntax: openssl x509 -in file-path.crt -text -noout

controlplane ~ ✖ openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6530373879827962648 (0x5aa08c71bda29b18)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: Jul 16 13:22:30 2024 GMT
            Not After : Jul 16 13:27:30 2025 GMT
        Subject: CN = kube-apiserver
  ...

-> Subject CN : kube-apiserver

answer : kube-apiserver

 

7. What is the name of the CA who issued the Kube API Server Certificate?

Issuer line of the same output: Issuer: CN = kubernetes

 

answer : kubernetes

 

8. Which of the below alternate names is not configured on the Kube API Server Certificate?

            X509v3 Subject Alternative Name:
                DNS:controlplane, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.32.124.3

 

answer : kube-master (not in the SAN list above; the other choices are)

 

9. What is the Common Name (CN) configured on the ETCD Server certificate?

controlplane ~ ➜  openssl x509 -in /etc/kubernetes/pki/etcd/server.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8758906623532173180 (0x798de32adc73877c)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = etcd-ca
        Validity
            Not Before: Jul 16 13:22:31 2024 GMT
            Not After : Jul 16 13:27:31 2025 GMT
        Subject: CN = controlplane

 

answer : controlplane

 

10. How long, from the issued date, is the kube-api Certificate valid for?

File: /etc/kubernetes/pki/apiserver.crt

controlplane ~ ➜  openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6530373879827962648 (0x5aa08c71bda29b18)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: Jul 16 13:22:30 2024 GMT
            Not After : Jul 16 13:27:30 2025 GMT

 

answer : 1 year (Not Before Jul 16 2024 -> Not After Jul 16 2025)

 

11. How long, from the issued date, is the Root CA Certificate valid for?
File: /etc/kubernetes/pki/ca.crt

 

controlplane ~ ➜  openssl x509 -in /etc/kubernetes/pki/ca.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2759727977832224731 (0x264c85f9636597db)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes
        Validity
            Not Before: Jul 16 13:22:30 2024 GMT
            Not After : Jul 14 13:27:30 2034 GMT
        Subject: CN = kubernetes

 

answer : 10 years

 

12. Kubectl suddenly stops responding to your commands. Check it out! Someone recently modified the /etc/kubernetes/manifests/etcd.yaml file.
You are asked to investigate and fix the issue. Once you fix the issue, wait for some time for kubectl to respond. Check the logs of the ETCD container.

 

controlplane ~ ✖ ls -l /etc/kubernetes/pki/etcd/server* | grep .crt
-rw-r--r-- 1 root root 1208 Jul 16 13:27 /etc/kubernetes/pki/etcd/server.crt


controlplane ~ ➜  vi /etc/kubernetes/manifests/etcd.yaml


apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/etcd.advertise-client-urls: https://192.32.124.3:2379
  creationTimestamp: null
  labels:
    component: etcd
    tier: control-plane
  name: etcd
  namespace: kube-system
spec:
  containers:
  - command:
    - etcd
    - --advertise-client-urls=https://192.32.124.3:2379
    - --cert-file=/etc/kubernetes/pki/etcd/server-certificate.crt # -> no such file; change back to /etc/kubernetes/pki/etcd/server.crt (the file listed by ls above)
    - --client-cert-auth=true
    - --data-dir=/var/lib/etcd
    - --experimental-initial-corrupt-check=true
    - --experimental-watch-progress-notify-interval=5s

 

After changing --cert-file back to /etc/kubernetes/pki/etcd/server.crt and saving the manifest, the kubelet restarts the etcd static pod. Wait until etcd is up and kube-apiserver reconnects to it before retrying kubectl.

 

 

 

13. The kube-api server stopped again! Check it out. Inspect the kube-api server logs and identify the root cause and fix the issue.
Run crictl ps -a command to identify the kube-api server container. Run crictl logs container-id command to view the logs.

 

https://kubernetes.io/docs/tasks/debug/debug-cluster/crictl/#list-containers

 


 

controlplane ~ ➜  crictl ps -a | grep kube-apiserver
910fd953d38b6       c42f13656d0b2       21 seconds ago      Exited              kube-apiserver            5                   e162f54baca73       kube-apiserver-controlplane
127e9e46b1f23       c42f13656d0b2       2 minutes ago       Exited              kube-apiserver            4                   e162f54baca73       kube-apiserver-controlplane

controlplane ~ ➜  crictl ps -a | grep kube-apiserver
910fd953d38b6       c42f13656d0b2       27 seconds ago      Exited              kube-apiserver            5                   e162f54baca73       kube-apiserver-controlplane

controlplane ~ ✖ crictl logs --tail=2 910fd953d38b6
W0716 14:09:45.900657       1 logging.go:59] [core] [Channel #5 SubChannel #6] grpc: addrConn.createTransport failed to connect to {Addr: "127.0.0.1:2379", ServerName: "127.0.0.1:2379", }. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"
F0716 14:09:49.214070       1 instance.go:292] Error creating leases: error creating storage factory: context deadline exceeded

 

"context deadline exceeded" is the consequence, not the cause. The warning just above it shows kube-apiserver's TLS handshake with etcd on 127.0.0.1:2379 failing with "certificate signed by unknown authority": the apiserver could not chain etcd's serving certificate to the CA it trusts, so it never reached its storage and exited (the F line is fatal). The CA it trusts for etcd is --etcd-cafile in /etc/kubernetes/manifests/kube-apiserver.yaml; since etcd has its own CA (Q5, issuer CN = etcd-ca in Q9), that flag must point at /etc/kubernetes/pki/etcd/ca.crt, not the cluster CA /etc/kubernetes/pki/ca.crt (subject CN = kubernetes). A quick check: `openssl verify -CAfile /etc/kubernetes/pki/etcd/ca.crt /etc/kubernetes/pki/etcd/server.crt` succeeds, while the same command with -CAfile /etc/kubernetes/pki/ca.crt fails, which is exactly the error the apiserver logged.
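The following Go program is an added example, not code from the page or from Kubernetes. It rebuilds the lab's certificate layout with freshly generated keys (a "kubernetes" CA issuing apiserver.crt with the SANs from Q8, and a separate "etcd-ca" issuing etcd/server.crt with CN controlplane), then does two things: it reads off the same fields the openssl x509 -text commands in Q6 to Q11 show (subject CN, issuer CN, SANs, validity), and it replays the apiserver's --etcd-cafile check from Q13 by verifying etcd's serving certificate against the right CA and the wrong one, which yields Go's x509.UnknownAuthorityError, the "certificate signed by unknown authority" in the crictl log. Function names (BuildLabPKI, Inspect, HasSAN, VerifyServing) and the localhost SAN on the etcd cert are this example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertInfo holds the fields the lab reads off `openssl x509 -text`.
type CertInfo struct {
	SubjectCN, IssuerCN string
	DNSNames, IPs       []string
	ValidDays           int
}

// mint signs tmpl with parent (self-signed when parent == nil); keys are generated here.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// caTemplate: a CA valid for `years` (kubeadm's ca.crt and etcd/ca.crt are 10 years, Q11).
func caTemplate(cn string, years int) *x509.Certificate {
	now := time.Now().UTC().Truncate(time.Second) // UTC so DST cannot shave an hour off the validity
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.AddDate(years, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
}

// servingTemplate: a one-year serving certificate with CN and SANs (apiserver.crt in Q10).
func servingTemplate(cn string, dns []string, ips []net.IP) *x509.Certificate {
	now := time.Now().UTC().Truncate(time.Second)
	return &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), DNSNames: dns, IPAddresses: ips,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// Inspect answers Q6/Q7/Q9/Q10/Q11: who the cert is for, who issued it, how long it is valid.
func Inspect(c *x509.Certificate) CertInfo {
	info := CertInfo{SubjectCN: c.Subject.CommonName, IssuerCN: c.Issuer.CommonName, DNSNames: c.DNSNames}
	for _, ip := range c.IPAddresses {
		info.IPs = append(info.IPs, ip.String())
	}
	info.ValidDays = int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)
	return info
}

// HasSAN answers Q8: would a client connecting to `name` (DNS or IP) accept this certificate?
func HasSAN(c *x509.Certificate, name string) bool {
	return c.VerifyHostname(name) == nil
}

// VerifyServing replays what kube-apiserver does with --etcd-cafile: chain the server's
// certificate to the single trusted CA. The wrong CA gives x509.UnknownAuthorityError.
func VerifyServing(server, ca *x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// IsUnknownAuthority reports whether err is the trust-chain failure seen in the Q13 log.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// BuildLabPKI recreates the lab layout: "kubernetes" CA -> apiserver.crt, "etcd-ca" -> etcd/server.crt.
// CNs and SANs come from the page's openssl output; keys and serials are generated here.
func BuildLabPKI() (k8sCA, apiserver, etcdCA, etcdServer *x509.Certificate) {
	k8sCA, k8sKey := mint(caTemplate("kubernetes", 10), nil, nil)
	apiserver, _ = mint(servingTemplate("kube-apiserver",
		[]string{"controlplane", "kubernetes", "kubernetes.default", "kubernetes.default.svc", "kubernetes.default.svc.cluster.local"},
		[]net.IP{net.ParseIP("10.96.0.1"), net.ParseIP("192.32.124.3")}), k8sCA, k8sKey)
	etcdCA, etcdKey := mint(caTemplate("etcd-ca", 10), nil, nil)
	etcdServer, _ = mint(servingTemplate("controlplane", []string{"controlplane", "localhost"},
		[]net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("192.32.124.3")}), etcdCA, etcdKey)
	return
}

func main() {
	k8sCA, apiserver, etcdCA, etcdServer := BuildLabPKI()
	fmt.Printf("apiserver.crt:   %+v\n", Inspect(apiserver))
	fmt.Printf("etcd/server.crt: %+v\n", Inspect(etcdServer))
	fmt.Println("kube-master on apiserver SAN?", HasSAN(apiserver, "kube-master"))
	fmt.Println("etcd server.crt vs etcd-ca:   ", VerifyServing(etcdServer, etcdCA, "127.0.0.1"))
	fmt.Println("etcd server.crt vs kubernetes:", VerifyServing(etcdServer, k8sCA, "127.0.0.1"))
}
```

The last two lines of output are the whole Q13 story: the same etcd certificate verifies cleanly against etcd-ca and fails with "certificate signed by unknown authority" against the kubernetes CA, so when the apiserver logs that error, the CA it was given in --etcd-cafile is the first thing to compare with the issuer shown by openssl on etcd/server.crt.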

 

…? This is hard…
