
`validateKubeConfig` ignores `CertificateAuthority` and only looks at `CertificateAuthorityData`

Open rohitagarwal003 opened this issue 2 years ago • 2 comments

What keywords did you search in kubeadm issues before filing this one?

"got the wrong CA cert"

Is this a BUG REPORT or FEATURE REQUEST?

BUG REPORT

Versions

kubeadm version (use kubeadm version): v1.23.6

Environment:

  • Kubernetes version (use kubectl version): v1.23.6
  • Cloud provider or hardware configuration: AWS EC2 c6i
  • OS (e.g. from /etc/os-release): Amazon Linux 2
  • Others: Using an external CA (i.e. no ca.key in /etc/kubernetes/pki)

What happened?

Got the following error while running kubeadm init phase kubelet-start --config=/path/to/kubeadm.conf

the controller-manager.conf file does not exists or it is not valid: a kubeconfig file "/etc/kubernetes/controller-manager.conf" exists already but has got the wrong CA cert

What you expected to happen?

Didn't expect this error to happen, because our controller-manager kubeconfig has:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.crt
    server: https://xyz.example.com:6443
  name: xyz
contexts:
- context:
    cluster: xyz
    user: controller-manager
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: controller-manager
  user:
    client-certificate: /etc/kubernetes/pki/controller-manager.crt
    client-key: /etc/kubernetes/pki/controller-manager.key

The root CA is the exact same file.

How to reproduce it (as minimally and precisely as possible)?

  1. Use an external CA (i.e. no ca.key in /etc/kubernetes/pki).
  2. Use a controller-manager conf that uses certificate-authority instead of certificate-authority-data.
  3. Run kubeadm init phase kubelet-start --config=/path/to/kubeadm.conf

Anything else we need to know?

https://github.com/kubernetes/kubernetes/blob/v1.23.6/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go#L240 is looking at just CertificateAuthorityData. It should also read the contents of the file pointed by CertificateAuthority if CertificateAuthorityData is empty.

rohitagarwal003 avatar Aug 03 '22 07:08 rohitagarwal003

looking at just CertificateAuthorityData. It should also read the contents of the file pointed by CertificateAuthority if CertificateAuthorityData is empty.

hi, this was never a supported use case and i believe you are the first user requesting it.

what prevents you from embedding the client cert/key like kubeadm does by default?

i would not mind a change to validate external files, but we are in code freeze for 1.25 and i think this is a feature and not a bug fix, thus not backportable to < .25 too.

neolit123 avatar Aug 03 '22 08:08 neolit123

/assign

SataQiu avatar Aug 10 '22 12:08 SataQiu