kubemrr watch: x509: certificate signed by unknown authority
When running kubemrr watch test
or
kubemrr watch https://kube-test.myserver.net
I get:
Error: failed to ping server: Get https://kube-test.myserver.net/: x509: certificate signed by unknown authority
I am using insecure-skip-tls-verify: true in the kubeconfig file.
Steps taken:
$ kubemrr watch test
{"level":"info","msg":"created client","server":"https://kube-test.myserver.net","time":"2017-03-09T16:19:53.229"}
Error: failed to ping server: Get https://kube-test.myserver.net/: x509: certificate signed by unknown authority
$ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority: certs/ca.pem
    server: https://kube-test.myserver.net
    insecure-skip-tls-verify: true
  name: kubernetes-test
contexts:
- context:
    cluster: kubernetes-test
    namespace: default
    user: k8s-test-admin-user
  name: test_eu-west-1
current-context: prod_eu-west-1
kind: Config
preferences: {}
users:
- name: k8s-test-admin-user
  user:
    client-certificate: certs/admin.pem
    client-key: certs/admin-key.pem
$ kubemrr watch https://kube-test.myserver.net
{"level":"info","msg":"created client","server":"https://kube-test.myserver.net","time":"2017-03-09T16:16:01.533"}
Error: failed to ping server: Get https://kube-test.myserver.net/: x509: certificate signed by unknown authority
Versions:
$ kubemrr
kubemrr-1.3.0
$ uname -a
Darwin apollo 16.4.0 Darwin Kernel Version 16.4.0: Thu Dec 22 22:53:21 PST 2016; root:xnu-3789.41.3~3/RELEASE_X86_64 x86_64
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.2", GitCommit:"08e099554f3c31f6e6f07b448ab3ed78d0520507", GitTreeState:"clean", BuildDate:"2017-01-12T04:57:25Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.2+coreos.1", GitCommit:"3ed7d0f453a5517245d32a9c57c39b946e578821", GitTreeState:"clean", BuildDate:"2017-01-18T01:43:45Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}
@kenden Could this be related to https://github.com/mkokho/kubemrr/issues/6?
@marianogappa That looks similar. My cluster is not on Azure, but I don't think it matters.
I have kinda the same error, the cluster is on Amazon EKS. Is it possible to get this working on EKS?
Amazon EKS uses aws-iam-authenticator for auth in the cluster.
I am really interested in getting kubemrr working. This could really speed up my daily work.
Does kubemrr get its data via kubectl, or is it API calls to the server? @mkokho
API: https://github.com/mkokho/kubemrr/blob/master/app/kube_client.go#L76
I get the same error on macOS for clusters on Amazon EKS and GKE. It seems the tool doesn't correctly recognise the API server CA certificate that is embedded in the kubeconfig file.
If in the kubeconfig file, I replace the certificate-authority-data: <DATA> field with insecure-skip-tls-verify: true, then the error is gone and the connection succeeds.
But then, there is an authorisation error:
Error: failed to ping server: unexpected status for GET https://34.73.33.83/: 403 Forbidden {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/\"","reason":"Forbidden","details":{},"code":403}
It seems the tool is using the system:anonymous user, and if your cluster uses RBAC, this user doesn't have permission to access most resources.
If I temporarily give full permissions to the system:anonymous user, the kubemrr watch command works, but completion for the individual resources (pods, services, etc.) doesn't work. It just displays the files in the current directory.