Correct configuration for "the hard way" / manual configuration? Error: failed to verify certificate [...] doesn't contain any IP SANs

[erikschul]

Given that numerous people seem to fail to configure metrics-server without disabling TLS verification, I was hoping that you would help documenting how to configure it correctly when configuring Kubernetes manually (without kubeadm).

Error:

"Failed to scrape node" err="Get "https://[1.2.3.4]:10250/metrics/resource": tls: failed to verify certificate: x509: cannot validate certificate for [1.2.3.4] because it doesn't contain any IP SANs

I've tried creating a cluster-ca signed ca.crt/tls.key/tls.crt for metrics-server:

--kubelet-client-certificate=/certs/tls.crt
--kubelet-client-key=/certs/tls.key
--kubelet-certificate-authority=/certs/ca.crt

Node certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = X, ST = X, L = X, O = " CA", OU = X, CN = CA
        Validity
            Not Before: Oct 10 17:04:00 2024 GMT
            Not After : Oct  8 17:04:00 2034 GMT
        Subject: C = X, ST = X, L = X, O = system:nodes, OU = X, CN = system:node:node0
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    ...
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                ...
            X509v3 Authority Key Identifier: 
                ...
            X509v3 Subject Alternative Name: 
                DNS:node0, IP Address:[1.2.3.4]
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
      ...

KubeletConfiguration:

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
  anonymous:
    enabled: false
  webhook:
    cacheTTL: 0s
    enabled: true
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.pem
authorization:
  mode: Webhook
  webhook:
    cacheAuthorizedTTL: 0s
    cacheUnauthorizedTTL: 0s
cgroupDriver: systemd
clusterDNS:
  - 10.96.0.10
clusterDomain: "{{cluster_domain}}"
containerRuntimeEndpoint: "unix:///var/run/containerd/containerd.sock"
cpuManagerReconcilePeriod: 0s
evictionPressureTransitionPeriod: 0s
fileCheckFrequency: 0s
healthzBindAddress: 127.0.0.1
healthzPort: 10248
httpCheckFrequency: 0s
imageMinimumGCAge: 0s
logging:
  flushFrequency: 0
  options:
    json:
      infoBufferSize: "0"
  verbosity: 1
  format: json
memorySwap: {}
nodeStatusReportFrequency: 0s
nodeStatusUpdateFrequency: 0s
rotateCertificates: true
runtimeRequestTimeout: 0s
shutdownGracePeriod: 0s
shutdownGracePeriodCriticalPods: 0s
staticPodPath: /etc/kubernetes/manifests
streamingConnectionIdleTimeout: 0s
syncFrequency: 0s
volumeStatsAggPeriod: 0s
serializeImagePulls: false
maxParallelImagePulls: 3

/etc/kubernetes/kubelet.conf

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ...
    server: https://127.0.0.1:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:node:node0
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: system:node:node0
  user:
    client-certificate-data: ...
    client-key-data: ...

[k8s-ci-robot]

This issue is currently awaiting triage.

If metrics-server contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[erikschul]

/remove-lifecycle stale

[pyvkd]

I was facing something similar with kubenetes deployed with kubeadm.

│ E0415 00:25:39.956668       1 scraper.go:149] "Failed to scrape node" err="Get \"https://ip[removed]:10250/metrics │
│ /resource\": tls: failed to verify certificate: x509: cannot validate certificate for ip[removed] because it doesn │
│ 't contain any IP SANs" node="hostname[removed]"

I am still using --kubelet-insecure-tls setting since I just have default ones that kubeadm helps generate.

What helped in my case was deploying helm chart with following modification.

defaultArgs:
  - --kubelet-preferred-address-types=Hostname
  - --cert-dir=/tmp
  - --kubelet-use-node-status-port
  - --metric-resolution=15s
  - --kubelet-insecure-tls

[erikschul]

Using --kubelet-insecure-tls is not a correct configuration. It allows MITM attacks.

[pyvkd]

Yes you are right but this is a lab server that I created so I was initially happy with it. Anyhow I also figured out how to get rid of kubelet-insecure-tls after I saw this comment on a closed issue.. Which pointed me to ocumentation here - https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#kubelet-serving-certs to generating properly signed serving certificates for my cluster. And after following the steps metrics-server is happy. And my updated helm chart values file is following.

defaultArgs:
  - --kubelet-preferred-address-types=Hostname
  - --cert-dir=/tmp
  - --kubelet-use-node-status-port
  - --metric-resolution=15s

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle rotten
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten