Cannot connect to API server over ipv6 #3437

Closed
sjoerdsimons opened this issue Jun 11, 2021 · 4 comments

@sjoerdsimons
Contributor

Environmental Info:
K3s Version:
k3s version v1.21.1+k3s1 (75dba57)
go version go1.16.4

Node(s) CPU architecture, OS, and Version:
Linux node 4.19.0-16-cloud-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux

Cluster Configuration:
Single node

Describe the bug:
Cannot connect to the API server over IPv6 due to IPv6 addresses missing in the DNS altnames.

Steps To Reproduce:
Install k3s on a dual-stacked node; trying to connect to it over IPv6 with kubectl gives:

```
Unable to connect to the server: x509: certificate is valid for 10.x.x.x, 127.0.0.1, 172.x.x.x, not 2a05:d018:f83:9b00:xxxx:xxxx:xxxx:xxxx
```

Expected behavior:
successful connection

Actual behavior:
failed connection

Additional context / logs:
This seems to be due to dynamic listener not regarding an IPv6 address as a valid CN; see rancher/dynamiclistener#37

@brandond
Member

brandond commented Jun 11, 2021

That is correct. Note that the upstream apiserver itself does not support dual-stack operation yet, so even after fixing dynamiclistener to support IPv6 addresses, I still don't think you'll get what you want: kubernetes/enhancements#2438

@sjoerdsimons
Contributor Author

Actually, after fixing dynamic listener I could connect to the API server externally with kubectl just fine and apply configuration etc. So it does seem to work, at least at a basic level.

k3s already listens externally on the IPv6 wildcard on port 6443. Internally in the cluster I'm sure it's a whole different story, which I think is what the ticket you pointed to mostly focusses on?

@brandond
Member

If you're only worried about external connections then yes, updating dynamiclistener should cover your use case.

@stale

stale bot commented Dec 11, 2021

This repository uses a bot to automatically label issues which have not had any activity (commit/comment/label) for 180 days. This helps us manage the community issues better. If the issue is still relevant, please add a comment to the issue so the bot can remove the label and we know it is still valid. If it is no longer relevant (or possibly fixed in the latest release), the bot will automatically close the issue in 14 days. Thank you for your contributions.

@stale stale bot added the status/stale label Dec 11, 2021
@stale stale bot closed this as completed Dec 25, 2021