CoreDNS does not trust/is not using k8s API certs #8866

Closed
darkdatter opened this issue Jul 28, 2020 · 3 comments
Labels

  • area/cni: CNI support
  • kind/support: Categorizes issue or PR as a support question.
  • priority/awaiting-more-evidence: Lowest priority. Possibly useful, but not yet enough support to actually get it done.

darkdatter commented Jul 28, 2020

Steps to reproduce the issue:

  1. Start a CentOS 7.8 instance on AWS
  2. Install Docker, CRI-O, kubectl, kubeadm, minikube
  3. minikube start --vm-driver=none --network-plugin=cni

CoreDNS logs:
E0728 18:10:30.158244 1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.2/tools/cache/reflector.go:105: Failed to list *v1.Endpoints: Get https://10.96.0.1:443/api/v1/endpoints?limit=500&resourceVersion=0: dial tcp 10.96.0.1:443: i/o timeout
I0728 18:10:30.159403 1 trace.go:116] Trace[1168565194]: "Reflector ListAndWatch" name:pkg/mod/k8s.io/client-go@v0.17.2/tools/cache/reflector.go:105 (started: 2020-07-28 18:10:00.159129253 +0000 UTC m=+408.715178072) (total time: 30.000258015s):
Trace[1168565194]: [30.000258015s] [30.000258015s] END
E0728 18:10:30.159412 1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.2/tools/cache/reflector.go:105: Failed to list *v1.Namespace: Get https://10.96.0.1:443/api/v1/namespaces?limit=500&resourceVersion=0: dial tcp 10.96.0.1:443: i/o timeout
[INFO] plugin/ready: Still waiting on: "kubernetes"
[INFO] plugin/ready: Still waiting on: "kubernetes"

kube-api logs:
{"log":"I0728 18:14:21.306300 1 log.go:172] http: TLS handshake error from x.x.x.x:33834: remote error: tls: unknown certificate authority\n","stream":"stderr","time":"2020-07-28T18:14:21.306477746Z"}
{"log":"I0728 18:14:33.237964 1 log.go:172] http: TLS handshake error from x.x.x.x:33878: remote error: tls: unknown certificate authority\n","stream":"stderr","time":"2020-07-28T18:14:33.238144702Z"}

FYI: I am using the latest Cilium version for my CNI plugin.

Versions:

  • latest minikube: v1.12.1
  • CentOS 7.8
  • kubectl v1.18.6
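
A triage helper for the two log excerpts in the report above, added here as an example (not part of the original thread, nor minikube or CoreDNS code): it separates failures where the TCP connect never completed from failures where a TLS peer sent an alert. The function names and stage labels are assumptions; the sample lines are copied from the report.

```python
import json
import re
from collections import Counter

# Sample input: lines copied from the report above (CoreDNS, then kube-apiserver).
COREDNS_LINES = [
    'E0728 18:10:30.158244 1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.2/tools/cache/reflector.go:105: Failed to list *v1.Endpoints: Get https://10.96.0.1:443/api/v1/endpoints?limit=500&resourceVersion=0: dial tcp 10.96.0.1:443: i/o timeout',
    'E0728 18:10:30.159412 1 reflector.go:153] pkg/mod/k8s.io/client-go@v0.17.2/tools/cache/reflector.go:105: Failed to list *v1.Namespace: Get https://10.96.0.1:443/api/v1/namespaces?limit=500&resourceVersion=0: dial tcp 10.96.0.1:443: i/o timeout',
    '[INFO] plugin/ready: Still waiting on: "kubernetes"',
]
APISERVER_LINES = [
    r'{"log":"I0728 18:14:21.306300 1 log.go:172] http: TLS handshake error from x.x.x.x:33834: remote error: tls: unknown certificate authority\n","stream":"stderr","time":"2020-07-28T18:14:21.306477746Z"}',
    r'{"log":"I0728 18:14:33.237964 1 log.go:172] http: TLS handshake error from x.x.x.x:33878: remote error: tls: unknown certificate authority\n","stream":"stderr","time":"2020-07-28T18:14:33.238144702Z"}',
]

DIAL_TIMEOUT = re.compile(r"dial tcp (\S+): i/o timeout")
TLS_ALERT = re.compile(r"TLS handshake error from (\S+): (remote|local) error: tls: (.+)")


def classify(line):
    """Return (stage, peer, detail) for a connection failure, else None."""
    line = line.strip()
    if line.startswith("{"):  # Docker json-file wrapper: the message is in "log"
        line = json.loads(line)["log"].strip()
    m = DIAL_TIMEOUT.search(line)
    if m:
        # The TCP connect timed out, so no TLS handshake ran and no
        # certificate was evaluated on this connection.
        return ("tcp-connect", m.group(1), "i/o timeout")
    m = TLS_ALERT.search(line)
    if m:
        # "remote error": the peer sent the TLS alert.
        # "local error": the process writing the log sent it.
        return ("tls-handshake", m.group(1), f"{m.group(2)}: {m.group(3)}")
    return None


def summarize(lines):
    """Count failures per stage so each symptom can be chased separately."""
    return Counter(r[0] for r in map(classify, lines) if r)


if __name__ == "__main__":
    for entry in COREDNS_LINES + APISERVER_LINES:
        print(classify(entry))
    print(dict(summarize(COREDNS_LINES + APISERVER_LINES)))
```

On these excerpts the CoreDNS errors classify as `tcp-connect` and the kube-apiserver errors as `tls-handshake` with an alert sent by the remote peer, so the timeouts to 10.96.0.1:443 and the unknown-CA alerts are two separate symptoms.
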
@sharifelgamal
Collaborator

We changed how some of our CNI handling works in minikube 1.12, you can now just specify --cni=cilium in your minikube start command. I'd be curious to see if that helps anything.

sharifelgamal added the area/cni, priority/awaiting-more-evidence and kind/support labels on Aug 12, 2020

RA489 commented Sep 30, 2020

@darkdatter Any luck with above suggestions?

@priyawadhwa

Hey @darkdatter I'm going to go ahead and close this issue as it's been quiet for a couple months. Please reopen at any time if you're still facing this issue -- I'd suggest trying the following:

  1. Upgrading to our latest version of minikube (currently 1.15.1)
  2. Trying our new CNI handling via minikube start --cni=cilium

Thank you for opening this issue!
