This article explores inspecting certificate details within a Kubernetes control plane and troubleshooting common TLS issues.
In this article, we explore the lab solution for inspecting certificate details within a Kubernetes control plane. You will learn how to review manifest file snippets, identify certificate and key files used by the Kube API Server for secure communications (with both ETCD and the Kubelet), and troubleshoot common TLS issues.
The Kube API Server manifest—typically located at /etc/kubernetes/manifests/kube-apiserver.yaml—specifies various TLS parameters. The following excerpt demonstrates the configuration and certificate file usage:
The API server’s serving credentials are provided by files such as /etc/kubernetes/pki/apiserver.crt and /etc/kubernetes/pki/apiserver.key (demonstrated in later snippets).
A dedicated certificate and key pair is used for secure communication with the ETCD server (specified with the --etcd-certfile and --etcd-keyfile flags).
A separate certificate is set for authenticating the Kubelet using the flags --kubelet-client-certificate and --kubelet-client-key.
Notice the use of --tls-cert-file and --tls-private-key-file flags, which designate the locations of the certificate file /etc/kubernetes/pki/apiserver.crt and its matching private key /etc/kubernetes/pki/apiserver.key used for HTTPS communications with clients.
Understanding ETCD server configuration is critical for troubleshooting certificate-related issues in the control plane. The ETCD pod mounts the PKI directory and specifies its certificate files as demonstrated below:
When you run the OpenSSL command on /etc/kubernetes/pki/apiserver.crt, you may see that the certificate is valid from April 17, 2022, to April 17, 2023—a one-year duration.
Inspecting the root CA certificate (e.g., /etc/kubernetes/pki/ca.crt) reveals a validity period of approximately 10 years (from April 17, 2022, to April 14, 2032).
6. Troubleshooting kubectl Connection and ETCD Certificate Issues
After updating control plane configurations, you might encounter errors such as:
Copy
Ask AI
root@controlplane:~# kubectl get podsThe connection to the server controlplane:6443 was refused - did you specify the right host or port?
This error suggests that the kube-apiserver cannot be reached. One troubleshooting approach is to inspect the API server container using Docker:
Copy
Ask AI
root@controlplane:~# docker ps -a | grep kube-apiserver
Often, you may spot errors in the API server logs, for example:
Copy
Ask AI
error while dialing TCP 127.0.0.1:2379
Since port 2379 is associated with ETCD, checking the ETCD server logs might reveal an error like:
Copy
Ask AI
open /etc/kubernetes/pki/etcd/server-certificate.crt: no such file or directory
This indicates that the ETCD server is looking for a certificate in an incorrect location (e.g., server-certificate.crt instead of server.crt). To resolve such issues:
Ensure the certificate file exists on the host at /etc/kubernetes/pki/etcd/ (typically as server.crt and server.key).
Update the ETCD manifest file to use the correct certificate file path.
Save the changes and allow time for the container to restart.
If you encounter TLS handshake errors (e.g., “certificate signed by unknown authority”) in the API server logs, verify that the ETCD connection references the correct CA file. The ETCD trusted CA should be /etc/kubernetes/pki/etcd/ca.crt, and the client certificate parameters (--etcd-certfile and --etcd-keyfile) should be consistent with ETCD requirements.
This article underscores the importance of verifying certificate and key configurations in your Kubernetes manifests. By ensuring proper file paths and matching certificate data across the API server, ETCD, and Kubelet, you can maintain a secure and reliable control plane environment.
