kube-etcd-healthcheck-client certificate subject mismatch with the docs #2915

Closed
nnlkcncff opened this issue Aug 8, 2023 · 1 comment · Fixed by kubernetes/kubernetes#119859
Labels
area/pki PKI and certificate related issues kind/bug Categorizes issue or PR as related to a bug. priority/backlog Higher priority than priority/awaiting-more-evidence.

@nnlkcncff

Versions

```
kubeadm version --output short
v1.27.3

kubectl version --short
Client Version: v1.27.3

# cloud provider: n/a

cat /etc/os-release
PRETTY_NAME="Ubuntu 23.04"

uname -a
Linux master-1 6.2.0-20-generic #20-Ubuntu SMP PREEMPT_DYNAMIC Thu Apr  6 07:48:48 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

containerd --version
containerd github.com/containerd/containerd v1.7.2 0cae528dd6cb557f7201036e9f43420650207b58

# CNI: calico
```

What happened?

After cluster provisioning I noticed that the kube-etcd-healthcheck-client certificate was not created as specified in the documentation.

```
cfssl certinfo -cert /etc/kubernetes/pki/etcd/healthcheck-client.crt
{
  "subject": {
    "common_name": "kube-etcd-healthcheck-client",
    "organization": "system:masters",
    "names": [
      "system:masters",
      "kube-etcd-healthcheck-client"
    ]
  },
  "issuer": {
    "common_name": "etcd-ca",
    "names": [
      "etcd-ca"
    ]
  },
  "serial_number": "9022477560793950297",
  "not_before": "2023-07-31T09:28:19Z",
  "not_after": "2024-07-30T09:28:19Z",
  "sigalg": "SHA256WithRSA",
  "authority_key_id": "C5:B1:A1:3E:36:CF:84:B9:A5:8B:A6:36:0B:F8:39:C1:8C:DC:09:F5",
  "subject_key_id": "",
  "pem": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"
}
```

What you expected to happen?

According to the docs, it should not contain "organization": "system:masters" and "names": "system:masters".

How to reproduce it (as minimally and precisely as possible)?

Provision a cluster with:

```
kubeadm init --control-plane-endpoint... \
	--pod-network-cidr... \
	--upload-certs
```
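
A check for the mismatch reported above, as an added example that is not part of the original issue or of kubeadm's code: it reads `cfssl certinfo` JSON and reports any organization that is not in the documented subject. The `EXPECTED` table, `PRIVILEGED_GROUPS` and the function names are assumptions for illustration, and the sample input is constructed from the output quoted in the issue.

```python
import json

# Constructed sample: the subject/issuer fields from the cfssl output above
# (serial, dates, key ids and PEM omitted).
SAMPLE_CERTINFO = """
{
  "subject": {
    "common_name": "kube-etcd-healthcheck-client",
    "organization": "system:masters",
    "names": ["system:masters", "kube-etcd-healthcheck-client"]
  },
  "issuer": {"common_name": "etcd-ca", "names": ["etcd-ca"]}
}
"""

# Assumption taken from the issue text: the documented subject has this CN
# and no organization (O) at all.
EXPECTED = {"kube-etcd-healthcheck-client": set()}

# The Kubernetes API server maps O= values of a client certificate to groups;
# system:masters is the built-in superuser group.
PRIVILEGED_GROUPS = {"system:masters"}


def subject_orgs(certinfo):
    """Return the set of O= values; cfssl joins multiple values with ','."""
    raw = certinfo.get("subject", {}).get("organization", "")
    return {o.strip() for o in raw.split(",") if o.strip()}


def audit_subject(certinfo_json):
    """Compare a cfssl certinfo subject with the expected one; return findings."""
    info = json.loads(certinfo_json)
    cn = info.get("subject", {}).get("common_name", "")
    if cn not in EXPECTED:
        return [f"unknown CN {cn!r}: no expected subject to compare against"]
    orgs = subject_orgs(info)
    findings = []
    for org in sorted(orgs - EXPECTED[cn]):
        level = "privileged" if org in PRIVILEGED_GROUPS else "unexpected"
        findings.append(f"{cn}: {level} organization {org!r} not in documented subject")
    for org in sorted(EXPECTED[cn] - orgs):
        findings.append(f"{cn}: documented organization {org!r} is missing")
    return findings


if __name__ == "__main__":
    for line in audit_subject(SAMPLE_CERTINFO):
        print(line)
```
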

SataQiu (Member) commented Aug 9, 2023

/assign
Thanks for your feedback, @nnlkcncff.
I'll check it soon.
