cyberark/kubeletctl

Google cloud platform support

renghen-p opened this issue · 11 comments

Hi
How can I make it work with my k8s on Google Cloud, or any other cloud?

g3rzi commented

Hi,

It depends how it was configured.
Choose one of the nodes whose kubelet you want to check.
The default kubelet configuration is /var/lib/kubelet/config.yaml, open it and check two things:

  1. authentication: anonymous: enabled: ?
    Is it set to true, false or neither?
  2. authorization: mode: ?
    Is it set to AlwaysAllow, Webhook or other?

I assume that GKE uses the secured option, which is authentication: anonymous: enabled: true and authorization: mode: Webhook; in this case you need to use a user with permissions.

You can do it with the kubeconfig file, which usually has the admin user, like this:

kubeletctl -k ~/.kube/config -s <target_node_ip>

Another option is to use a user that has permissions, together with its certificates:

kubeletctl pods -s <node_ip> --cacert /etc/kubernetes/pki/ca.crt --cert <user_cert> --key <user_key>

Currently we do not support token authentication and authorization.

Let me know if it helps you.

I got a tls: failed to find any PEM data in certificate input

kinda lost here :(

g3rzi commented

Does it work if you use the kube config file?

no it does not, but kubectl works fine

I am kinda lost here

g3rzi commented

What are the settings of the /var/lib/kubelet/config.yaml ?
Specifically the settings under authentication: anonymous: enabled: and authorization: mode:.

Can you show me the command you ran + the output?

hi

I do not have a /var/lib/kubelet/config.yaml

and the command is kubeletctl configz -k ~/.kube/config
the output is
2020/07/23 13:00:43 tls: failed to find any PEM data in certificate input

g3rzi commented

Can you verify your CA bundle (section of the certificates) in the config YAML is the base64-encoded version of the PEM-bundle (so that base-64-decoding what is in the YAML/JSON displays PEM content)?

For example, the certificate-authority-data, client-certificate-data and client-key-data should be in base64.

When you base64-decode the CA bundle content, do you get PEM content like this:

-----BEGIN CERTIFICATE-----
MIID...

g3rzi commented

@renghen Any update?

I do not have the users part for certificate. That is I do not have client-certificate-data

g3rzi commented

@renghen can you share the structure of your config file?
Sorry for the late response, we were able to reproduce it and fix it. We found that the issue is caused by wrong data in the config file.

g3rzi commented

We are closing it for now.
If it happens again, please share the structure of your config file, the problem seems to be with a wrong config structure or wrong PEM inside it.
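
The check g3rzi asks for above, applied to every cluster and user entry of a kubeconfig, as an added Go example (not kubeletctl's own code). It assumes the JSON form printed by `kubectl config view --raw -o json`; `Diagnose`, `checkPEM` and the sample config are constructed for illustration, and only verdicts are returned, never the decoded key material.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

type entry struct { // one item of "clusters" or "users"
	Name          string
	Cluster, User map[string]any
}

// checkPEM reports whether a *-data value is base64 that decodes to a PEM block.
func checkPEM(v any) string {
	s, _ := v.(string)
	if s == "" {
		return "missing" // e.g. a user entry that authenticates with a token
	}
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return "not base64" // e.g. raw PEM or a file path pasted into the field
	}
	if blk, _ := pem.Decode(raw); blk == nil {
		return "decodes to non-PEM"
	}
	return "ok"
}

// Diagnose maps "<entry name>/<field>" to a verdict for the three fields named above.
func Diagnose(cfg []byte) (map[string]string, error) {
	var kc struct{ Clusters, Users []entry }
	err := json.Unmarshal(cfg, &kc)
	out := map[string]string{}
	for _, c := range kc.Clusters {
		out[c.Name+"/certificate-authority-data"] = checkPEM(c.Cluster["certificate-authority-data"])
	}
	for _, u := range kc.Users {
		out[u.Name+"/client-certificate-data"] = checkPEM(u.User["client-certificate-data"])
		out[u.Name+"/client-key-data"] = checkPEM(u.User["client-key-data"])
	}
	return out, err
}

func main() {
	// Constructed sample: a token-only user, and a CA value that is base64 of "not pem".
	fmt.Println(Diagnose([]byte(`{"clusters":[{"name":"c1","cluster":{"certificate-authority-data":"bm90IHBlbQ=="}}],"users":[{"name":"u1","user":{"token":"REDACTED"}}]}`)))
}
```

A user entry that reports `missing` for client-certificate-data has no client certificate to pass to kubeletctl, which matches the situation described earlier in the thread.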