Ping a Specific Port

Question

srinu259

Asked: 2020-04-26 04:33:21 +0800 CST2020-04-26 04:33:21 +0800 CST 2020-04-26 04:33:21 +0800 CST

Why do kubernetes kube-api server need etcd-keyfile and kubelet-client-key

772

As I understand kube-api server acts as a client when communicating with ETCD and Kubelet. Both ETCD and Kubelet act as servers for kube-api. With secure environment (two way SSL authentication), kube-api server needs the ETCD and Kubelet certificates and the CA certificate. What I don't understand is why do we need to provide the private keys of ETCD (etcd-keyfile) and Kubelet (kubelet-client-key) while configuring kube-apiserver.yaml ?

1 Answers

Voted

mdaniel · Answer 1 · 2020-04-26T16:59:28+08:00

Best Answer

mdaniel

2020-04-26T16:59:28+08:002020-04-26T16:59:28+08:00

Because etcd uses X.509 mutual TLS authentication in kubernetes, so the apiserver needs to be able to prove it has ownership over the client certificate that is presented to the server, and that happens via private key

There are other authentication options for etcd, but kubernetes doesn't use them, and it's unclear if the apiserver even offers a non-TLS authentication option for connecting to etcd, even if you wanted to

6

Why do kubernetes kube-api server need etcd-keyfile and kubelet-client-key

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?