Replies: 4 comments
No, you cannot disable TLS certificate validation between cluster components. Why would you need to use kubelet serving certs that aren't issued by the k3s root CA? There is no way to get the virtual kubelets to use the cluster CA? Also note that k3s expects all nodes to be k3s nodes, things may act weird if you have virtual kubelets or kubelets from other Kubernetes distributions.
I listed /var/lib/rancher/k3s/server/tls, and found
I listed /var/lib/rancher/k3s/server/tls, and found server-ca.crt: root crt
It's actually easier than that:

curl -vkS -H 'k3s-Node-Name: k3s-agent-1' -H 'k3s-Node-Password: password' 'https://node:TOKEN@SERVER:6443/v1-k3s/serving-kubelet.crt'
curl -vkS -H 'k3s-Node-Name: k3s-agent-1' -H 'k3s-Node-Password: password' 'https://node:TOKEN@SERVER:6443/v1-k3s/client-kubelet.crt'

This will generate you a cert chain + private key that can be used by the kubelet. Replace
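Added example, not part of the thread or of k3s: a shell check that a PEM bundle of the kind described in the reply above (certificate chain plus private key) chains to the cluster CA and that the key matches the leaf certificate. The CAs and bundles are constructed test data, the function names are hypothetical, and treating server-ca.crt as the trust anchor for kubelet serving certificates is an assumption.

```shell
#!/usr/bin/env bash
# Added example. Every key and certificate here is constructed test data; on a
# real server the CA file is assumed to be /var/lib/rancher/k3s/server/tls/server-ca.crt.

# check_kubelet_bundle CA_FILE BUNDLE_FILE  (hypothetical helper)
# BUNDLE_FILE: PEM certificate chain followed by a private key.
# Returns 0 if the leaf chains to CA_FILE and the key matches the leaf,
# 1 if the chain does not verify, 2 if the key does not belong to the leaf.
check_kubelet_bundle() {
  local ca=$1 bundle=$2 tmp rc=0
  tmp=$(mktemp -d)
  awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$bundle" > "$tmp/chain.pem"
  awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' "$bundle" > "$tmp/key.pem"
  if ! openssl verify -CAfile "$ca" -untrusted "$tmp/chain.pem" "$tmp/chain.pem" >/dev/null 2>&1; then
    rc=1
  elif [ "$(openssl x509 -in "$tmp/chain.pem" -noout -pubkey)" != \
         "$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null)" ]; then
    rc=2
  fi
  rm -rf "$tmp"
  return "$rc"
}

# make_ca DIR NAME: constructed self-signed CA written to NAME.crt / NAME.key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_bundle DIR CA_NAME OUT: leaf for CN=k3s-agent-1 signed by CA_NAME,
# written to OUT.pem as certificate + key in one file.
make_bundle() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=k3s-agent-1" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
  cat "$1/$3.crt" "$1/$3.key" > "$1/$3.pem"
}

# Demo: a bundle issued by the cluster CA passes, one from another CA is rejected.
d=$(mktemp -d)
make_ca "$d" cluster-ca; make_ca "$d" vendor-ca
make_bundle "$d" cluster-ca good; make_bundle "$d" vendor-ca foreign
for b in good foreign; do
  check_kubelet_bundle "$d/cluster-ca.crt" "$d/$b.pem" && echo "$b: ok" || echo "$b: rejected (rc=$?)"
done
rm -rf "$d"
```
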
I want to add some cloud vendors' virtual nodes to my k3s cluster, but these virtual nodes do not have k3s' root certificates, so they cannot obtain the trust of the apiserver. I need to turn off the k3s apiserver's verification of the kubelet certificate. Is there any way to do this? In other words, is there any way I can set --kubelet-certificate-authority to empty?