kubernetes: kubectl doesn't override certificate-authority from cmdline

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug

What happened:

  • Created cluster with kops, which generated its own self-signed certificate and put certificate-authority-data in ~/.kube/config.
  • Put master (API) nodes behind HTTPS ELB and added Amazon-hosted certificate for SSL termination.
  • Run any kubectl command that has to hit the API
kubectl create -f - << EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: foobar
EOF
Unable to connect to the server: x509: certificate signed by unknown authority
  • (That’s annoying because the CA that signed the cert is a public CA, and the root cert is in my OS keystore. Potentially another bug?)
  • Download the appropriate key from AWS Trust (In my case, AWS ACM certificate = Starfield Services Root Certificate Authority - G2)
  • Use the certificate to attempt the same request
kubectl --certificate-authority=./SFSRootCAG2.pem create -f - << EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: foobar
EOF
error: certificate-authority-data and certificate-authority are both specified for k8s.EXAMPLE.COM. certificate-authority-data will override.

What you expected to happen: Commandline-specified certificate overrides any other options

How to reproduce it (as minimally and precisely as possible): Put any certificate-authority-data in ~/.kube/config for your host and attempt to override on cmdline.

Anything else we need to know?: validation.go seems to be where the problem comes from, it’s not differentiating “param came from cmdline” from “have param”.

If I remove the certificate-authority-data from ~/.kube/config then it works for both intended cases - either with specifying the CA cert on cmdline or via system certs.

Environment:

  • Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.6", GitCommit:"7fa1c1756d8bc963f1a389f4a6937dc71f08ada2", GitTreeState:"clean", BuildDate:"2017-06-16T20:46:19Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.2", GitCommit:"477efc3cbe6a7effca06bd1452fa356e2201e1ee", GitTreeState:"clean", BuildDate:"2017-04-19T20:22:08Z", GoVersion:"go1.7.5", Compiler:"gc", Platform:"linux/amd64"}
  • Cloud provider or hardware configuration: AWS
  • OS (e.g. from /etc/os-release): OSX
  • Kernel (e.g. uname -a):
Darwin mbp.local 16.6.0 Darwin Kernel Version 16.6.0: Fri Apr 14 16:21:16 PDT 2017; root:xnu-3789.60.24~6/RELEASE_X86_64 x86_64 i386 MacBookPro13,3 Darwin
  • Install tools: kops

  • Others:

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 4
  • Comments: 23 (4 by maintainers)
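
The conflict described in the report, modelled as an added Go example (not part of the original issue and not client-go's own code): a check that only sees the merged configuration cannot tell a flag from a file entry, while a merge that knows where the CA came from can. `Cluster`, `ErrBothCA`, `validate`, `mergeNaive` and `mergeOverrideAware` are hypothetical names, and the CA bytes are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Cluster is a simplified, hypothetical stand-in for one kubeconfig cluster entry.
type Cluster struct {
	Server string
	CAFile string // certificate-authority (path to a PEM file)
	CAData []byte // certificate-authority-data (inline PEM)
}

// ErrBothCA corresponds to the error quoted in the report.
var ErrBothCA = errors.New("certificate-authority-data and certificate-authority are both specified")

// validate only sees the merged entry, so it cannot know which field came from a flag.
func validate(c Cluster) error {
	if c.CAFile != "" && len(c.CAData) > 0 {
		return ErrBothCA
	}
	return nil
}

// mergeNaive copies the flag value over the file entry and keeps the file's inline CA.
func mergeNaive(file, flags Cluster) Cluster {
	out := file
	if flags.CAFile != "" {
		out.CAFile = flags.CAFile
	}
	return out
}

// mergeOverrideAware lets a CA given on the command line replace any CA from the file.
func mergeOverrideAware(file, flags Cluster) Cluster {
	out := mergeNaive(file, flags)
	if flags.CAFile != "" {
		out.CAData = nil // drop the file's inline CA for this invocation only
	}
	return out
}

func main() {
	file := Cluster{Server: "https://k8s.EXAMPLE.COM", CAData: []byte("constructed-kops-ca")}
	flags := Cluster{CAFile: "./SFSRootCAG2.pem"}
	fmt.Println(validate(mergeNaive(file, flags)), validate(mergeOverrideAware(file, flags)))
}
```

With the override-aware merge, the flag replaces the trust anchor stored in the kubeconfig for that invocation, so any certificate chaining to the supplied root is accepted for that server. An entry that sets both fields in the file itself is still rejected.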

Most upvoted comments

also with 1.9.3

This is very annoying. It says “certificate-authority-data will override” but it will fail and do nothing, exiting with 0.

It should at least do the override and try to execute

any chance this can be reopened? still seems to be a problem with 1.20 of kubectl

Still a problem.

/remove-lifecycle stale