kubernetes: `kubectl get cs` problem with secured etcd2

i am trying to setup simple kubernetes cluster, with 3 master, each master running etcd2 instance in HTTPS mode. But when i run kubectl get cs i got:

etcd-2               Unhealthy   Get http://c.master.kubeinternal:2379/health: malformed HTTP response "\x15\x03\x01\x00\x02\x02"   
etcd-1               Unhealthy   Get http://b.master.kubeinternal:2379/health: malformed HTTP response "\x15\x03\x01\x00\x02\x02"   
etcd-0               Unhealthy   Get http://a.master.kubeinternal:2379/health: malformed HTTP response "\x15\x03\x01\x00\x02\x02"

i already have specified

--etcd-cafile=/etc/kubernetes/ssl/cert-ca.pem
--etcd-certfile=/etc/kubernetes/ssl/cert-master.pem
--etcd-keyfile=/etc/kubernetes/ssl/key-master.pem
--etcd-servers=https://a.master.kubeinternal:2379,https://b.master.kubeinternal:2379,https://c.master.kubeinternal:2379

in apiserver command line, but it seem doesn’t work.

btw, this is output from etcdctl cluster-health

member 522d6830c147a014 is healthy: got healthy result from https://c.master.kubeinternal:2379
member 5c228a4de15dee8f is healthy: got healthy result from https://b.master.kubeinternal:2379
member fbb23dfd5f0a4b59 is healthy: got healthy result from https://a.master.kubeinternal:2379

About this issue

Original URL
State: closed
Created 8 years ago
Comments: 17 (5 by maintainers)

Commits related to this issue

Merge pull request #39716 from zhouhaibing089/etcd-health-check Automatic merge from submit-queue etcd component status check should include credentials - [x] Add TLS credentials into `pkg/generica... — committed to kubernetes/kubernetes by deleted user 7 years ago

Most upvoted comments

Fixes is submitted at https://github.com/kubernetes/kubernetes/pull/39716.

+11

zhouhaibing089 on Jan 11, 2017

gonna try to reproduce this in my own environment, and fix it if possible.

zhouhaibing089 on Jan 10, 2017

seems still not fixed, I am using “gcr.io/google_containers/kube-apiserver-amd64:v1.4.6” and still getting bad certificate for etcd health.

[root@kube1 ~]# kubectl get cs NAME STATUS MESSAGE ERROR scheduler Healthy ok
controller-manager Healthy ok
etcd-1 Unhealthy Get https://172.16.7.12:2379/health: remote error: bad certificate
etcd-0 Unhealthy Get https://172.16.7.11:2379/health: remote error: bad certificate
etcd-2 Unhealthy Get https://172.16.7.13:2379/health: remote error: bad certificate

[root@kube1 ~]# etcdctl -cert-file=/etc/kubernetes/pki/etcd.pem --ca-file=/etc/kubernetes/pki/ca.pem --key-file=/etc/kubernetes/pki/etcd-key.pem member list 3a24731bbbb50806: name=kube2 peerURLs=https://172.16.7.12:2380 clientURLs=https://172.16.7.12:2379 isLeader=false 7b8f6804a483e938: name=kube1 peerURLs=https://172.16.7.11:2380 clientURLs=https://172.16.7.11:2379 isLeader=true 812af6000899ab40: name=kube3 peerURLs=https://172.16.7.13:2380 clientURLs=https://172.16.7.13:2379 isLeader=false

[root@kube1 ~]# etcdctl -cert-file=/etc/kubernetes/pki/etcd.pem --ca-file=/etc/kubernetes/pki/ca.pem --key-file=/etc/kubernetes/pki/etcd-key.pem cluster-health member 3a24731bbbb50806 is healthy: got healthy result from https://172.16.7.12:2379 member 7b8f6804a483e938 is healthy: got healthy result from https://172.16.7.11:2379 member 812af6000899ab40 is healthy: got healthy result from https://172.16.7.13:2379 cluster is healthy [root@kube1 ~]#

pawankkamboj on Dec 13, 2016