kubernetes: kubectl should warn user if they attempt to authenticate to the cluster using an expired certificate

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see http://kubernetes.io/docs/troubleshooting/.):

What keywords did you search in Kubernetes issues before filing this one? (If you have found any duplicates, you should instead reply there.):


Is this a BUG REPORT or FEATURE REQUEST? (choose one): Feature request

Kubernetes version (use kubectl version): v1.5.1

Environment:

  • Cloud provider or hardware configuration: Kubernetes on self-hosted private cloud
  • OS (e.g. from /etc/os-release): CoreOS 1235.6.0
  • Kernel (e.g. uname -a): 4.7.3-coreos-r2
  • Install tools:
  • Others:

What happened: When a user with an expired client certificate attempts to use kubectl to interact with a cluster, they get a very unhelpful error:

%  kubectl get pods
error: You must be logged in to the server (the server has asked for the client to provide credentials)

After a lot of digging, the user may discover that their client certificate has expired and needs to be renewed.

What you expected to happen: I expected to get a more helpful error. The API service returned a 401 Unauthorized, yet this is never shown to the user, except when verbosity is bumped up.

I’d like to see two improvements:

  • Before attempting to connect to the API service, kubectl checks the TLS certificate to see if the expiration date < current time. If it has indeed expired, print a helpful message to the user.
  • When an API request returns a 401 Unauthorized message, print a more helpful message, perhaps something along the lines of “Server response: client is not authorized to request this resource. Please verify your authentication credentials and/or certificates for validity”.

How to reproduce it (as minimally and precisely as possible):

  1. Generate a client certificate that expired before the current system time.
  2. Attempt to use it with kubectl to interact with the cluster.

Anything else we need to know:

About this issue

  • State: open
  • Created 7 years ago
  • Reactions: 3
  • Comments: 16 (9 by maintainers)

Most upvoted comments

Agreed @liggitt. This would be a kubectl feature. Almost everyone that uses cert-based auth will run into this issue eventually.

The certificate expiry check is such a little amount of code and would save users so much headache and time. Why not let them know?
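
A sketch of the client-side expiry check requested in the issue, added here as an example; it is not code from kubectl or from anyone in this thread. The names `checkClientCert` and `makeTestCert` and the common name `example-user` are assumptions, and the check goes slightly beyond the request by also reporting a certificate that is not yet valid.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkClientCert is a hypothetical pre-flight check (not kubectl code) on the leaf client certificate.
func checkClientCert(pemData []byte, now time.Time) error {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no PEM CERTIFICATE block found in client certificate data")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("client certificate is unreadable: %w", err)
	}
	if now.After(cert.NotAfter) {
		return fmt.Errorf("client certificate %q expired on %s; renew it before retrying", cert.Subject.CommonName, cert.NotAfter.Format(time.RFC3339))
	}
	if now.Before(cert.NotBefore) {
		return fmt.Errorf("client certificate %q is not valid until %s; check the system clock", cert.Subject.CommonName, cert.NotBefore.Format(time.RFC3339))
	}
	return nil
}

// makeTestCert builds a throwaway self-signed certificate (constructed sample input).
func makeTestCert(notBefore, notAfter time.Time) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter,
		Subject: pkix.Name{CommonName: "example-user"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(checkClientCert(makeTestCert(time.Unix(0, 0), time.Unix(86400, 0)), time.Now()))
}
```

Run as written, it prints the expiry error for a constructed certificate that was valid only on 1970-01-01.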