Duplicated SANs in k8s-apiserver certificates #2260

Closed
atsikham opened this issue Aug 26, 2020 · 2 comments
Labels
triage/duplicate Indicates an issue is a duplicate of other open issue.

Comments

@atsikham

What keywords did you search in kubeadm issues before filing this one?

tls, apiserver, certificate, extrasan, san, certsan, duplicate

Is this a BUG REPORT or FEATURE REQUEST?

BUG REPORT

Versions

kubeadm version (use kubeadm version):

kubeadm version: &version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.6", GitCommit:"dff82dc0de47299ab66c83c626e08b245ab19037", GitTreeState:"clean", BuildDate:"2020-07-15T16:56:34Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.6", GitCommit:"dff82dc0de47299ab66c83c626e08b245ab19037", GitTreeState:"clean", BuildDate:"2020-07-15T16:58:53Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"18", GitVersion:"v1.18.6", GitCommit:"dff82dc0de47299ab66c83c626e08b245ab19037", GitTreeState:"clean", BuildDate:"2020-07-15T16:51:04Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}
  • Cloud provider or hardware configuration:
    Azure, but reproduced in any environment
  • OS (e.g. from /etc/os-release):
    Ubuntu 18.04.4 LTS, reproduced with other OS
  • Kernel (e.g. uname -a):
    Linux 5.3.0-1028-azure #29~18.04.1-Ubuntu SMP Fri Jun 5 14:32:34 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

What happened?

When you add extra SANs for the k8s apiserver in the kubeadm config, if some value is already in the list of SANs that kubeadm adds by default, this value will be duplicated. It can be handled on the other side, but in this case the kubeadm config is out of sync on all control plane nodes with the kubeadm configmap. Important note: it does not break anything.

What you expected to happen?

Kubeadm filters duplicated entries.

How to reproduce it (as minimally and precisely as possible)?

Add all control plane node addresses to apiServer.certSANs and deploy an HA k8s cluster.

@neolit123
Member

fixed here kubernetes/kubernetes#92753 for 1.19
but cannot be backported to 1.18 and older since in k8s we only backport critical fixes.

/close

@k8s-ci-robot
Contributor

@neolit123: Closing this issue.

In response to this:

fixed here kubernetes/kubernetes#92753 for 1.19
but cannot be backported to 1.18 and older since in k8s we only backport critical fixes.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@neolit123 neolit123 added the triage/duplicate Indicates an issue is a duplicate of other open issue. label Aug 26, 2020
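
For clusters on 1.18 or older, where the fix referenced in this thread is not available, one way to check an issued certificate for repeated SAN entries is sketched below. This is an added example, not code from kubeadm or from any participant in this issue; `duplicateSANs` and `sampleCert` are hypothetical names, and the certificate and its SAN values are constructed in-process with a fixed throwaway key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// duplicateSANs lists SANs that occur more than once in cert. DNS names are
// compared case-insensitively, IP addresses by their canonical text form.
func duplicateSANs(cert *x509.Certificate) (dups []string) {
	seen := map[string]int{}
	note := func(k string) {
		if seen[k]++; seen[k] == 2 { // report each repeated entry once
			dups = append(dups, k)
		}
	}
	for _, d := range cert.DNSNames {
		note("DNS:" + strings.ToLower(d))
	}
	for _, ip := range cert.IPAddresses {
		note("IP:" + ip.String())
	}
	return dups
}

// sampleCert issues a self-signed certificate with the given SANs (constructed test data).
func sampleCert(dns []string, ips []net.IP) (*x509.Certificate, error) {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed throwaway key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: dns, IPAddresses: ips,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := sampleCert([]string{"kubernetes", "cp-1", "CP-1"}, []net.IP{{10, 0, 0, 4}, {10, 0, 0, 4}})
	if err != nil {
		panic(err)
	}
	fmt.Println(duplicateSANs(cert))
}
```

To check a real certificate, decode its PEM block with `encoding/pem` and pass the result of `x509.ParseCertificate` to `duplicateSANs`.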