Windows node invalid certificate (Certificate does not include any IP SANs)

[peer-qvannatter]

microk8s/microk8s-resources/default-args/kube-apiserver

Line 30 in 66176f2

--kubelet-certificate-authority=${SNAP_DATA}/certs/ca.crt

By default, with the installation of a Windows node a self-signed kubelet.crt is created.

Currently, there's two issues with the certificate that's created.

1. It does not include any IP SANs
2. Because it's self-signed, the certificate authority is not trusted.

This breaks functionality related to "kubectl exec" and "kubectl logs" when accessing resources on a Windows node.

The introduction of "--kubelet-certificate-authority=${SNAP_DATA}/certs/ca.crt" flag by default enables the validation of the certificates which causes all of these new issues.

As a workaround, either the certificate on the windows node needs to be created manually and signed by the control plane certificate or
the line "--kubelet-certificate-authority=${SNAP_DATA}/certs/ca.crt" can be removed from "/var/snap/microk8s/current/args/kube-apiserver"

[neoaggelos]

Hi @peer-qvannatter. Indeed, in MicroK8s 1.28 we applied more hardened defaults, one of which was --kubelet-certificate-authority (see https://microk8s.io/docs/how-to-cis-harden#check-125-29)

It would be useful if the Windows worker nodes was updated to include instructions for generating that certificate for worker nodes, such that kubelet proxy calls are trusted.