I'm trying to set up an NRI based on the quick-start, and I get a TLS error when I try to create a Pod:
Error from server (InternalError): error when creating "/tmp/testpod.yaml": Internal error occurred: failed calling webhook "network-resources-injector-mutating-config.k8s.cni.cncf.io": failed to call webhook: Post "https://network-resources-injector-service.kube-system.svc:443/mutate?timeout=10s": remote error: tls: bad certificate
In the NRI logs, a corresponding message saying the client didn't provide a cert:
2023/06/23 01:33:07 http: TLS handshake error from 10.244.0.1:38392: tls: client didn't provide a certificate
If I run with --insecure, it works.
I see that the NRI server loads the service account client cert on startup, and without --insecure, expects it to be sent by the apiserver with each request. But from my understanding of the relevant Kubernetes docs, getting the apiserver to send a client cert involves starting the API server with --admission-control-config-file, populating a kubeConfig file somewhere, none of which is mentioned in the NRI readme. So I feel like I'm missing something. Is it possible to use NRI with client cert auth, without touching config files on the node?
Sidebar question - does NRI have side-effects? If not, --insecure seems OK in that I'm not too worried who the client is if all the controller does is return a patch response.
Many thanks for this handy tool!
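Added example, not part of the original issue and not NRI's own code: a Go program that reproduces the handshake behaviour described above against a throwaway TLS server, showing that the server's client-auth policy alone decides whether a caller without a certificate is rejected. The helper names, the `/mutate` stand-in handler and the constructed self-signed client certificate are assumptions, and `tls.RequireAndVerifyClientCert` is assumed to correspond to running without `--insecure`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// callWebhook POSTs to a throwaway TLS server (hypothetical stand-in for the webhook).
func callWebhook(mode tls.ClientAuthType, sendCert bool) error {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{ // constructed self-signed client cert, also used as client CA
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-client"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{ClientAuth: mode, ClientCAs: pool} // server-side client-cert policy
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // trusts the test server's own certificate
	if sendCert {
		client.Transport.(*http.Transport).TLSClientConfig.Certificates = []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}
	}
	resp, err := client.Post(srv.URL+"/mutate", "application/json", nil)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}
func main() {
	fmt.Println(callWebhook(tls.RequireAndVerifyClientCert, false), callWebhook(tls.RequireAndVerifyClientCert, true), callWebhook(tls.NoClientCert, false))
}
```

The three results printed are, in order: certificate required but none sent, certificate required and sent, and certificate not requested. In the first case the test server also logs `tls: client didn't provide a certificate` to stderr, the same server-side message quoted in the issue.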