
How to bypass certificate check when connect to Kubernetes #233

Open
hunglv8863 opened this issue Feb 21, 2024 · 1 comment

Comments


hunglv8863 commented Feb 21, 2024

Hi all,
I have a Kubernetes cluster which connects to an external Vault v1.15.5 (Vault is running directly on an Ubuntu host).
My Kubernetes is running in Rancher, and the certificate is currently for the internal IP.
When trying to log in using a service account token, Vault shows this error in the log:

auth.kubernetes.auth_kubernetes_e9501638: login unauthorized: err="Post \"https://10.0.41.150:6443/apis/authentication.k8s.io/v1/tokenreviews\": tls: failed to verify certificate: x509: certificate is valid for 10.0.30.221, 127.0.0.1, 10.43.0.1, not 10.0.41.150"

It seems that Vault got an error when connecting to Kubernetes, and the Kubernetes certificate is not valid.

Is there any parameter that can disable the Kubernetes cert check? I don't find any in the documentation.
Even when I added all certs in the chain to the kubernetes_ca_cert parameter, it still shows the same error.

Thank you.

benashz (Contributor) commented Feb 21, 2024

@hunglv8863 Ideally the configured CA chain should suffice in this case. I don't think we would ever add a feature to skip the TLS verification, since that would make the authentication request susceptible to a man-in-the-middle type of attack.

It does look like the issue is due to the K8s cluster TLS certificate not including the specific IP/host in its Subject Alternative Name (SAN). Is there any way you could configure your https://developer.hashicorp.com/vault/api-docs/auth/kubernetes#kubernetes_host to use one of those IPs to access your K8s cluster?
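The check that produced the error above is a SAN match, not a CA-chain problem, which is why adding more certificates to `kubernetes_ca_cert` cannot fix it. The script below is an added example (not code from this issue or from the vault-plugin-auth-kubernetes project) that reproduces the mismatch offline: it mints a throwaway self-signed API server certificate carrying the three IP SANs quoted in the error, lists the SANs, tests candidate `kubernetes_host` addresses against them the same way a TLS client would, and prints the matching `vault write auth/kubernetes/config` command. The certificate, the file paths and the candidate list are constructed for the demonstration; it needs OpenSSL 1.1.1 or newer for `-addext` and `-verify_ip`.

```shell
#!/bin/sh
# Reproduce the "certificate is valid for A, B, C, not D" failure from the
# issue and pick a kubernetes_host that the API server cert is valid for.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/apiserver.crt"

# Constructed stand-in for the cluster's API server certificate: the SANs
# mirror the ones quoted in the error message. Not a real Rancher cert.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/apiserver.key" -out "$CERT" \
    -subj "/CN=kube-apiserver" \
    -addext "subjectAltName=IP:10.0.30.221,IP:127.0.0.1,IP:10.43.0.1" \
    >/dev/null 2>&1
}

# Print the certificate's IP SANs, one per line.
list_ip_sans() {
  openssl x509 -in "$1" -noout -text \
    | tr ',' '\n' \
    | sed -n 's/.*IP Address:\([0-9.]*\).*/\1/p'
}

# Exit 0 if IP $2 is an exact entry in $1's SAN list, 1 otherwise.
# A TLS client ignores the CN once SANs are present, so this is the test
# that decides whether the TokenReview POST in the issue can succeed.
host_in_sans() {
  list_ip_sans "$1" | grep -qxF "$2"
}

# Full chain + SAN verification with openssl, the closest CLI analogue to
# what Vault's Go TLS client does (cert is self-signed, so it is its own CA).
tls_verify_ip() {
  openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# Choose the first candidate address the cert is actually valid for and
# print it as a kubernetes_host URL (port 6443 as in the error message).
pick_kubernetes_host() {
  cert="$1"
  shift
  for candidate in "$@"; do
    if host_in_sans "$cert" "$candidate"; then
      echo "https://$candidate:6443"
      return 0
    fi
  done
  return 1
}

make_cert

echo "IP SANs in the API server cert:"
list_ip_sans "$CERT" | sed 's/^/  /'

for ip in 10.0.41.150 10.0.30.221; do
  if tls_verify_ip "$CERT" "$ip"; then
    echo "$ip: verifies (in SAN list)"
  else
    echo "$ip: does NOT verify (the x509 error from the issue)"
  fi
done

KUBE_HOST="$(pick_kubernetes_host "$CERT" 10.0.41.150 10.0.30.221 10.43.0.1)"
echo "kubernetes_host to configure: $KUBE_HOST"
# The matching Vault command (printed, not run; needs a live Vault and the
# cluster CA file, whose path here is a placeholder):
echo "vault write auth/kubernetes/config kubernetes_host=$KUBE_HOST kubernetes_ca_cert=@/path/to/cluster-ca.crt"
```

Of the three SANs in the error, 127.0.0.1 is loopback on the API server host and 10.43.0.1 is the in-cluster service address, so from a Vault running outside the cluster only 10.0.30.221 is a realistic `kubernetes_host`; the other way out is to reissue the API server certificate with 10.0.41.150 in its SAN list.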
