Tags: kubernetes, kubectl, kops

Service account x509: certificate signed by unknown authority


I am having issues with service accounts. I created a service account and then created .key and .crt using this guide:

https://docs.bitnami.com/kubernetes/how-to/configure-rbac-in-your-kubernetes-cluster/

I used cluster_ca.key and cluster_ca.crt from the KOPS_STATE_STORE bucket (since I used kops to create the cluster) to create the user ca.crt and ca.key. Then I got the token from the secret.

I set the context like this:

kubectl config set-cluster ${K8S_CLUSTER_NAME} --server="${K8S_URL}" --embed-certs=true --certificate-authority=./ca.crt
kubectl config set-credentials gitlab-telematics-${CI_COMMIT_REF_NAME} --token="${K8S_TOKEN}"
kubectl config set-context telematics-dev-context --cluster=${K8S_CLUSTER_NAME} --user=gitlab-telematics-${CI_COMMIT_REF_NAME}
kubectl config use-context telematics-dev-context

When I do the deployment using that service account token, I get the following error:

error: unable to recognize "deployment.yml": Get https://<CLUSTER_ADDRESS>/api?timeout=32s: x509: certificate signed by unknown authority

The Service Account, Role and RoleBinding YAML:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitlab-telematics-dev
  namespace: telematics-dev

---
kind: Role
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; on current
# clusters use rbac.authorization.k8s.io/v1 (same schema).
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: telematics-dev-full-access
  namespace: telematics-dev
rules:
  # "*" grants every verb on these resources within the namespace only;
  # a Role (not a ClusterRole) cannot reach other namespaces.
  - apiGroups: ["", "extensions", "apps"]
    resources: ["deployments", "replicasets", "pods", "services"]
    verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: telematics-dev-view
  namespace: telematics-dev
subjects:
  - kind: ServiceAccount
    name: gitlab-telematics-dev
    namespace: telematics-dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: telematics-dev-full-access

The generated kubeconfig looks fine to me:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <REDACTED>
    server: https://<CLUSTER_ADDRESS>
  name: <CLUSTER_NAME>
contexts:
- context:
    cluster: <CLUSTER_NAME>
    user: gitlab-telematics-dev
  name: telematics-dev-context
current-context: telematics-dev-context
kind: Config
preferences: {}
users:
- name: gitlab-telematics-dev
  user:
    token: <REDACTED>

Solution

  • I managed to solve this. Sorry for the late answer. Posting this in case someone else is facing the same issue.

    The following line is not needed:

    kubectl config set-cluster ${K8S_CLUSTER_NAME} --server="${K8S_URL}" --embed-certs=true --certificate-authority=./ca.crt

    As we are issuing tokens, only the token can be used.