kubectl exec fails "cannot validate certificate because it doesn't contain any IP SANs"
If you used this command to create your certificate:
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem
Then your issue can be resolved by doing the following as the 'client' cert uses an -extfile extfile.cnf:
echo subjectAltName = IP:worker_node_ip > extfile.cnf
openssl x509 -req -days 365 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial \
  -out server-cert.pem -extfile extfile.cnf
You can specify any number of IP addresses, such as IP:127.0.0.1,IP:127.0.1.1 (non localhost as well).
If you're using Kubernetes with a Google Container Cluster, this may fix the issue as it did for me:
gcloud container clusters get-credentials <cluster-name> \
  --project <project-name> --zone <zone>
That message is coming from the master trying to connect to the node (the flow of traffic is kubectl -> master API -> kubelet -> container). When starting the master, are you setting --kubelet_certificate_authority? If so, the master expects to be able to validate the kubelet's serving cert, which means it needs to be valid for the hostnames/IP addresses the master uses to connect to it.