Hello,
I am following CKA course. In etcd example video shows to run following command :
kubectl exec etcd-master -n kube-system etcdctl get / --prefix -keys-only
but I am getting error as Error: unknown flag: --prefix.
May I know if I am doing something wrong here. Attached is the screenshot from course video and my environment.
Thanks
Ashish
Hello @06ashishrawat
Let me know.
kubectl exec etcd-master -n kube-system – etcdctl get / --prefix --keys-only
Hello @Tej-Singh-Rana here is the output :
[root@master ~]# kubectl exec etcd-master -n kube-system – etcdctl get / --prefix --keys-only
Error: unknown flag: --prefix
See ‘kubectl exec --help’ for usage.
[root@master ~]#
Thanks
Ashish
Where you are performing this?
In my k8s cluster, it’s a three node cluster.1 master and 2 worker.
here is the details :
[root@master ~]# kubectl get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
master Ready master 47d v1.18.6 192.168.120.220 CentOS Linux 7 (Core) 3.10.0-1127.13.1.el7.x86_64 docker://1.13.1
worker-1 Ready 47d v1.18.6 192.168.120.221 CentOS Linux 7 (Core) 3.10.0-1127.13.1.el7.x86_64 docker://1.13.1
worker-2 Ready 47d v1.18.6 192.168.120.222 CentOS Linux 7 (Core) 3.10.0-1127.13.1.el7.x86_64 docker://1.13.1
[root@master ~]#
Thanks
Ashish
kubectl exec etcd-master -n kube-system -- etcdctl get / --prefix --keys-only --cacert /etc/kubernetes/pki/etcd/ca.crt --key /etc/kubernetes/pki/etcd/server.key --cert /etc/kubernetes/pki/etcd/server.crt
ETCDCTL_API='3' etcdctl get / --prefix --keys-only \
--cacert /etc/kubernetes/pki/etcd/ca.crt \
--key /etc/kubernetes/pki/etcd/server.key \
--cert /etc/kubernetes/pki/etcd/server.crt \
--endpoints=127.0.0.1:2379
Try from your terminal without mention, etcd-master Pod.
This one is working :
[root@master ~]# kubectl exec etcd-master -n kube-system – etcdctl get / --prefix --keys-only --cacert /etc/kubernetes/pki/etcd/ca.crt --key /etc/kubernetes/pki/etcd/server.key --cert /etc/kubernetes/pki/etcd/server.crt
/registry/apiregistration.k8s.io/apiservices/v1.
/registry/apiregistration.k8s.io/apiservices/v1.admissionregistration.k8s.io
Thanks, at this point I won’t ask how and why 
I am sure in future topics all this will get clear.
As usual, thanks a lot for your great support all the time.
It should be work. But continue new releases and bug fixes. So they changed process time to time. To make it more secure.
great, thanks a lot for clarification…
i got similar error, certificate path is different. resolved by this command
kubectl exec etcd-docker-desktop -n kube-system – etcdctl get / --prefix --keys-only --cacert /run/config/pki/etcd/ca.crt --key /run/config/pki/etcd/server.key --cert /run/config/pki/etcd/server.crt |wc -l
644
The difference here is which container you’re using for “exec”. The path you see might be specific to Docker Desktop. I tried this in a kubeadm install from one of our playgrounds, and the certs are at a different location, as you can see here:
controlplane ~ ➜ ps -aef | grep etcd
root 2691 2145 0 01:51 ? 00:03:25 kube-apiserver --advertise-address=192.168.59.178 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-issuer=https://kubernetes.default.svc.cluster.local --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-account-signing-key-file=/etc/kubernetes/pki/sa.key --service-cluster-ip-range=172.20.0.0/16 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
root 2778 2157 0 01:51 ? 00:01:46 etcd --advertise-client-urls=https://192.168.59.178:2379 --cert-file=/etc/kubernetes/pki/etcd/server.crt --client-cert-auth=true --data-dir=/var/lib/etcd --feature-gates=InitialCorruptCheck=true --initial-advertise-peer-urls=https://192.168.59.178:2380 --initial-cluster=controlplane=https://192.168.59.178:2380 --key-file=/etc/kubernetes/pki/etcd/server.key --listen-client-urls=https://127.0.0.1:2379,https://192.168.59.178:2379 --listen-metrics-urls=http://127.0.0.1:2381 --listen-peer-urls=https://192.168.59.178:2380 --name=controlplane --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt --peer-client-cert-auth=true --peer-key-file=/etc/kubernetes/pki/etcd/peer.key --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt --snapshot-count=10000 --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt --watch-progress-notify-interval=5s
root 60826 55512 0 03:00 pts/2 00:00:00 grep --color=auto etcd
controlplane ~ ➜ ls /proc/2778/root/etc/kubernetes/pki/etcd/
ca.crt healthcheck-client.crt peer.crt server.crt
ca.key healthcheck-client.key peer.key server.key