Lab related Question: ``` The kube-api server stopped again! Check it out. Insp . . .

nitish gavankar:
Lab related Question:

The kube-api server stopped again! Check it out. Inspect the kube-api server logs and identify the root cause and fix the issue.

Run crictl ps -a command to identify the kube-api server container. Run crictl logs container-id command to view the logs. 

So the Answer is the - --etcd-cafile=/etc/kubernetes/pki/ca.crt this was set incorrectly.

But How will I know which is the correct CA ?

}. Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: certificate signed by unknown authority"
W0817 14:07:55.606233       1 logging.go:59] [core] [Channel #1 SubChannel #2] grpc: addrConn.createTransport failed to connect to {
  "Addr": "", ----------> 
  "ServerName": "",
  "Attributes": null,
  "BalancerAttributes": null,
  "Type": 0,
  "Metadata": null

Based on this I guessed that there is something wrong with ETCD

"Addr": "", ----------> 

But I didnt understand how shall I conclude that the CA certificate was wrong.
Coz all 3 ETCD related files are located in */pki folder. Only the CA file should be from */pki/etcd folder

  • –etcd-cafile=/etc/kubernetes/pki/ca.crt
  • –etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    • –etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key

Does that mean, for every Kube-apiserver, the CA.crt file provided for etcd should be ETCD CA only and cant be Kube-apiserver CA?

nitish gavankar:
Also, shall we expect such questions in Exam. If so, do we need to check each and every cert line by line ?

nitish gavankar:
I saw the solution too.
MM assumes that ETCD has different CA.

Shall we also assume that ETCD will have differnt CA everytime or we need to check the certificate in detail?

Ly Quoc Bao:
Hey @nitish gavankar,
Actually, I have a little confused about your point. Could you please send me the link lab?

nitish gavankar:
Sure :

Its from CKA -> Security -> practice-test-view-certificate-details

Ly Quoc Bao:
Hey, please refer to
We have multiple intermediate CAs which are generated from root CA and configured correctly CN.
How certificates are used by your cluster:
• Client certificates for the kubelet to authenticate to the API server
• Client certificate for the API server to talk to etcd
Hope it helps!

nitish gavankar:
Thank you Raymond. I will check this throrughly and get back to you.