Hello, I’m lost on a problem I’m not able to debug further; maybe I can find help here.
In a new cluster v1.29 I can do

```
curl -k \
  --cacert /etc/pki/root_ca/k8s_intermediate_ca/test-k8s-controller-1-admin/test-k8s-controller-1-admin.chain \
  --cert /etc/pki/root_ca/k8s_intermediate_ca/test-k8s-controller-1-admin/test-k8s-controller-1-admin.pem \
  --key /etc/pki/root_ca/k8s_intermediate_ca/test-k8s-controller-1-admin/test-k8s-controller-1-admin-key.pem \
  https://localhost:6443/api/v1/namespaces/default/pods
```

successfully, but if I use

```
kubectl --kubeconfig /root/.kube/admin.kubeconfig get pods
```

with the config created from the same certs I get

```
couldn't get current server API group list: Get "https://localhost:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate specifies an incompatible key usage
```
To be honest, I’m not sure about the key usage that the admin should have. I used “digital signature”, “key encipherment”, “client auth”, “server auth”; it would be great to receive a pointer to where this info is documented.
Any idea?