Tags: api, kubernetes, ssl-client-authentication

K8S (1.9): how to access the API server with a client certificate


Question

How can I access the API server API with a client certificate? I tried the command below, but with no success.

export K8S_PKI_HOME=/etc/kubernetes/pki
curl -k --key ${K8S_PKI_HOME}/ca.key --cert ${K8S_PKI_HOME}/ca.crt \
https://localhost:6443/api/v1/componentstatuses

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "componentstatuses is forbidden: User \"kubernetes\" cannot list componentstatuses at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "componentstatuses"
  },
  "code": 403
}

According to X509 Client Certs (Authentication Strategies):

Client certificate authentication is enabled by passing the --client-ca-file=SOMEFILE option to API server.

In the /etc/kubernetes/manifests/kube-apiserver.yaml, --client-ca-file=/etc/kubernetes/pki/ca.crt is specified.

spec:
  containers:
  - command:
    - kube-apiserver
    - --client-ca-file=/etc/kubernetes/pki/ca.crt

Solution

  • Found that the client certificate and key were wrong.

    # sudo curl -iv -L \
    >      --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt \
    >      --key  /etc/kubernetes/pki/apiserver-kubelet-client.key \
    >      --cacert /etc/kubernetes/pki/ca.crt \
    > https://172.31.4.117:6443/healthz
    * About to connect() to 172.31.4.117 port 6443 (#0)
    *   Trying 172.31.4.117...
    * Connected to 172.31.4.117 (172.31.4.117) port 6443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/kubernetes/pki/ca.crt
      CApath: none
    * NSS: client certificate from file
    *   subject: CN=kube-apiserver-kubelet-client,O=system:masters
    *   start date: Dec 23 05:13:30 2017 GMT
    *   expire date: Dec 23 05:13:30 2018 GMT
    *   common name: kube-apiserver-kubelet-client
    *   issuer: CN=kubernetes
    * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    * Server certificate:
    *   subject: CN=kube-apiserver
    *   start date: Dec 23 05:13:30 2017 GMT
    *   expire date: Dec 23 05:13:30 2018 GMT
    *   common name: kube-apiserver
    *   issuer: CN=kubernetes
    > GET /healthz HTTP/1.1
    > User-Agent: curl/7.29.0
    > Host: 172.31.4.117:6443
    > Accept: */*
    > 
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Date: Mon, 25 Dec 2017 02:10:15 GMT
    Date: Mon, 25 Dec 2017 02:10:15 GMT
    < Content-Length: 2
    Content-Length: 2
    < Content-Type: text/plain; charset=utf-8
    Content-Type: text/plain; charset=utf-8
    
    < 
    * Connection #0 to host 172.31.4.117 left intact
    ok
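The 403 in the question and the 200 in the solution come down to which identity the certificate presents: kube-apiserver maps the subject CN to the username and each O to a group. Presenting ca.crt gives the user "kubernetes" with no groups, which no RBAC binding grants anything; apiserver-kubelet-client.crt carries O=system:masters, which is bound to cluster-admin. The script below is an added example (not part of the original post) that prints the identity a PEM certificate will be mapped to, checks that it chains to the cluster CA, and flags system:masters membership so you can see before connecting why a certificate is or is not authorized. It assumes openssl is on PATH; the paths are arguments, and the function names are mine.

```shell
#!/bin/sh
# Added example: inspect a Kubernetes client certificate the way kube-apiserver
# will interpret it. Assumes the openssl CLI is installed.

# Print "user=<CN> groups=<O ...>" for a PEM certificate.
# kube-apiserver uses the subject CN as the username and every O as a group.
k8s_cert_identity() {
  subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null) || return 1
  # Older OpenSSL prints "subject= CN=...", newer prints "subject=CN=..."
  subject=$(printf '%s' "$subject" | sed 's/^subject= *//')
  user=$(printf '%s\n' "$subject" | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
  groups=$(printf '%s\n' "$subject" | tr ',' '\n' | sed -n 's/^O=//p' | paste -sd ' ' -)
  printf 'user=%s groups=%s\n' "$user" "$groups"
}

# Return 0 if the certificate chains to the CA the apiserver trusts
# (the file given to --client-ca-file) and is within its validity period.
k8s_cert_verify() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if the certificate grants cluster-admin via the system:masters group.
# A certificate like this should be kept for the control plane, not copied to users.
k8s_cert_is_cluster_admin() {
  groups=$(k8s_cert_identity "$1" | sed 's/^.*groups=//')
  case " $groups " in
    *" system:masters "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone usage: ./script.sh <ca.crt> <client.crt>
if [ "$#" -eq 2 ]; then
  k8s_cert_identity "$2"
  if k8s_cert_verify "$1" "$2"; then echo "chains to CA: yes"; else echo "chains to CA: no"; fi
  if k8s_cert_is_cluster_admin "$2"; then echo "cluster-admin (system:masters): yes"; else echo "cluster-admin (system:masters): no"; fi
fi
```

Run against the files from the post, `./script.sh /etc/kubernetes/pki/ca.crt /etc/kubernetes/pki/ca.crt` shows user=kubernetes with no groups (the 403 case), while `./script.sh /etc/kubernetes/pki/ca.crt /etc/kubernetes/pki/apiserver-kubelet-client.crt` shows O=system:masters. The verify step only tells you whether the apiserver will accept the certificate for authentication; authorization is still decided by RBAC against the CN and O values printed.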