This issue was moved to a discussion.

TLS 1.3 not supported #1285

Closed
Corbeau3000 opened this issue May 2, 2023 · 4 comments
@Corbeau3000
It becomes impossible to connect to the Kubernetes cluster once the kube-apiserver is configured to accept TLS 1.3 and higher.
The error obtained is:

The SSL connection could not be established, see inner exception.

Stack trace:

à System.Net.Http.ConnectHelper.d__2.MoveNext()
à System.Threading.Tasks.ValueTask1.get_Result()
à System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable1.ConfiguredValueTaskAwaiter.GetResult()
à System.Net.Http.HttpConnectionPool.d__97.MoveNext()
à System.Threading.Tasks.ValueTask1.get_Result()
à System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable1.ConfiguredValueTaskAwaiter.GetResult()
à System.Net.Http.HttpConnectionPool.d__78.MoveNext()
à System.Threading.Tasks.TaskCompletionSourceWithCancellation1.<WaitWithCancellationAsync>d__1.MoveNext()
à System.Threading.Tasks.ValueTask1.get_Result()
à System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable1.ConfiguredValueTaskAwaiter.GetResult()
à System.Net.Http.HttpConnectionPool.<GetHttp2ConnectionAsync>d__80.MoveNext()
à System.Threading.Tasks.ValueTask1.get_Result()
à System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable1.ConfiguredValueTaskAwaiter.GetResult()
à System.Net.Http.HttpConnectionPool.<SendWithVersionDetectionAndRetryAsync>d__84.MoveNext()
à System.Threading.Tasks.ValueTask1.get_Result()
à System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable1.ConfiguredValueTaskAwaiter.GetResult()
à System.Net.Http.RedirectHandler.<SendAsync>d__4.MoveNext()
à System.Net.Http.HttpClient.<<SendAsync>g__Core|83_0>d.MoveNext()
à k8s.Kubernetes.<SendRequestRaw>d__48.MoveNext()
à k8s.AbstractKubernetes.<k8s-ICoreV1Operations-ListNamespaceWithHttpMessagesAsync>d__19.MoveNext()
à k8s.CoreV1OperationsExtensions.<ListNamespaceAsync>d__15.MoveNext()
à k8s.CoreV1OperationsExtensions.ListNamespace(ICoreV1Operations operations, Nullable1 allowWatchBookmarks, String continueParameter, String fieldSelector, String labelSelector, Nullable1 limit, String resourceVersion, String resourceVersionMatch, Nullable1 sendInitialEvents, Nullable1 timeoutSeconds, Nullable1 watch, Nullable1 pretty)
à Cogiweb.Logging.Collector.Services.Kubernetes.KubernetesEventWatcher.GetLogs(Nullable1 since, Boolean follow) dans C:\projets\cogiweb.logging\Cogiweb.Logging.Collector\Services\Kubernetes\KubernetesEventWatcher.cs :ligne 59
à Cogiweb.Logging.Collector.Services.Kubernetes.KubernetesEventWatcher.GetTodaysEvents() dans C:\projets\cogiweb.logging\Cogiweb.Logging.Collector\Services\Kubernetes\KubernetesEventWatcher.cs :ligne 39
à Cogiweb.Logging.Collector.Services.EventWatcher.CheckForMissed() dans C:\projets\cogiweb.logging\Cogiweb.Logging.Collector\Services\EventWatcher.cs :ligne 46
à Cogiweb.Logging.Collector.Services.LogCollector.Run() dans C:\projets\cogiweb.logging\Cogiweb.Logging.Collector\Services\LogCollector.cs :ligne 43
à System.Threading.Thread.StartCallback()

Kubernetes C# SDK Client Version
11.0.9

Server Kubernetes Version
1.25.6

Dotnet Runtime Version
net6

To Reproduce
Create a Kubernetes cluster with the following configuration:

cat > ./kubeadm_conf.yml <<EOF
apiVersion: kubeadm.k8s.io/v1beta3
kind: InitConfiguration
nodeRegistration:
  criSocket: "unix:///run/containerd/containerd.sock"

---
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
kubernetesVersion: v1.25.6
clusterName: "test"
networking:
  podSubnet: "10.244.0.0/16" # --pod-network-cidr
controlPlaneEndpoint: "[PUT_YOUR_IP_ADDRESS]:6443"
apiServer:
  extraArgs:
    tls-min-version: "VersionTLS13"
EOF
sudo kubeadm init --config ./kubeadm_conf.yml --upload-certs

# Copy the configs:
mkdir -p $HOME/.kube
sudo cp /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Where do you run your app with Kubernetes SDK (please complete the following information):

  • OS: Windows 10
  • Environment: native
  • On prem
@tg123
Member

tg123 commented May 2, 2023

@Corbeau3000
Author

this is windows 10's fault

https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=diffie-hellman#tls-dtls-and-ssl-protocol-version-settings

Windows 10 is preventing this library from working with TLS 1.3 but not kubectl?

@tg123
Member

tg123 commented May 3, 2023

see #1112

@brendandburns
Contributor

For details, kubectl is built using golang, which includes its own implementation of TLS (https://pkg.go.dev/crypto/tls), which is why it works, whereas C# uses the system TLS.
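
The version mismatch discussed in this thread can be reproduced without a cluster. The Go program below is an added example, not code from the thread or from the kubernetes-client project; `probe` and `demo` are hypothetical names, and a loopback `httptest` server stands in for a kube-apiserver started with `tls-min-version: "VersionTLS13"`.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probe performs one TLS handshake against addr with the client capped at
// maxVersion and returns the negotiated protocol version or the handshake error.
func probe(addr string, roots *x509.CertPool, maxVersion uint16) (uint16, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		RootCAs:    roots,
		MinVersion: tls.VersionTLS12,
		MaxVersion: maxVersion,
	})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

// demo starts a loopback HTTPS server that, like a kube-apiserver run with
// tls-min-version=VersionTLS13, refuses anything older, then probes it twice.
// The server and its certificate are constructed test fixtures from httptest.
func demo() (tls12Err error, tls13Version uint16, tls13Err error) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MinVersion: tls.VersionTLS13}
	srv.StartTLS()
	defer srv.Close()

	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust only the fixture's certificate
	addr := srv.Listener.Addr().String()

	// A client whose TLS stack stops at 1.2 cannot complete the handshake.
	_, tls12Err = probe(addr, roots, tls.VersionTLS12)
	tls13Version, tls13Err = probe(addr, roots, tls.VersionTLS13)
	return
}

func main() {
	tls12Err, v, err := demo()
	fmt.Printf("client capped at TLS 1.2: %v\n", tls12Err)
	fmt.Printf("client allowing TLS 1.3: version=0x%04x err=%v\n", v, err)
}
```

Pointing `probe` at a real API server address with that cluster's CA in `roots` shows whether the server accepts a given protocol version, independent of the operating system's TLS stack.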

@kubernetes-client kubernetes-client locked and limited conversation to collaborators Sep 23, 2023
@tg123 tg123 converted this issue into discussion #1408 Sep 23, 2023
