Reporting Image Version Information Inside Kubernetes
In a recent project that uses Kubernetes for job processing I would have liked to have recorded data about the build of the system in conjunction with the output.
In particular, it is possible to change some of the algorithms used, and having a record of the image specs along with the reference data identities would have been nice. Note that the customer has not requested this information, but the principle applies.
I would have liked to set some configuration or some env field with the image name string from the image field of the container spec.
Summary
Ended up with a service with the following URLs, for example:
http://sa-data-store.sbnl.com:32714/kube-meta/namespaces
[{"name":"sa","url":"http:\/\/sa-data-store.sbnl.com:32714\/kube-meta\/namespaces\/sa"}.....
http://sa-data-store.sbnl.com:32714/kube-meta/namespaces/sa
[{"name":"sa-server","image":"sa-server:0.0.1"},.....
http://sa-data-store.sbnl.com:32714/kube-meta/namespaces/int
[{"name":"reference-db","image":"postgres:10.4"},.....
This is all I need the service to do.
I tried a couple of solutions using env vars in the pod:
Perhaps containers[0].podStatus.image would work, but it doesn't.
From the api docs https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.12/#envvarsource-v1-core
Object field selector :
Selects a field of the pod: supports metadata.name, metadata.namespace, metadata.labels, metadata.annotations, spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP.
Resource field selector :
Selects a resource of the container: only resources limits and requests (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
After a bit more googling, from https://stackoverflow.com/questions/30690186/how-do-i-access-the-kubernetes-api-from-within-a-pod-container
and
https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#accessing-the-api-from-a-pod
we find:
KUBE_TOKEN=$(</var/run/secrets/kubernetes.io/serviceaccount/token)
curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" \
https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/sa/pods/$HOSTNAME
This example call to the API returns data about the current pod. I ran the command from my sa data server in namespace sa (on minikube). This gives the following JSON, including the image name "image": "sa-server:0.0.1" at spec.containers[0].image
{
"kind": "Pod",
"apiVersion": "v1",
"metadata": {
"name": "sa-server-85478794fb-s97z2",
"generateName": "sa-server-85478794fb-",
"namespace": "sa",
"selfLink": "/api/v1/namespaces/sa/pods/sa-server-85478794fb-s97z2",
"uid": "3d579d5d-c0d6-11e8-a8f9-0800275f0a44",
"resourceVersion": "1103416",
"creationTimestamp": "2018-09-25T15:18:21Z",
"labels": {
"app": "sa-server",
"pod-template-hash": "4103435096"
},
"ownerReferences": [
{
"apiVersion": "extensions/v1beta1",
"kind": "ReplicaSet",
"name": "sa-server-85478794fb",
"uid": "3d107a85-c0d6-11e8-a8f9-0800275f0a44",
"controller": true,
"blockOwnerDeletion": true
}
]
},
"spec": {
"volumes": [
{
"name": "sa-data",
"hostPath": {
"path": "/tmp/sa-data",
"type": "Directory"
}
},
{
"name": "default-token-qnpcs",
"secret": {
"secretName": "default-token-qnpcs",
"defaultMode": 420
}
}
],
"containers": [
{
"name": "sa-server",
"image": "sa-server:0.0.1",
"ports": [
{
"name": "sa-server",
"containerPort": 3000,
"protocol": "TCP"
}
],
"env": [
{
"name": "SA_DATA_HOME",
"value": "/var/lib/sa-data-home"
}
],
"resources": {
},
"volumeMounts": [
{
"name": "sa-data",
"mountPath": "/var/lib/sa-data-home"
},
{
"name": "default-token-qnpcs",
"readOnly": true,
"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
}
],
"terminationMessagePath": "/dev/termination-log",
"terminationMessagePolicy": "File",
"imagePullPolicy": "IfNotPresent"
}
],
"restartPolicy": "Always",
"terminationGracePeriodSeconds": 30,
"dnsPolicy": "ClusterFirst",
"serviceAccountName": "default",
"serviceAccount": "default",
"nodeName": "minikube",
"securityContext": {
},
"schedulerName": "default-scheduler",
"tolerations": [
{
"key": "node.kubernetes.io/not-ready",
"operator": "Exists",
"effect": "NoExecute",
"tolerationSeconds": 300
},
{
"key": "node.kubernetes.io/unreachable",
"operator": "Exists",
"effect": "NoExecute",
"tolerationSeconds": 300
}
]
},
"status": {
"phase": "Running",
"conditions": [
{
"type": "Initialized",
"status": "True",
"lastProbeTime": null,
"lastTransitionTime": "2018-09-25T15:18:22Z"
},
{
"type": "Ready",
"status": "True",
"lastProbeTime": null,
"lastTransitionTime": "2018-09-25T15:18:28Z"
},
{
"type": "PodScheduled",
"status": "True",
"lastProbeTime": null,
"lastTransitionTime": "2018-09-25T15:18:21Z"
}
],
"hostIP": "192.168.99.100",
"podIP": "172.17.0.13",
"startTime": "2018-09-25T15:18:22Z",
"containerStatuses": [
{
"name": "sa-server",
"state": {
"running": {
"startedAt": "2018-09-25T15:18:26Z"
}
},
"lastState": {
},
"ready": true,
"restartCount": 0,
"image": "sa-server:0.0.1",
"imageID": "docker://sha256:86c686408ca3d4bb55902e49f1fb8915f03e7ee88417206db2c14008a3caa4ec",
"containerID": "docker://bd3db64e9b3ee341e2226509694733ef558fe4ea25f3a2602e350a93cea559e8"
}
],
"qosClass": "BestEffort"
}
}
The command can get all the pods in a given namespace like:
curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" \
https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces/sa/pods
All the namespaces like:
curl -sSk -H "Authorization: Bearer $KUBE_TOKEN" \
https://$KUBERNETES_SERVICE_HOST:$KUBERNETES_PORT_443_TCP_PORT/api/v1/namespaces
Which in my case gives:
{
"kind": "NamespaceList",
"apiVersion": "v1",
"metadata": {
"selfLink": "/api/v1/namespaces",
"resourceVersion": "1205013"
},
"items": [
{
"metadata": {
"name": "default",
"selfLink": "/api/v1/namespaces/default",
"uid": "ebc0c145-58f5-11e8-9db9-0800275f0a44",
"resourceVersion": "19",
"creationTimestamp": "2018-05-16T10:43:08Z"
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
},
{
"metadata": {
"name": "int",
"selfLink": "/api/v1/namespaces/int",
"uid": "bce05102-58f9-11e8-9db9-0800275f0a44",
"resourceVersion": "1183",
"creationTimestamp": "2018-05-16T11:10:27Z"
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
},
{
"metadata": {
"name": "kube-public",
"selfLink": "/api/v1/namespaces/kube-public",
"uid": "ec60793c-58f5-11e8-9db9-0800275f0a44",
"resourceVersion": "39",
"creationTimestamp": "2018-05-16T10:43:09Z"
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
},
{
"metadata": {
"name": "kube-system",
"selfLink": "/api/v1/namespaces/kube-system",
"uid": "eb3dc71d-58f5-11e8-9db9-0800275f0a44",
"resourceVersion": "90",
"creationTimestamp": "2018-05-16T10:43:07Z",
"annotations": {
"kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Namespace\",\"metadata\":{\"annotations\":{},\"name\":\"kube-system\",\"namespace\":\"\"}}\n"
}
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
},
{
"metadata": {
"name": "kubeless",
"selfLink": "/api/v1/namespaces/kubeless",
"uid": "5298da63-afb7-11e8-83c8-0800275f0a44",
"resourceVersion": "785122",
"creationTimestamp": "2018-09-03T20:24:13Z"
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
},
{
"metadata": {
"name": "sa",
"selfLink": "/api/v1/namespaces/sa",
"uid": "a0352854-c0d0-11e8-a8f9-0800275f0a44",
"resourceVersion": "1101764",
"creationTimestamp": "2018-09-25T14:38:10Z"
},
"spec": {
"finalizers": [
"kubernetes"
]
},
"status": {
"phase": "Active"
}
}
]
}
We can get all the namespaces, and from that list get all the pods for a namespace, and from that list get the image name for each container.
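The last step of that walk (pod list to per-container image), as an added Python example that is not the author's Clojure service. It goes one step beyond the text by also recording status.containerStatuses[].imageID, because the tag in spec.containers[].image can be re-pointed at a different build while the imageID is what the runtime reports as actually running; the function names and the Pending pod are constructed for illustration.

```python
import json

# Constructed sample: a trimmed PodList in the shape returned by
# /api/v1/namespaces/sa/pods. The first pod reuses values from the pod shown
# above; the second (Pending, no containerStatuses yet) is constructed.
SAMPLE_POD_LIST = json.loads("""
{
  "kind": "PodList",
  "items": [
    {
      "metadata": {"name": "sa-server-85478794fb-s97z2", "namespace": "sa"},
      "spec": {"containers": [{"name": "sa-server", "image": "sa-server:0.0.1"}]},
      "status": {
        "phase": "Running",
        "containerStatuses": [
          {"name": "sa-server",
           "image": "sa-server:0.0.1",
           "imageID": "docker://sha256:86c686408ca3d4bb55902e49f1fb8915f03e7ee88417206db2c14008a3caa4ec"}
        ]
      }
    },
    {
      "metadata": {"name": "kube-meta-pending", "namespace": "sa"},
      "spec": {"containers": [{"name": "kube-meta", "image": "kube-meta:0.0.1"}]},
      "status": {"phase": "Pending"}
    }
  ]
}
""")


def container_images(pod_list):
    """Return one record per container: requested tag plus resolved imageID."""
    records = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        status = pod.get("status", {})
        # Index the runtime-reported status by container name; an empty
        # imageID (container not started yet) is normalised to None.
        resolved = {s["name"]: s.get("imageID") or None
                    for s in status.get("containerStatuses", [])}
        for c in spec.get("containers", []):
            records.append({
                "pod": pod["metadata"]["name"],
                "name": c["name"],
                "image": c["image"],                 # what the spec asked for
                "imageID": resolved.get(c["name"]),  # what is running, or None
            })
    return records


def unpinned(records):
    """Names of containers whose exact build the record cannot identify."""
    return [r["name"] for r in records
            if r["imageID"] is None and "@sha256:" not in r["image"]]


if __name__ == "__main__":
    for rec in container_images(SAMPLE_POD_LIST):
        print(json.dumps(rec))
```

Storing the imageID next to job output ties a result to the image that produced it even if the 0.0.1 tag is later rebuilt.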
Next we build a Clojure library to get the data and a service to make it available. This would probably be better (smaller and faster) in golang but simple steps first.
Progress 4-10-2018
Created a web service to deliver the namespace list and the pod names and image names lists.
Examples Of Pod Name And Version Outputs
http://sa-data-store.sbnl.com:32714/kube-meta/namespaces
[{"name":"sa","url":"http:\/\/sa-data-store.sbnl.com:32714\/kube-meta\/namespaces\/sa"},
{"name":"kubeless","url":"http:\/\/sa-data-store.sbnl.com:32714\/kube-meta\/namespaces\/kubeless"},
{"name":"kube-system","url":"http:\/\/sa-data-store.sbnl.com:32714\/kube-meta\/namespaces\/kube-system"},
{"name":"kube-public","url":"http:\/\/sa-data-store.sbnl.com:32714\/kube-meta\/namespaces\/kube-public"},
{"name":"int","url":"http:\/\/sa-data-store.sbnl.com:32714\/kube-meta\/namespaces\/int"},
{"name":"default","url":"http:\/\/sa-data-store.sbnl.com:32714\/kube-meta\/namespaces\/default"}]
http://sa-data-store.sbnl.com:32714/kube-meta/namespaces/sa
[{"name":"sa-server","image":"sa-server:0.0.1"},
{"name":"sa-client-server","image":"sa-client-server:0.0.1"},
{"name":"kube-meta","image":"kube-meta:0.0.1"}]
http://sa-data-store.sbnl.com:32714/kube-meta/namespaces/int
[{"name":"reference-db","image":"postgres:10.4"},
{"name":"pre-puller","image":"jupyterhub\/k8s-pre-puller:v0.6"},
{"name":"pre-puller","image":"jupyterhub\/k8s-pre-puller:v0.6"},
{"name":"airspace-db","image":"airspace-db:0.2.0"}]
Debugging
Since increasing the k8s version to 1.11 my kube-meta no longer works. Access to the API is being refused. A wget gives a 403 and then later just times out or the connection is reset by peer.
k8s Version
Is version 1.11
kubectl version
Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.0", GitCommit:"925c127ec6b946659ad0fd596fa959be43f0cc05", GitTreeState:"clean", BuildDate:"2017-12-15T21:07:38Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.3", GitCommit:"a4529464e4629c21224b3d52edfe0ea91b072862", GitTreeState:"clean", BuildDate:"2018-09-09T17:53:03Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Logs
kubectl logs <pod-name> -n sa
Log into the running pod
kubectl exec -it <pod-name> -n sa /bin/ash
Try wget on the kubernetes api
echo ${KUBERNETES_SERVICE_PORT} ->
443
echo ${KUBERNETES_SERVICE_HOST} ->
10.96.0.1
wget --timeout 3 --server-response https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/ ->
wget: error getting response: Connection reset by peer
This fails
wget --timeout 3 --server-response https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/
Connecting to 10.96.0.1:443 (10.96.0.1:443)
ssl_client: 10.96.0.1: certificate verification failed: unable to get local issuer certificate
wget: error getting response: Connection reset by peer
Tried to use openssl to debug the problem.
openssl s_client -connect ${KUBERNETES_SERVICE_HOST}:443 -debug
CONNECTED(00000003)
depth=0 O = system:masters, CN = minikube
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = system:masters, CN = minikube
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/O=system:masters/CN=minikube
i:/CN=minikubeCA
---
Server certificate
subject=/O=system:masters/CN=minikube
issuer=/CN=minikubeCA
---
Acceptable client certificate CA names
/CN=minikubeCA
/CN=kubernetes
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1606 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: A4E7EE7C620A346A6ED8596C975E7F34513161466410FFB876CF01DDA052A6AF
Session-ID-ctx:
Master-Key: 2409316634C56E6B9C73C8BF384CB0B4BFCEDEDA0A9B2CE154335A3A3867A9DAD50D5E26DDA0AF129C746074F0D7AD3D
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket:
Start Time: 1539696390
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
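Verify error 20 in the output above means the client has no trusted issuer for the server certificate, which is signed by minikubeCA. An added example (not the author's kube-meta code): a Python client that trusts only the cluster CA file from the service-account mount, sends the token, and reports which layer rejected the call. The ca.crt file name under that mount and all function names are assumptions not shown on the page.

```python
import json
import socket
import ssl
import urllib.error
import urllib.request

# Service-account mount path, as listed in the pod's volumeMounts earlier.
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def cluster_context(ca_file=SA_DIR + "/ca.crt"):
    """TLS context that trusts only the given CA file (assumed to hold the
    cluster CA); certificate and hostname/IP checks stay enabled."""
    return ssl.create_default_context(cafile=ca_file)


def build_request(host, port, path, token):
    """Authenticated GET for the API server; the token travels only in a header."""
    req = urllib.request.Request(f"https://{host}:{port}{path}")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def classify_failure(exc):
    """Map an exception raised by urlopen() to the layer that rejected the call."""
    if isinstance(exc, urllib.error.HTTPError):
        if exc.code == 401:
            return "authentication: token missing, expired or not accepted"
        if exc.code == 403:
            # A request sent with no token is treated as system:anonymous
            # (when anonymous auth is enabled) and is also answered with 403.
            return "authorization: caller identified but not permitted to make this request"
        return f"http: unexpected status {exc.code}"
    reason = getattr(exc, "reason", exc)  # URLError wraps the socket/TLS error
    if isinstance(reason, ssl.SSLCertVerificationError):
        return "tls: server certificate not verified against the supplied CA"
    if isinstance(reason, (socket.timeout, TimeoutError, ConnectionError)):
        return "network: no usable connection to the API server"
    return f"other: {reason!r}"


def list_namespaces(host, port, token, ctx):
    """Return (names, None) on success or (None, diagnosis) on failure."""
    req = build_request(host, port, "/api/v1/namespaces", token)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=3) as resp:
            items = json.load(resp)["items"]
            return [i["metadata"]["name"] for i in items], None
    except OSError as exc:  # URLError and HTTPError are OSError subclasses
        return None, classify_failure(exc)


if __name__ == "__main__":
    import os
    with open(SA_DIR + "/token") as f:
        sa_token = f.read().strip()
    names, problem = list_namespaces(os.environ["KUBERNETES_SERVICE_HOST"],
                                     os.environ["KUBERNETES_SERVICE_PORT"],
                                     sa_token, cluster_context())
    print(names if problem is None else problem)
```

Keeping verification on and separating the TLS, 401 and 403 cases shows whether a failure is a trust problem or a permissions problem, which a bare "connection reset" does not.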
Diagnosing TLS With OpenSSL
See https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html
openssl version ->
OpenSSL 1.0.2o 27 Mar 2018
openssl version -a ->
OpenSSL 1.0.2o 27 Mar 2018
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_BUF_FREELISTS -Os -fomit-frame-pointer -Os -fomit-frame-pointer -g -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/ssl"