Services and ports

Services can be placed in two groups based on the network interface they bind to. Services binding to the localhost interface are only available from within the host. Services binding to the default host interface are available from outside the host and thus are subject to access restrictions.

Services binding to the default Host interface

Port Service Access Restrictions
16443 API server SSL encrypted. Clients need to present a valid password from a Static Password File.
10250 kubelet Anonymous authentication is disabled. X509 client certificate is required.
10255 kubelet Read only port for the Kubelet.
25000 cluster-agent Proper token required to authorise actions.
12379 etcd SSL encrypted. Client certificates required to connect.
10257 kube-controller Serve HTTPS with authentication and authorization.
10259 kube-scheduler Serve HTTPS with authentication and authorization.
19001 dqlite SSL encrypted. Client certificates required to connect.
4789/udp calico Calico networking with VXLAN enabled.

Services binding to the localhost interface

Port Service Description
10248 kubelet Localhost healthz endpoint.
10249 kube-proxy Port for the metrics server to serve on.
10251 kube-schedule Port on which to serve HTTP insecurely.
10252 kube-controller Port on which to serve HTTP insecurely.
10256 kube-proxy Port to bind the health check server.
2380 etcd Used for peer connections.
1338 containerd Metrics port

Containerd and etcd

Both these services are exposed through unix sockets.

Service Socket
containerd unix:///var/snap/microk8s/common/run/containerd.sock

Authentication and authorization

Upon deployment MicroK8s creates a Certificate Authority, a signed server certificate and a service account key file. These files are stored under /var/snap/microk8s/current/certs/. Kubelet and the API server are aware of the same CA and so the signed server certificate is used by the API server to authenticate with kubelet (--kubelet-client-certificate).

Initially the server certificates will be issued for:

  • localhost and all the ip addresses avaliable on the machine, typically it’s LAN address
  • various mDNS addresses, such as kubernetes.default and kubernetes.default.svc.cluster.local

This will only allow Kubectl to access the API server locally, to access it through the internet and a real domain name you must add it to the file /var/snap/microk8s/current/certs/csr.conf.template, for example:

[ alt_names ]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
DNS.6 = mydomain.com

After changing, refresh the certificates with:

sudo microk8s refresh-certs --cert server.crt

This will generate new certs and restart the apiserver. Your DNS server settings and
kubeconfig file must be updated appropriately.

Clients talking to the secure port of the API server (16443), such as the Kubectl command line utility, have to be aware of the CA (certificate-authority-data in user kubeconfig).

The authentication strategies enabled by default are:

  • Static Token File with tokens in /var/snap/microk8s/current/credentials/known_tokens.csv
  • X509 Client Certs with the client CA file set to /var/snap/microk8s/current/certs/ca.crt

Prior to version 1.19, the following strategy is also available:

  • Static Password File with password tokens and usernames stored in /var/snap/microk8s/current/credentials/basic_auth.csv

Under /var/snap/microk8s/current/credentials/ you can find the client.config kubeconfig file used by microk8s kubectl.

By default all authenticated requests are authorized as the api-server runs with --authorization-mode=AlwaysAllow. Turning on RBAC is done through microk8s enable rbac.

References

HI,
not documented how to authenticate (user/pass) to grafana.
In How to change dashboard / grafana login credentials? · Issue #389 · ubuntu/microk8s · GitHub it says to use /var/snap/microk8s/current/credentials/basic_auth.csv but here it says it for versions prior to 1.19.
What user/pass to user for auth to grafana for versions after 1.19?

I think the user/password is printed after enabling the prometheus addon.
I recall it to be admin/admin default. It prompts you to change after your first login.

1 Like

It worked! Thanks a lot. :smile:
I must have missed the prompt when enabling prometheus. I enabled a lot of add-ons at the same time.
There must be a better way to document this :thinking:.

** After changing, the apiserver-kicker will automatically detect the difference, generate new certs and restart the apiserver.**

This does not appear to be true. However, it should be documented that the following will properly generate new certificates:

sudo microk8s refresh-certs
1 Like

can we please add this hint to the official documentation? Took me 2hours and only hit the refresh-certs sub-command by luck. How about:

After changing, refresh the certificates with:

sudo microk8s refresh-certs

This will generate new certs and restart the apiserver. Your DNS server settings and
kubeconfig file must be updated appropriately.

(I hereby release all rights I may have had on this snipplet.)

1 Like

I’m on microk8s v1.26.3 and it seems like sudo microk8s refresh-certs command doesn’t do the job anymore. You actually need to run sudo microk8s refresh-certs --cert server.crt for the server certificate to be updated. It would be nice to see the docs updated.

1 Like