ACI with Kubernetes needs a fix (Ansible version and Docker cert)

tipkopf
Level 1

Team,

With Kubernetes 1.15 the lab does not work anymore:

_kube-system(10388e5ca072958c4f33ec2488d20b33)" with CreatePodSandboxError: "CreatePodSandbox for pod \"etcd-sbx20kube01.localdomain_kube-system(10388e5ca072958c4f33ec2488d20b33)\" failed: rpc error: code = 2 desc = failed pulling image \"gcr.io/google_containers/pause-amd64:3.0\": x509: certificate signed by unknown authority"

 

I tried specifying 1.14.3, which worked for me a month ago, to no avail. This is step #8: https://developer.cisco.com/learning/tracks/acik8s/acik8s-setup/acik8s-install/step/8

Running a playbook succeeds only up to 'network':

./auto_deploy.sh POD_NUM POD_PASS network

The next step, 'k8', won't work. Also, Ansible 2.8 is no good; for the playbooks in the lab, 2.6.4 is a must:

sudo ~/sbx_acik8s/venv/bin/pip install ansible==2.6.4

1 Reply

tipkopf
Level 1

Cisco Umbrella skewed the TLS checks:

[developer@sbx20kube01 ~]$ echo | openssl s_client -connect storage.googleapis.com:443   | egrep "^subject=|^issuer="                     
depth=3 O = Cisco, CN = Cisco Umbrella Root CA
verify return:1
depth=2 C = US, ST = California, L = San Francisco, O = Cisco, CN = Cisco Umbrella Primary SubCA
verify return:1
depth=1 O = Cisco, CN = Cisco Umbrella Secondary SubCA pao-SG
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "OpenDNS, Inc.", CN = *.opendns.com
verify return:1
DONE
subject=/C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
issuer=/O=Cisco/CN=Cisco Umbrella Secondary SubCA pao-SG
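
The check done by eye in the reply above can be scripted. This is an added example, not part of the original post or the lab's code: it parses the `subject=`/`issuer=` lines that `openssl s_client` prints and flags a leaf certificate that does not cover the requested host or comes from an unexpected issuer. The function names and the issuer allowlist are assumptions.

```python
import re

# Constructed sample: the subject/issuer lines shown in the reply above.
SAMPLE = """\
subject=/C=US/ST=California/L=San Francisco/O=OpenDNS, Inc./CN=*.opendns.com
issuer=/O=Cisco/CN=Cisco Umbrella Secondary SubCA pao-SG
"""

def parse_dn(dn):
    """Parse OpenSSL's one-line DN form ("/C=US/O=Example/CN=host") into a dict."""
    fields = {}
    # Split on "/" only where ATTR= follows, so values keep their commas and spaces.
    for part in re.split(r"/(?=[A-Za-z0-9.]+=)", dn.strip()):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields

def name_covers(host, pattern):
    """True if a certificate name covers host; '*' stands for exactly one leftmost label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return host == pattern

def check_chain_head(host, s_client_text, expected_issuer_orgs):
    """Return a list of findings for the leaf certificate; an empty list means no surprise."""
    subject = issuer = None
    for line in s_client_text.splitlines():
        if line.startswith("subject="):
            subject = parse_dn(line[len("subject="):])
        elif line.startswith("issuer="):
            issuer = parse_dn(line[len("issuer="):])
    if subject is None or issuer is None:
        return ["no subject=/issuer= lines found"]
    findings = []
    # Only the subject CN is visible in this output; SAN entries are not checked here.
    if not name_covers(host, subject.get("CN", "")):
        findings.append(f"subject CN {subject.get('CN')!r} does not cover {host!r}")
    if issuer.get("O") not in expected_issuer_orgs:
        findings.append(f"issuer O {issuer.get('O')!r} is not an expected issuer")
    return findings

if __name__ == "__main__":
    # Assumed allowlist: replace with the issuer organisation you expect for the host.
    for finding in check_chain_head("storage.googleapis.com", SAMPLE, {"Google Trust Services"}):
        print("WARN:", finding)
```

Both findings fire on the sample: a `*.opendns.com` certificate issued under a Cisco CA was served for `storage.googleapis.com`, which is why the image pull failed with "certificate signed by unknown authority".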