Ask Your Question

Revision history [back]

Magnum with Kubernetes behind a firewall

I am trying Magnum on a Newton cluster behind a firewall. I have a proxy server.

magnum cluster-template-create --http-proxy http://myproxy:myport --https-proxy https://myproxy:myport --coe kubernetes ...
magnum cluster-create .....
ssh fedora@kubemaster-IP
sudo journalctl -u kubelet

I find this error in the log:

manager.go:1894] Failed to create pod infra container: ErrImagePull; Skipping pod "kube-proxy-10.0.0.9_kube-system(04083247da2cb47383b8c7432da69cd0

and

pod_workers.go:125] Error syncing pod 04083247da2cb47383b8c7432da69cd0, skipping: failed to "StartContainer" for "POD" with ErrImagePull: "image pull failed for gcr.io/google_containers/pause:2.0, this may be because there are no credentials on this request.  details: (unable to ping registry endpoint https://gcr.io/v0/\nv2 ping attempt failed with error: Get https://gcr.io/v2/: x509: certificate has expired or is not yet valid\n v1 ping attempt failed with error: Get https://gcr.io/v1/_ping: x509: certificate has expired or is not yet valid)"

After which the cluster is unusable, since it can't even set up the fundamental containers.

What puzzles me: I don't see the http-proxy environment variables anywhere on the kube-master. Not in /etc/environment, not in /etc/kubernetes. And I don't know where else to look. When I set http-proxy, I can curl http://gcr.io/google_containers/pause:2.0 without problems.

If it's really a certificate problem, I don't know where to start either.

Where should I check?