Kubernetes aggregation certificates – apiserver client authentication allowed names

Definitions I’m using in this question:

  • Main apiserver: the core kube-apiserver
  • Extension apiserver: an addon like metrics-server

I am reading through the configure aggregation layer guide and I don’t understand the main apiserver’s use of --requestheader-allowed-names. In section Kubernetes Apiserver Client Authentication it says:

The connection must be made using a client certificate whose CN is one of those listed in --requestheader-allowed-names. Note: You can set this option to blank as --requestheader-allowed-names="". This will indicate to an extension apiserver that any CN is acceptable.

It makes it sound like the main apiserver is responsible for setting this. Surely the extension apiserver would be in control of this and determine what is acceptable? Why configure this on the main apiserver at all? I.e., the client certificate common names are what they are, and it's up to the extension apiserver to accept/reject these?

Or is that doc section mixing options that are passed to both the main and extension apiservers?
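As an added illustration (not part of the question, and not code from Kubernetes), the following models the check an extension apiserver performs on a request that arrives through the kube-apiserver's aggregation proxy. The kube-apiserver publishes its --requestheader-* flag values into the extension-apiserver-authentication ConfigMap in kube-system, and an extension apiserver reads its policy from that ConfigMap; the key names below are the real ones, the values are a constructed sample in the same shape (JSON-encoded lists). The function assumes TLS verification against the requestheader client CA has already happened and only models the allowed-names and header steps; header-name case handling is simplified.

```python
"""Model of the front-proxy trust decision an extension apiserver makes.

Added example: not from the question or from Kubernetes source. The policy
is read from data shaped like the extension-apiserver-authentication
ConfigMap that kube-apiserver writes from its --requestheader-* flags.
"""
import json

# Constructed sample of the ConfigMap's data section. Key names are the real
# ones; values are JSON-encoded lists, which is how kube-apiserver writes them.
CONFIGMAP_DATA = {
    "requestheader-allowed-names": '["front-proxy-client"]',
    "requestheader-username-headers": '["X-Remote-User"]',
    "requestheader-group-headers": '["X-Remote-Group"]',
    "requestheader-extra-headers-prefix": '["X-Remote-Extra-"]',
}


def load_policy(data):
    """Decode the JSON-encoded list values of the ConfigMap data section."""
    return {key: json.loads(value) for key, value in data.items()}


def identity_from_front_proxy(policy, peer_cn, headers):
    """Return (user, groups, extra) the extension apiserver may trust, or
    None if the request must not be treated as pre-authenticated.

    peer_cn: CN of the client certificate already verified against the
             requestheader client CA (assumption: that TLS step happened),
             or None if no such certificate was presented.
    headers: request headers as {name: [value, ...]}.
    """
    if peer_cn is None:
        # No verified front-proxy certificate: X-Remote-* headers could have
        # been set by anyone, so they carry no authority.
        return None

    allowed = policy["requestheader-allowed-names"]
    # An empty allowed-names list means any CN signed by the requestheader CA
    # is acceptable; a non-empty list is an allowlist of CNs.
    if allowed and peer_cn not in allowed:
        return None

    user = None
    for name in policy["requestheader-username-headers"]:
        if headers.get(name):
            user = headers[name][0]
            break
    if user is None:
        # Trusted proxy, but it asserted no user: fall through to other
        # authenticators rather than treating the request as authenticated.
        return None

    groups = []
    for name in policy["requestheader-group-headers"]:
        groups.extend(headers.get(name, []))

    extra = {}
    for prefix in policy["requestheader-extra-headers-prefix"]:
        for hname, hvalues in headers.items():
            if hname.startswith(prefix):
                extra[hname[len(prefix):].lower()] = list(hvalues)

    return user, groups, extra


if __name__ == "__main__":
    policy = load_policy(CONFIGMAP_DATA)
    print(identity_from_front_proxy(
        policy, "front-proxy-client",
        {"X-Remote-User": ["alice"], "X-Remote-Group": ["system:masters"]}))
```

The point the model makes concrete: the allowlist is evaluated by the extension apiserver, but the value it evaluates is the one the main apiserver published, so the flag is configured on the main apiserver and consumed on the extension side.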

kubeadm init creating apiserver container with no network

I'm installing Kubernetes 1.13 on CentOS 7.6.1810 using these instructions:

https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/

And these instructions: https://www.linuxtechi.com/install-kubernetes-1-7-centos7-rhel7/

And these instructions: https://www.howtoforge.com/tutorial/centos-kubernetes-docker-cluster/

And a few others. You get the idea. It should be simple.

Regardless of what I do, the containers that run the apiserver, controller, scheduler, etc. end up with no network attached to them.

# docker inspect somecontainerid
...
    "NetworkSettings": {
        "Bridge": "",
        "SandboxID": "",
        "HairpinMode": false,
        "LinkLocalIPv6Address": "",
        "LinkLocalIPv6PrefixLen": 0,
        "Ports": {},
        "SandboxKey": "",
        "SecondaryIPAddresses": null,
        "SecondaryIPv6Addresses": null,
        "EndpointID": "",
        "Gateway": "",
        "GlobalIPv6Address": "",
        "GlobalIPv6PrefixLen": 0,
        "IPAddress": "",
        "IPPrefixLen": 0,
        "IPv6Gateway": "",
        "MacAddress": "",
        "Networks": {}
    }
...

This makes it impossible for me to do things like set up a CNI plugin.

# kubectl apply -f kube-flannel.yml
unable to recognize "kube-flannel.yml": Get http://localhost:8080/api?timeout=32s: dial tcp [::1]:8080: connect: connection refused

Is there a step in between that I’m missing?
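An added diagnostic example (not from the question, not a Kubernetes or Docker tool) for reading output like the docker inspect block above. An empty NetworkSettings block does not by itself say why a container has no address: Docker reports the same empty block for a container that shares another container's network namespace (NetworkMode "container:<id>", which is how kubelet's dockershim attaches a pod's containers to the pod's pause sandbox) and, apart from the Networks key, for a host-network container. HostConfig.NetworkMode is where the distinction is visible. The inspect documents below are constructed and truncated to the fields the code reads; the container IDs are made up.

```python
"""Classify how a container obtained its network namespace from
`docker inspect` JSON, following "container:<id>" references back to the
container that actually owns the namespace.

Added example; the JSON samples are constructed in the shape of
`docker inspect <id>` output (a JSON list with one object) and truncated.
"""
import json

# Constructed samples keyed by a made-up container ID.
INSPECT_SAMPLES = {
    # A pod container joined to its pause sandbox: empty NetworkSettings.
    "abc123": '[{"Id":"abc123","HostConfig":{"NetworkMode":"container:0f1e2d"},'
              '"NetworkSettings":{"IPAddress":"","Networks":{}}}]',
    # The pause sandbox itself, running with host networking.
    "0f1e2d": '[{"Id":"0f1e2d","HostConfig":{"NetworkMode":"host"},'
              '"NetworkSettings":{"IPAddress":"","Networks":{"host":{"IPAddress":""}}}}]',
    # An ordinary bridge-networked container.
    "def456": '[{"Id":"def456","HostConfig":{"NetworkMode":"default"},'
              '"NetworkSettings":{"IPAddress":"172.17.0.2",'
              '"Networks":{"bridge":{"IPAddress":"172.17.0.2"}}}}]',
    # A container genuinely started with no network.
    "ghi789": '[{"Id":"ghi789","HostConfig":{"NetworkMode":"none"},'
              '"NetworkSettings":{"IPAddress":"","Networks":{"none":{"IPAddress":""}}}}]',
}


def classify_network(inspect_json):
    """Return (kind, detail) for one inspect document.

    kind is "host", "shared" (detail = ID of the namespace owner), "none",
    or "bridge" (detail = the IP address, or None if not yet assigned).
    """
    obj = json.loads(inspect_json)[0]
    mode = obj.get("HostConfig", {}).get("NetworkMode", "")
    if mode == "host":
        return "host", None
    if mode.startswith("container:"):
        return "shared", mode.split(":", 1)[1]
    if mode == "none":
        return "none", None
    settings = obj.get("NetworkSettings", {})
    ip = settings.get("IPAddress") or None
    if ip is None:
        for net in settings.get("Networks", {}).values():
            if net.get("IPAddress"):
                ip = net["IPAddress"]
                break
    return "bridge", ip


def effective_mode(samples, container_id, max_depth=8):
    """Follow "container:<id>" references until a container that owns its
    namespace is reached; return that container's kind.

    Docker may print a full or shortened ID in NetworkMode, so references
    are matched by prefix. Returns "unknown" if the chain cannot be resolved.
    """
    current = container_id
    for _ in range(max_depth):
        doc = samples.get(current)
        if doc is None:
            match = [k for k in samples if k.startswith(current) or current.startswith(k)]
            if len(match) != 1:
                return "unknown"
            doc = samples[match[0]]
        kind, detail = classify_network(doc)
        if kind != "shared":
            return kind
        current = detail
    return "unknown"


if __name__ == "__main__":
    for cid in INSPECT_SAMPLES:
        print(cid, classify_network(INSPECT_SAMPLES[cid]), effective_mode(INSPECT_SAMPLES, cid))
```

On a live node the per-container documents would come from `docker inspect` for each container ID; with the constructed samples, the container whose own NetworkSettings is empty resolves to the host namespace through its sandbox, which is a different situation from a container that was started with NetworkMode "none".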