To read a secret from etcd in an AKS cluster, I used the command below:

ETCDCTL_API=3 etcdctl --endpoints=<endpoint> --cert=/etc/kubernetes/pki/apiserver-etcd-client.crt --key=/etc/kubernetes/pki/apiserver-etcd-client.key get / --prefix --keys-only

Error: open /etc/kubernetes/pki/apiserver-etcd-client.crt: no such file or directory.

Where are the certificates stored by default?

I referred to the doc https://docs.starlingx.io/security/kubernetes/etcd-certificates-c1fc943e4a9c.html for the certificate path.

Answer by Dawid Kruk:

It seems to me that you have the wrong picture of AKS (and managed Kubernetes solutions in general).

Basically:

  • Managed Kubernetes solutions (like AKS, GKE, EKS) have some of the cluster components abstracted from the user (meaning you won't be able to access them).
  • Kubernetes clusters that are not managed by a cloud provider (like on-premise) give the user access to pretty much everything.

The above bullet points were only to narrow down the issue. There are a lot of differences between cloud-managed and self-managed solutions, and I encourage you to check them out.

Example reference:


In short:

  • You will not get access to etcd on AKS.
  • You won't find the etcd certificates on your VM or in Azure Cloud Shell.

Citing official Microsoft documentation:

Control plane

When you create an AKS cluster, a control plane is automatically created and configured. This control plane is provided at no cost as a managed Azure resource abstracted from the user. You only pay for the nodes attached to the AKS cluster. The control plane and its resources reside only on the region where you created the cluster.

The control plane includes the following core Kubernetes components:

Component: Description

  • kube-apiserver: The API server is how the underlying Kubernetes APIs are exposed. This component provides the interaction for management tools, such as kubectl or the Kubernetes dashboard.
  • etcd: To maintain the state of your Kubernetes cluster and configuration, the highly available etcd is a key value store within Kubernetes.
  • kube-scheduler: When you create or scale applications, the Scheduler determines what nodes can run the workload and starts them.
  • kube-controller-manager: The Controller Manager oversees a number of smaller Controllers that perform actions such as replicating pods and handling node operations.

AKS provides a single-tenant control plane, with a dedicated API server, scheduler, etc. You define the number and size of the nodes, and the Azure platform configures the secure communication between the control plane and nodes. Interaction with the control plane occurs through Kubernetes APIs, such as kubectl or the Kubernetes dashboard.

While you don't need to configure components (like a highly available etcd store) with this managed control plane, you can't access the control plane directly. Kubernetes control plane and node upgrades are orchestrated through the Azure CLI or Azure portal. To troubleshoot possible issues, you can review the control plane logs through Azure Monitor logs.

To configure or directly access a control plane, deploy a self-managed Kubernetes cluster using Cluster API Provider Azure.

-- Docs.microsoft.com: Azure: AKS: Concepts clusters workloads: Control plane