kubectl API server authentication error when connecting through apiserver load balancer #8282
Comments
/cc @champtar I'm not sure what would be the proper fix here, on the one hand generating per node certificates makes it cleaner but it also causes issues when
Can we go back to the older way of creating apiserver crt/key on one control plane node and copying it on the rest of the nodes? I'm using below as a workaround for now:
Let me know if this helps. I can probably raise a PR with this. Thanks.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten
/remove-lifecycle rotten
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close
@k8s-triage-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Environment:
- Cloud provider or hardware configuration: On-prem baremetal nodes
- OS (`printf "$(uname -srm)\n$(cat /etc/os-release)\n"`): Ubuntu 20.04
- Version of Ansible (`ansible --version`): 2.10.11
- Version of Python (`python --version`): 3.8
- Kubespray version (commit) (`git rev-parse --short HEAD`): release-2.17
- Network plugin used: calico
- Full inventory with variables (`ansible -i inventory/sample/inventory.ini all -m debug -a "var=hostvars[inventory_hostname]"`):
- Command used to invoke ansible:
- Output of ansible run:
- Anything else do we need to know:
ENV:
I have an HA k8s 1.21 cluster set up using kubespray + keepalived & nginx for API load balancing. I'm getting the intermittent error below when connecting to the cluster through the external LB.
The issue:
$ kubectl get nodes
Unable to connect to the server: x509: certificate signed by unknown authority
Root cause:
This is happening because all 3 apiservers have different apiserver.crt files. The kubeconfig has the field certificate-authority-data, which is the encoded apiserver.crt from one of the nodes. When the load balancer sends the request to any other apiserver, the request fails.
Earlier, kubespray used to have the same apiserver certificates on all control plane nodes. This used to work as expected before PR.
Fix:
I was able to fix the issue by copying the same apiserver.{crt,key} to all 3 control plane nodes.
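An added diagnostic, not code from this issue or from kubespray: it repeats the check kubectl applies to whichever apiserver the load balancer picked, namely that the node's serving certificate chains to the certificate-authority-data in the kubeconfig and carries the dialled LB name as a SAN, and exercises both ways that check fails. The CA, node certificates, node names and the LB name lb.k8s.internal are constructed in-block as stand-ins for the real files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate for cn with DNS SANs sans, signed by parent, or a
// self-signed CA when parent is nil. The CA stands in for certificate-authority-data, leaves for apiserver.crt.
func mkCert(cn string, parent *x509.Certificate, pkey *ecdsa.PrivateKey, sans ...string) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: sans,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil { t.IsCA, t.KeyUsage, parent, pkey = true, t.KeyUsage|x509.KeyUsageCertSign, t, key } // self-signed CA
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	c, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), c, key
}

// VerifyServingCert repeats the check kubectl performs on each connection: the serving cert of whichever
// node the LB picked must chain to certificate-authority-data and be valid for the name the client dialled.
func VerifyServingCert(caPEM, leafPEM []byte, lbName string) error {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) { return errors.New("certificate-authority-data holds no certificate") }
	blk, _ := pem.Decode(leafPEM)
	if blk == nil { return errors.New("apiserver.crt is not PEM") }
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil { return err }
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: lbName, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// Scenario models the report: node1 was issued by the CA the kubeconfig trusts; node2 generated its own
// self-signed cert (the "signed by unknown authority" case); node3 is trusted but lacks the LB name as a SAN.
func Scenario() (node1, node2, node3 error) {
	caPEM, ca, caKey := mkCert("kubernetes-ca", nil, nil)
	lb := "lb.k8s.internal" // constructed: the name clients dial through keepalived/nginx
	n1, _, _ := mkCert("kube-apiserver", ca, caKey, lb, "master-1")
	n2, _, _ := mkCert("kube-apiserver", nil, nil, lb, "master-2") // per-node cert, not from the CA
	n3, _, _ := mkCert("kube-apiserver", ca, caKey, "master-3")
	return VerifyServingCert(caPEM, n1, lb), VerifyServingCert(caPEM, n2, lb), VerifyServingCert(caPEM, n3, lb)
}
```

In a real cluster you would feed VerifyServingCert the decoded certificate-authority-data from the kubeconfig and each control plane node's /etc/kubernetes/ssl/apiserver.crt (path assumed), once per node, so that every backend behind the VIP is checked rather than only the one the LB happened to pick.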