Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

After certificates renewal, an error: "You must be logged in to the server (Unauthorized)"

Tags:

kubernetes

kubectl

kubeadm

My certificates were expired:

root@ubuntu:~# kubectl get pods
Unable to connect to the server: x509: certificate has expired or is not yet valid

I verified it by running:

root@ubuntu:~# kubeadm alpha certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -oyaml'
[check-expiration] Error reading configuration from the Cluster. Falling back to default configuration

W0330 09:18:49.875780   12562 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubepro                                                                                             xy.config.k8s.io]
CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 29, 2021 09:27 UTC   <invalid>                               no
apiserver                  Mar 29, 2021 09:27 UTC   <invalid>       ca                      no
apiserver-etcd-client      Mar 29, 2021 09:27 UTC   <invalid>       etcd-ca                 no
apiserver-kubelet-client   Mar 29, 2021 09:27 UTC   <invalid>       ca                      no
controller-manager.conf    Mar 29, 2021 09:27 UTC   <invalid>                               no
etcd-healthcheck-client    Mar 29, 2021 09:27 UTC   <invalid>       etcd-ca                 no
etcd-peer                  Mar 29, 2021 09:27 UTC   <invalid>       etcd-ca                 no
etcd-server                Mar 29, 2021 09:27 UTC   <invalid>       etcd-ca                 no
front-proxy-client         Mar 29, 2021 09:27 UTC   <invalid>       front-proxy-ca          no
scheduler.conf             Mar 29, 2021 09:27 UTC   <invalid>                               no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 27, 2030 09:27 UTC   8y              no
etcd-ca                 Mar 27, 2030 09:27 UTC   8y              no
front-proxy-ca          Mar 27, 2030 09:27 UTC   8y              no

I renew the certificates by running: kubeadm alpha certs renew all.

W0330 09:20:21.951839   13124 configset.go:202] WARNING: kubeadm cannot validate component configs for API groups [kubelet.config.k8s.io kubeproxy.config.k8s.io]
certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

All the certificates are now updated to 2022 so it should be okay:

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Mar 30, 2022 09:20 UTC   364d                                    no
apiserver                  Mar 30, 2022 09:20 UTC   364d            ca                      no
apiserver-etcd-client      Mar 30, 2022 09:20 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Mar 30, 2022 09:20 UTC   364d            ca                      no
controller-manager.conf    Mar 30, 2022 09:20 UTC   364d                                    no
etcd-healthcheck-client    Mar 30, 2022 09:20 UTC   364d            etcd-ca                 no
etcd-peer                  Mar 30, 2022 09:20 UTC   364d            etcd-ca                 no
etcd-server                Mar 30, 2022 09:20 UTC   364d            etcd-ca                 no
front-proxy-client         Mar 30, 2022 09:20 UTC   364d            front-proxy-ca          no
scheduler.conf             Mar 30, 2022 09:20 UTC   364d                                    no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Mar 27, 2030 09:27 UTC   8y              no
etcd-ca                 Mar 27, 2030 09:27 UTC   8y              no
front-proxy-ca          Mar 27, 2030 09:27 UTC   8y              no

But when I run kubectl get pods I received the error:

error: You must be logged in to the server (Unauthorized)

It should be a problem with the certificate I think, but I am not sure how to fix it. Should I create new certificate and replace the one that inside the config file?

like image 203
E235 Avatar asked Mar 30 '21 09:03

E235

People also ask

How do I renew my Kubernetes certificate?

You can renew your certificates manually at any time with the kubeadm certs renew command. This command performs the renewal using CA (or front-proxy-CA) certificate and key stored in /etc/kubernetes/pki . After running the command you should restart the control plane Pods.

How do you set current context in Kubectl?

What this says is that you can create or modify contexts in your kubeconfig file with the command kubectl config set-context. This command also accepts the name of the context to be changed (or --current if you want to change the current context), as well as --user, --cluster, and --namespace options.

1 Answers

The ~/.kube/config wasn't updated with the changes.

I ran:

mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

and it fixed it.

like image 154
E235 Avatar answered Oct 22 '22 06:10

E235
Sign in to Comment

Related questions

How could targetPort be set with string value in kubernetes?
Exposing the hello-minikube service fails to find a port
How to configure a manually provisioned Azure Managed Disk to use as a Kubernetes persistent volume?
Does ClusterIP service distributes requests between replica pods?
GKE extended memory and Kubernetes memory allocatable
How can I specify the spring.profiles.active param with a value from an environment variable using fabric8 maven plugin?
Monitoring pod resource usage on Kubernetes nodes
Gitlab CI Pipeline: Cannot create pods in the namespace
Helm wait till dependency deployment are ready on kubernetes
Submit Spark Application on Kubernetes in Cluster mode : Configured service account doesn't have access
Configure Microk8s
Trying to pull/run docker images from docker hub on Minikube fails
How to patch container env variable in deployment with kubectl?
VPN access to in-house network not working after GKE cluster upgrade to 1.14.6
k8s hpa can't get the cpu information [closed]
How can I give grafana user appropriate permission so that it can start successfully?
kubernetes - Couldn't able to join master node - error execution phase preflight: couldn't validate the identity of the API Server
Why Ingress NGINX removes my response headers
How to debug Kubernetes nginx Ingress redirection from HTTP to HTTPS
Hashicorp vault - Client sent an HTTP request to an HTTPS server - Readiness Probes

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!