Access microk8s within a multipass VM


I have a server, within a datacenter, which is supposed to host multiple microk8s clusters.
I’m currently building up the first one.
So here’s how it goes:

My PC is on subnet. The office has a VPN to the Datacenter, my server is on the subnet there. All traffic is permitted back and forth through the VPN.
Multipass created the subnet for my VMs. I have set up 3 multipass VMs: 1 master node and 2 worker nodes, so far.

Thing is, once I get the microk8s config and paste it up on my PC (, it does not reach the cluster. Quite normal! The config is set up to reach subnet, and the IP of the master node, which my PC knows nothing about (and never will, since we cannot operate on my office or the datacenter routers).

So, I tried several things:

1- Set up an nginx proxy on the host ( and reroute all traffic coming in on port 16443 to the master node VM on this very same port (the microk8s API port from the config)
→ It doesn’t work because the certificate on the nginx proxy doesn’t match the one expected by the API

2- Create PREROUTING and FORWARD iptables rules to redirect all 16443 traffic coming in on the host to the master node IP
→ It doesn’t work because: Failed to get crds: Kubectl command failed: Unable to connect to the server: x509: certificate is valid for,, not

What should I try next? Is it possible to add another valid IP to the list quoted by the cluster?

Best Regards,

You can add other IPs or DNS to /var/snap/microk8s/current/certs/csr.conf.template
This will generate new certs automatically if you are on a single node microk8s.
But if you are on multi node, you have to rename this file /var/snap/microk8s/current/var/lock/no-cert-reissue to something else, wait for a few seconds, then check the file /var/snap/microk8s/current/certs/csr.conf
You should see the IPs and DNS added. Once it's added, put back the file no-cert-reissue.
Then you can now access your apiserver.
You have to do this on all nodes though.

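The SAN edit described in the answer above, as an added example (not part of the original thread and not MicroK8s code): a shell function that idempotently adds an IP entry to a `csr.conf.template`. The `[ alt_names ]` layout with numbered `IP.N` lines and a `#MOREIPS` marker is an assumption, the sample file and the address `192.0.2.10` are constructed, and `add_ip_san` and `make_sample` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Assumption: SANs are numbered "IP.N = addr" lines under
# [ alt_names ], followed by a "#MOREIPS" marker line.

# add_ip_san FILE ADDR: add "IP.<next> = ADDR" unless ADDR is already listed.
add_ip_san() {
    _file=$1; _addr=$2
    # Refuse anything that is not dotted-quad shaped before touching the file.
    printf '%s\n' "$_addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 2
    # Idempotent: an address that is already a SAN leaves the file unchanged.
    if awk -F= -v a="$_addr" '$1 ~ /^IP\.[0-9]+[ \t]*$/ {
            v = $2; gsub(/[ \t]/, "", v); if (v == a) f = 1 }
            END { exit !f }' "$_file"; then
        return 0
    fi
    # Next free index = highest existing IP.N + 1.
    _last=$(sed -n 's/^IP\.\([0-9][0-9]*\)[[:space:]]*=.*/\1/p' "$_file" | sort -n | tail -n 1)
    _next=$(( ${_last:-0} + 1 ))
    # Insert above the marker if present, otherwise right after the last IP.N line.
    _at=$(grep -n '^#MOREIPS' "$_file" | head -n 1 | cut -d: -f1)
    if [ -z "$_at" ]; then
        _at=$(grep -n '^IP\.[0-9]' "$_file" | tail -n 1 | cut -d: -f1)
        [ -n "$_at" ] || return 1      # no IP entries to extend
        _at=$(( _at + 1 ))
    fi
    _tmp=$(mktemp) || return 1
    awk -v n="$_at" -v line="IP.$_next = $_addr" \
        'NR == n { print line; d = 1 } { print } END { if (!d) print line }' "$_file" > "$_tmp"
    cat "$_tmp" > "$_file"             # overwrite in place: keeps owner and mode
    rm -f "$_tmp"
}

# Constructed sample template, not copied from a node.
make_sample() {
    cat > "$1" <<'EOF'
[ alt_names ]
DNS.1 = kubernetes
IP.1 = 127.0.0.1
IP.2 = 10.152.183.1
#MOREIPS
EOF
}

# On a node the target is /var/snap/microk8s/current/certs/csr.conf.template.
# On multi-node, move var/lock/no-cert-reissue aside first, confirm the entry
# appears in certs/csr.conf, then put the lock file back (repeat on each node).
demo=$(mktemp); make_sample "$demo"
add_ip_san "$demo" 192.0.2.10 && cat "$demo"
rm -f "$demo"
```

Adding the address the client actually connects to as a SAN keeps certificate verification enabled in the kubeconfig, which a TLS-terminating proxy or skipping verification would not.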

It did the trick, thank you!