Accessing microk8s API for cluster behind router

I have a microk8s cluster composed of several Raspberry Pi 4, behind a Linksys router.

My computer and the cluster router are connected on my ISP router, and are respectively 192.168.0.10 & 192.168.0.2.
The cluster’s subnet is composed of the following:

  • router: 192.168.1.10
  • microk8s master: 192.168.1.100 (fixed IP)
  • microk8s workers: 192.168.1.10X (via DHCP).

I can ssh from my computer to the master via a port forwarding 192.168.0.2:22 > 192.168.1.100:22

I can nmap the cluster via a port forwarding 192.168.0.2:16443 > 192.168.1.100:16443 (16443 being the API port for microk8s)

But I can’t call the k8s API:

kubectl cluster-info

returns

Unable to connect to the server: x509: certificate is valid for 127.0.0.1, 10.152.183.1, 192.168.1.100, fc00::16d, fc00::dea6:32ff:fecc:a007, not 192.168.0.2

I’ve tried using the --insecure-skip-tls-verify flag, but:

error: You must be logged in to the server (Unauthorized)

My local (laptop) config is the following:

> kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.0.2:16443
  name: default
contexts:
- context:
    cluster: default
    user: default
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: default
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

I’d say I’d like to add 192.168.0.2 to the certificate, but all the answers I can find online refer to the --insecure-skip-tls-verify flag.

Can you help please?

On the main node (i.e. 192.168.1.100), go to the file /var/snap/microk8s/current/certs/csr.conf.template

Add another IP.99 just before the #MOREIPS.
You will need to get the new kubeconfig again.

Btw I don’t recommend using DHCP on any Kubernetes nodes.
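Worked example, added here and not part of balchua1's reply or of MicroK8s itself: a POSIX shell script that inserts the extra SAN line immediately before the #MOREIPS marker of the template named above, refuses to add an address that is already listed or to reuse an IP.N index that already belongs to another address, and lists the IP SANs currently in the template. The template path and the IP.99 default come from the thread; the function names are mine, and the server.crt path used by show_server_sans is an assumption about the MicroK8s certs directory.

```shell
#!/bin/sh
# Added example (not MicroK8s code): maintain the IP SAN entries of the
# MicroK8s CSR template in the way the thread describes.
set -eu

# Path named in the thread; override with CSR_TEMPLATE=... for testing on a copy.
CSR_TEMPLATE="${CSR_TEMPLATE:-/var/snap/microk8s/current/certs/csr.conf.template}"

# add_san_ip FILE ADDR [INDEX]: add "IP.INDEX = ADDR" just above "#MOREIPS".
# INDEX defaults to 99 as in the reply above. Prints "added" when the file was
# changed and "present" when ADDR was already listed, so a caller knows whether
# the certificates still have to be regenerated.
add_san_ip() {
    file=$1; addr=$2; idx=${3:-99}
    # escape dots so the address is matched literally, not as a regex wildcard
    esc=$(printf '%s' "$addr" | sed 's/\./\\./g')
    if grep -q "^IP\.[0-9][0-9]*[[:space:]]*=[[:space:]]*$esc[[:space:]]*\$" "$file"; then
        echo present
        return 0
    fi
    if grep -q "^IP\.$idx[[:space:]]*=" "$file"; then
        echo "IP.$idx is already used for another address in $file" >&2
        return 1
    fi
    if ! grep -q '^#MOREIPS' "$file"; then
        echo "no #MOREIPS marker in $file" >&2
        return 1
    fi
    # insert the new line before the first marker only, via a temp file (portable awk)
    awk -v line="IP.$idx = $addr" \
        '/^#MOREIPS/ && !done { print line; done = 1 } { print }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo added
}

# list_san_ips FILE: print the IP SANs the template currently declares, one per line
list_san_ips() {
    sed -n 's/^IP\.[0-9][0-9]*[[:space:]]*=[[:space:]]*//p' "$1"
}

# show_server_sans [CERT]: after the certificates were regenerated, confirm the
# new address really is in the API server certificate. Needs openssl 1.1.1+.
# The default path is an assumption about the MicroK8s certs directory.
show_server_sans() {
    cert=${1:-/var/snap/microk8s/current/certs/server.crt}
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    openssl x509 -in "$cert" -noout -ext subjectAltName
}

# Usage: ./add_san.sh 192.168.0.2   (edits CSR_TEMPLATE in place)
if [ $# -ge 1 ]; then
    add_san_ip "$CSR_TEMPLATE" "$1"
    list_san_ips "$CSR_TEMPLATE"
fi
```

Editing the template only changes what the next CSR asks for: the server certificate still has to be regenerated (the refresh step the thread mentions; the exact MicroK8s command differs between releases) and a fresh kubeconfig fetched, for example with `microk8s config`, afterwards. If the CA was regenerated along with the server certificate, a kubeconfig that still carries the old certificate-authority-data fails with "certificate signed by unknown authority", which is the error the original poster reports further down.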

Thanks for your reply @balchua1 !

  • I’ve added IP.99 = 192.168.0.2 in the [ alt_names ] section from /var/snap/microk8s/current/certs/csr.conf.template.
  • I’ve stopped and restarted microk8s, and ran refresh-certs
  • I’ve copied the keys from ~/kubeconfig from the master onto my local kubeconfig

I now have the following error.

Unable to connect to the server: x509: certificate signed by unknown authority

Trying with the --insecure-skip-tls-verify flag:

> kubectl cluster-info --insecure-skip-tls-verify

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
error: You must be logged in to the server (Unauthorized)

hey @bromatofiel

I had the same error:
error: You must be logged in to the server (Unauthorized)

My problem was that when the certs were renewed, the updated file was /etc/kubernetes/admin.conf. However, the /root/.kube/config file still had the client-certificate-data using an expired certificate.

Try doing:
cp -u /etc/kubernetes/admin.conf /root/.kube/config

if you are still facing this issue.
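Added example, not from the reply above: POSIX shell helpers for checking whether the kubeconfig that kubectl actually reads still carries an older client certificate than the freshly written one (the situation this reply describes), together with an openssl-based look at the embedded certificate's validity dates, which is how an expired client certificate behind an "Unauthorized" response is confirmed. The function names are mine; the file paths /etc/kubernetes/admin.conf and /root/.kube/config are the ones named in the reply.

```shell
#!/bin/sh
# Added example (not from the thread): detect a kubeconfig whose embedded
# client certificate is stale relative to a renewed one, and show its dates.
set -eu

# active_kubeconfig: the file kubectl reads by default. KUBECONFIG may be a
# colon-separated list; this prints it unchanged, the caller picks the entry.
active_kubeconfig() {
    echo "${KUBECONFIG:-$HOME/.kube/config}"
}

# kubeconfig_field FILE KEY: print the value of the first "KEY:" line in FILE
# (e.g. client-certificate-data). A plain-text scan is enough for the single
# user entry that microk8s config / admin.conf contain.
kubeconfig_field() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# client_cert_pem FILE: decode the embedded client certificate to PEM text
client_cert_pem() {
    kubeconfig_field "$1" client-certificate-data | base64 -d
}

# same_client_cert A B: succeed only if both kubeconfigs carry an identical,
# non-empty client-certificate-data value. Failure means one of them is stale.
same_client_cert() {
    a=$(kubeconfig_field "$1" client-certificate-data)
    b=$(kubeconfig_field "$2" client-certificate-data)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_validity FILE: subject and notBefore/notAfter of the embedded client
# certificate; an expired notAfter explains an "Unauthorized" from the API.
cert_validity() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 2; }
    client_cert_pem "$1" | openssl x509 -noout -subject -dates
}

# Usage: ./check_kubeconfig.sh /etc/kubernetes/admin.conf /root/.kube/config
if [ $# -ge 2 ]; then
    if same_client_cert "$1" "$2"; then
        echo "$2 already carries the client certificate from $1"
    else
        echo "$2 does not match $1: copy the renewed file over it (cp -u), then retry kubectl"
    fi
    cert_validity "$2" || true
fi
```

The comparison deliberately looks at the raw base64 value rather than at kubectl's view of the config, so it works on a node where the credentials are already rejected; the active_kubeconfig helper is there because the mismatch in this reply was between the file that was renewed and the file kubectl actually loads.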