Failing to execute kubectl after copying kubelet.conf from /etc/kubernetes to $HOME on worker nodes

Setup: Three virtual machines, with one master and two worker nodes running locally on my computer. I created the cluster via kubeadm. The master is using containerd as CRI and the worker nodes are using cri-dockerd. The workers are joined to the master without any problems and show up as “Ready”.

Problem: On each of my worker nodes, there is a /etc/kubernetes/kubelet.conf and /etc/kubernetes/pki/ca.crt. I copied the entire /etc/kubernetes folder to $HOME, renamed the kubelet.conf to config and chown’ed it. I’m trying to run kubectl on my worker nodes but I can’t get it running.

two@node2:~$ kubectl version
Error in configuration:
* unable to read client-cert /var/lib/kubelet/pki/kubelet-client-current.pem for default-auth due to open /var/lib/kubelet/pki/kubelet-client-current.pem: permission denied
* unable to read client-key /var/lib/kubelet/pki/kubelet-client-current.pem for default-auth due to open /var/lib/kubelet/pki/kubelet-client-current.pem: permission denied

Executing this via sudo does not help either. It completely ignores the $HOME config.

two@node2:~$ sudo kubectl version
Client Version: v1.29.0
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
The connection to the server localhost:8080 was refused - did you specify the right host or port?

It isn’t kubelet.conf, it is admin.conf that is used for kubectl.

[16:01 krc@alma8-controller ~]$ sudo cp -v /etc/kubernetes/admin.conf ~/.kube/config
'/etc/kubernetes/admin.conf' -> '/home/krc/.kube/config'
[16:01 krc@alma8-controller ~]$ sudo chown krc.krc .kube/config

The admin.conf file should have the cert and key embedded in it, so crt/pem files shouldn’t be needed.

Hi @Ailuridae! The admin.conf is only present on the master node at /etc/kubernetes/admin.conf. I did notice this file on master but I did not copy it because it authenticates kubectl with the “kubernetes-admin” role, which would be more permissions than necessary for a worker node. I only wanted to have a very minimal set of permissions (get/view nodes, ns…etc.)
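
Added example, not part of any post in this thread: a small shell check that reports whether a kubeconfig embeds its credentials (the `*-data` fields, as the answer describes for admin.conf) or points at files on disk, and whether the current user can read those files, which is the condition behind the "permission denied" error in the question. The function names, the sample file and its paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: show how a kubeconfig supplies credentials.
# Prints "<field> embedded" or "<field> file <path> readable|unreadable" and
# returns 1 if the current user cannot read a referenced file.
kubeconfig_cred_refs() {
    cfg=$1
    rc=0
    pairs=$(sed -n -E 's/^[[:space:]-]*(certificate-authority|client-certificate|client-key)(-data)?:[[:space:]]*(.*)$/\1\2 \3/p' "$cfg")
    while read -r field value; do
        [ -n "$field" ] || continue
        case $field in
            *-data) echo "$field embedded"; continue ;;
        esac
        # kubectl resolves relative paths against the kubeconfig's directory.
        case $value in
            /*) ;;
            *) value=$(dirname "$cfg")/$value ;;
        esac
        if [ -r "$value" ]; then
            echo "$field file $value readable"
        else
            echo "$field file $value unreadable"
            rc=1
        fi
    done <<EOF
$pairs
EOF
    return $rc
}

# Constructed sample shaped like a kubeadm kubelet.conf (paths are placeholders).
sample_kubelet_conf() {
    cat <<'EOF'
clusters:
- cluster:
    certificate-authority-data: Q09OU1RSVUNURUQ=
    server: https://192.0.2.10:6443
  name: default-cluster
users:
- name: default-auth
  user:
    client-certificate: /nonexistent/pki/kubelet-client-current.pem
    client-key: /nonexistent/pki/kubelet-client-current.pem
EOF
}

demo=$(mktemp)
sample_kubelet_conf > "$demo"
kubeconfig_cred_refs "$demo" || echo "copied config still depends on files outside it"
rm -f "$demo"
```

A config that reports only `embedded` fields is self-contained and carries its key material wherever it is copied, so its file permissions and the RBAC bound to its identity are what limit its use.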