Cluster Information:
Kubernetes Version: 1.24
Environment: On-Premises
Installation Method: kubeadm scripts
Host OS: Red Hat Enterprise Linux 8.10
CNI and Version: 1.41
CRI and Version: 1.7.16
Issue Description:
My Kubernetes 1.24 cluster is set up on an on-premises Red Hat machine (v8.10) using kubeadm certificates. I am now attempting to manually generate kubeadm certificates with DNS support (e.g., apiserver.dev.kubernetes.com, etcd, kubelet, etc.).
Steps Taken:
Created a single CSR (Certificate Signing Request) for all control plane components using a custom multi-component_cs.config file. This file includes DNS details for both master and worker nodes.
Received the .crt and .key files after signing the CSR.
Backed up the existing certificates.
Replaced the original certificates with the newly generated .crt and .key files for the following components:
etcd
apiserver
controller-manager
scheduler
kubelet
kube-proxy
Note:
The original setup had separate certificates for each component. I have now replaced them with a single .crt and .key for all components.
Issue Encountered:
After updating the certificates in /etc/kubernetes/pki and restarting the kubelet, the kubelet fails to start with the following error:
Attempting to register node=“10.x.x.x”
Unable to register the node with the API server: err=unauthorized
It seems the kubelet is unable to authenticate with the API server after the certificate replacement.
Help Needed:
Is using a single .crt and .key for all components (instead of individual certificates) a valid approach?
How can I validate that the new certificates are correctly set up for kubelet authentication?
What steps can I take to troubleshoot and resolve the unauthorized error?