Unauthorized issues when adding new kubernetes master

1/9/2019

I am trying to add a new master, and I copy the cert and keys, i.e. /etc/kubernetes/pki/apiserver-kubelet-client.crt, from the current master to the new one. I noticed that after I do 'kubeadm init --config=config.yaml' this key (probably all of them) is changing (kubeadm init itself is successful). Why is this happening, and could it be the root cause of my new master being in NotReady status?

systemctl status kubelet shows a lot of *Failed to list v1.Node: Unauthorized, *Failed to list v1.Secret: Unauthorized.

docker@R90HE73F:~$ kubectl get nodes
NAME           STATUS     ROLES    AGE    VERSION
k8s-master-0   Ready      master   7d1h   v1.13.1
k8s-master-1   Ready      master   7d     v1.13.1
k8s-master-2   NotReady   master   104m   v1.13.1
k8s-worker-0   Ready      <none>   7d     v1.13.1
k8s-worker-1   Ready      <none>   7d     v1.13.1
k8s-worker-2   Ready      <none>   7d     v1.13.1

Btw etcd cluster is healthy

-- irom
high-availability
kubernetes

1 Answer

1/10/2019

To add a new master to a Kubernetes cluster, you need to copy four files from your existing Kubernetes master's certificate directory before running kubeadm init on the new master. Those files are ca.crt, ca.key, sa.pub and sa.key; copy them to the /etc/kubernetes/pki folder on the new master. If you don't copy the sa* files, your Kubernetes master will go into the NotReady state and will show those errors.

For more information on how to set up Kubernetes multi-master, please check out my blog on Kubernetes high availability:

https://velotio.com/blog/2018/6/15/kubernetes-high-availability-kubeadm

-- Prafull Ladha
Source: StackOverflow
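
A check for the condition the answer describes, as an added example (not from the answer or from kubeadm): it compares SHA-256 digests of the four shared files between two masters, so a regenerated or missing ca.* or sa.* file is spotted by exchanging digest lists rather than the private keys themselves. The function names, the subcommands and the digest-list format are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that a new master shares the cluster CA and
# service-account key pair with an existing master.
# Assumed workflow (hypothetical subcommands of this script):
#   on each master:  sh pkicheck.sh digests /etc/kubernetes/pki > pki.$(hostname)
#   on either one:   sh pkicheck.sh compare pki.k8s-master-0 pki.k8s-master-2

# The four files the answer says must be copied before kubeadm init.
SHARED_FILES="ca.crt ca.key sa.pub sa.key"

# Print "<name> <sha256>" for each shared file in directory $1,
# or "<name> MISSING" when the file is absent or unreadable.
pki_digests() {
    dir=$1
    for f in $SHARED_FILES; do
        if [ -r "$dir/$f" ]; then
            printf '%s %s\n' "$f" "$(sha256sum < "$dir/$f" | cut -d' ' -f1)"
        else
            printf '%s MISSING\n' "$f"
        fi
    done
}

# Compare two digest lists produced by pki_digests.
# Prints one verdict per file and returns the number of problems found.
pki_compare() {
    problems=0
    for f in $SHARED_FILES; do
        a=$(awk -v n="$f" '$1 == n {print $2}' "$1")
        b=$(awk -v n="$f" '$1 == n {print $2}' "$2")
        if [ -z "$a" ] || [ -z "$b" ] || [ "$a" = MISSING ] || [ "$b" = MISSING ]; then
            echo "$f: missing on one side"
            problems=$((problems + 1))
        elif [ "$a" != "$b" ]; then
            echo "$f: DIFFERS"
            problems=$((problems + 1))
        else
            echo "$f: identical"
        fi
    done
    return "$problems"
}

case "${1:-}" in
    digests) pki_digests "${2:-/etc/kubernetes/pki}" ;;
    compare) pki_compare "$2" "$3" ;;
esac
```

Run the digests step as root, since ca.key and sa.key are normally readable only by root; any line other than "identical" means the new master is not using the same trust material as the existing ones.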