Kubelet - x509: certificate is valid for 10.233.0.1 not for <IP>

1/22/2019

I've installed my Kubernetes cluster (two nodes) with kubespray. Now I have added a third node, and I get this error from the kubelet on the new node:

Failed to list *v1.Service: Get https://94.130.25.248:6443/api/v1/services?limit=500&resourceVersion=0: x509: certificate is valid for 10.233.0.1, 94.130.25.247, 94.130.25.247, 10.233.0.1, 127.0.0.1, 94.130.25.247, 144.76.14.131, not 94.130.25.248

The IP 94.130.25.248 is the IP of the new node.

I've found this post, which described recreating the apicert. But the new version of kubeadm (v1.13.1) doesn't have this option.

I've also tried to renew the certificates with the command:

kubeadm alpha certs renew all --config /etc/kubernetes/kubeadm-config.yaml

This command regenerates the certificates, but with the same IPs and DNS.

My kubeadmin-config.yml (certSANs):

  certSANs:
  - kubernetes
  - kubernetes.default
  - kubernetes.default.svc
  - kubernetes.default.svc.cluster.local
  - 10.233.0.1
  - localhost
  - 127.0.0.1
  - heku1
  - heku4
  - heku2
  - 94.130.24.247
  - 144.76.14.131
  - 94.130.24.248

Can someone tell me how I can add the IP to the apicert?

-- de1m
certificate
kubelet
kubernetes

1 Answer

1/22/2019

Hm... I've removed the apiserver.* and apiserver-kubelet-client.* files and recreated them with these commands:

kubeadm init phase certs apiserver --config=/etc/kubernetes/kubeadm-config.yaml
kubeadm init phase certs apiserver-kubelet-client --config=/etc/kubernetes/kubeadm-config.yaml
systemctl stop kubelet
delete the docker container with kubelet
systemctl restart kubelet
-- de1m
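
A check worth running before regenerating the certificate, as an added example (not code from the question or the answer): it parses the kubelet x509 error and compares the SANs in the served certificate with the certSANs list from the kubeadm config. The function names are made up for illustration; the sample input is copied from the question.

```python
import ipaddress
import re

# Sample input copied from the question above: the kubelet error and the certSANs list.
KUBELET_ERROR = (
    "Failed to list *v1.Service: Get https://94.130.25.248:6443/api/v1/services"
    "?limit=500&resourceVersion=0: x509: certificate is valid for 10.233.0.1, "
    "94.130.25.247, 94.130.25.247, 10.233.0.1, 127.0.0.1, 94.130.25.247, "
    "144.76.14.131, not 94.130.25.248"
)
CONFIG_CERT_SANS = [
    "kubernetes", "kubernetes.default", "kubernetes.default.svc",
    "kubernetes.default.svc.cluster.local", "10.233.0.1", "localhost",
    "127.0.0.1", "heku1", "heku4", "heku2",
    "94.130.24.247", "144.76.14.131", "94.130.24.248",
]
X509_RE = re.compile(r"x509: certificate is valid for (?P<sans>.+), not (?P<host>\S+)$")

def as_ip(name):
    """Return the canonical IP string, or None if name is not an IP address."""
    try:
        return str(ipaddress.ip_address(name.strip()))
    except ValueError:
        return None

def parse_x509_error(line):
    """Split a Go hostname-mismatch error into (SANs in the cert, rejected host)."""
    m = X509_RE.search(line.strip())
    if not m:
        raise ValueError("not an x509 'certificate is valid for' error")
    sans = {s.strip() for s in m.group("sans").split(",")}
    return sans, m.group("host")

def check_san_coverage(error_line, config_sans):
    """Hypothetical helper: diff the cert's SANs against the configured certSANs."""
    cert_sans, host = parse_x509_error(error_line)
    wanted = {s.strip() for s in config_sans}
    if as_ip(host):
        # For an IP host the Go error lists only IP SANs, so compare IPs only.
        cert_sans = {as_ip(s) for s in cert_sans if as_ip(s)}
        wanted = {as_ip(s) for s in wanted if as_ip(s)}
        host = as_ip(host)
    return {
        "rejected_host": host,
        "host_in_config": host in wanted,
        "config_not_in_cert": sorted(wanted - cert_sans),
        "cert_not_in_config": sorted(cert_sans - wanted),
    }

if __name__ == "__main__":
    for key, value in check_san_coverage(KUBELET_ERROR, CONFIG_CERT_SANS).items():
        print(f"{key}: {value}")
```

If `host_in_config` is false, regenerating the apiserver certificate from that config will not add the rejected address.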
Source: StackOverflow