Certificate error connecting to a Kubernetes cluster behind a firewall

10/29/2019

I have a bare metal Kubernetes cluster running behind a firewall. When trying to connect to it from my local machine (on the other side of the firewall) the connection does not work because the certificate is not correct.
The problem is the following. The cluster runs inside a network behind the firewall and the certificate was created using the master IP. But when I use this same certificate trying to connect from outside the internal network, I use a different IP. At this point the error message appears, saying that the certificate does not match the address I am trying to connect to.

The IP that I use to access the cluster is different from the actual cluster IP displayed here: (screenshot not included)
How can I fix it? Is it possible to create another certificate with a different IP in my master node?

-- Rodolfo
kubeadm
kubernetes
kubernetes-dashboard

1 Answer

10/29/2019

You can add new Subject Alternative Names (SANs) to your Kubernetes API server certificate with the following steps.

First, you need your kubeadm configuration file. This creates a file named kubeadm.yaml:

kubectl -n kube-system get configmap kubeadm-config -o jsonpath='{.data.ClusterConfiguration}' > kubeadm.yaml

Now open the file in an editor, and find the certSANs list under the apiServer section. If it does not exist, you’ll need to add it; if so, you’ll just add another entry to that list. Example:

apiServer:
  certSANs:
  - "172.29.50.162"
  - "k8s.domain.com"
  - "other-k8s.domain.net"
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s

Now move the old certificates to another folder, otherwise kubeadm will not recreate new ones:

mv /etc/kubernetes/pki/apiserver.{crt,key} ~

Use kubeadm to generate new apiserver certificates:

kubeadm init phase certs apiserver --config kubeadm.yaml

Now restart your kube-apiserver container:

  1. Run docker ps | grep kube-apiserver | grep -v pause to get the container ID for the container running the Kubernetes API server
  2. Run docker kill <containerID> to kill the container.
  3. The Kubelet will automatically restart the container, which will pick up the new certificate.

If everything is working as expected, don't forget to update the kubeadm ConfigMap stored in the cluster; otherwise, future kubeadm upgrades will be lacking your new config:

kubeadm config upload from-file --config kubeadm.yaml

This article has a more complete guide: Adding a Name to the Kubernetes API Server Certificate

-- Eduardo Baitello
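As an added illustration, not part of the answer above and not kubeadm's or Kubernetes' own code, the Go program below reproduces the check that fails in the question and shows that the external address appearing in the certSANs list is exactly what makes it pass. It uses Go's crypto/x509, the library kubectl's TLS client uses, so the mismatch error text is the one kubectl prints ("x509: certificate is valid for ..., not ..."). The SAN list is taken from the answer's example kubeadm.yaml; the external IP 203.0.113.10 is a constructed placeholder, and the self-signed issuance stands in for the real apiserver.crt, which kubeadm signs with the cluster CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// certSANs from the answer's kubeadm.yaml example, plus the external address
// the question is about. 203.0.113.10 is a constructed placeholder
// (TEST-NET-3 documentation range), not an address from the page.
var (
	internalSANs = []string{"172.29.50.162", "k8s.domain.com", "other-k8s.domain.net"}
	externalIP   = "203.0.113.10"
)

// issueAPIServerCert builds a self-signed certificate whose Subject Alternative
// Names mirror a kubeadm certSANs list: entries that parse as IP addresses go
// into IPAddresses, everything else into DNSNames. It stands in for
// /etc/kubernetes/pki/apiserver.crt (kubeadm signs with the cluster CA instead;
// that does not change the name check demonstrated here).
func issueAPIServerCert(certSANs []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "kube-apiserver"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, san := range certSANs {
		if ip := net.ParseIP(san); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, san)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func parsePEMCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// certSANs lists the IP and DNS SANs of a PEM certificate, the same set that
// `openssl x509 -noout -ext subjectAltName` prints. IPs come first.
func certSANs(certPEM []byte) ([]string, error) {
	cert, err := parsePEMCert(certPEM)
	if err != nil {
		return nil, err
	}
	var sans []string
	for _, ip := range cert.IPAddresses {
		sans = append(sans, ip.String())
	}
	return append(sans, cert.DNSNames...), nil
}

// hostFromServerURL extracts the host of a kubeconfig `server:` URL,
// e.g. "https://203.0.113.10:6443" -> "203.0.113.10".
func hostFromServerURL(server string) (string, error) {
	u, err := url.Parse(server)
	if err != nil {
		return "", err
	}
	return u.Hostname(), nil
}

// checkServerName runs the check kubectl's TLS client runs against the API
// server certificate: is the host from the server URL covered by a SAN? Only
// SANs count; the CommonName is not consulted by modern Go.
func checkServerName(certPEM []byte, host string) error {
	cert, err := parsePEMCert(certPEM)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(host)
}

func main() {
	before, _ := issueAPIServerCert(internalSANs)
	fmt.Println("before adding SAN:", checkServerName(before, externalIP))
	after, _ := issueAPIServerCert(append(append([]string{}, internalSANs...), externalIP))
	fmt.Println("after adding SAN: ", checkServerName(after, externalIP))
	sans, _ := certSANs(after)
	fmt.Println("SANs in new cert: ", sans)
}
```

The real-world equivalent of certSANs after running the procedure is `openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text`, checking that the external address appears under "X509v3 Subject Alternative Name"; if the kubelet has restarted the kube-apiserver container, a kubectl call from outside the firewall is the end-to-end confirmation.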
Source: StackOverflow