Kubernetes, Changing Server of Kops Cluster

12/30/2019

I have a kubernetes cluster setup on AWS using kops.

Right now, the server url is https://old-server-url.com. This url is configured on Route53 pointing to public ip of master instance of cluster.

I want to change this to https://new-server-url.com. I configured the new URL on Route53 pointing to the same master IP. But it just opens the kubernetes dashboard with the new URL. I can't access the kubernetes server via kubectl with this URL.

This is the error I get when changing the kubeconfig file with new url and running kubectl get pods command.

"Unable to connect to the server: x509: certificate is valid for internal.old-server-url.com, old-server-url.com, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, not new-server-url.com"

What configuration do I have to change so that only the server of the kubernetes cluster is changed, and I can access it via kubeconfig / kubectl?

Update: I can access my cluster after using the --insecure-skip-tls-verify flag along with the kubectl command. But this is insecure. I would like to know how I can change my certificates in a kops-provisioned cluster with minimal effects for this scenario.

-- rahim
amazon-ec2
amazon-route53
amazon-web-services
kops
kubernetes

2 Answers

12/30/2019

Kubectl uses a kubeconfig file. In that file you need to change the API server URL from the old URL to the new URL.

Edit:

The impact of changing the url is that you need to regenerate kube-apiserver certificate with the new url as 'host', otherwise kubectl will fail with a certificate validation error.

That happens because kubectl validates the server certificate presented by kube-apiserver upon calling the k8s API server.

To regenerate the kube apiserver certs in the master nodes using kubeadm (kops internally uses kubeadm) you can run below command:

# On the control-plane node. Remove only the serving cert/key pair: 'certs all'
# keeps every certificate that already exists on disk (CA included) and
# regenerates just the ones that are missing.
rm /etc/kubernetes/pki/apiserver.*
# The extra SAN is a bare DNS name, not a URL (no https:// scheme). The flag
# takes a comma-separated list, so the old name can be kept alongside the new
# one if existing kubeconfigs must keep working; the default SANs are added
# automatically.
kubeadm init phase certs all --apiserver-cert-extra-sans=new-server-url.com
# kube-apiserver runs as a static pod and only reads its certificate at start:
# remove the container so the kubelet recreates it with the new cert.
docker rm -f `docker ps -q -f 'name=k8s_kube-apiserver*'`
systemctl restart kubelet

Default SANs are kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, 10.96.0.1, 127.0.0.1

Official docs

-- Arghya Sadhu
Source: StackOverflow

12/30/2019

To just resolve the error:

"Unable to connect to the server: x509: certificate is valid for internal.old-server-url.com, old-server-url.com, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, not new-server-url.com"

You can use the --insecure-skip-tls-verify flag with kubectl command as explained here: Invalid x509 certificate for kubernetes master

This is not recommended for production environments.

-- Muhammad Abdul Raheem
Source: StackOverflow
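An added illustration of both answers, not part of the original thread and not kops or kubeadm code: a self-contained Go program (kubectl is written in Go and performs this check with the same crypto/x509 package) that mints a throwaway cluster CA and a kube-apiserver serving certificate carrying the SANs quoted in the error, runs the verification client-go performs against a kubeconfig's certificate-authority-data and server URL, and shows that the "certificate is valid for ..., not new-server-url.com" error disappears once the serving certificate is reissued with new-server-url.com as an extra SAN. It also shows what --insecure-skip-tls-verify would additionally hide: a certificate with the right name issued by a CA the kubeconfig does not trust. The CA, keys, validity periods and host names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SANs that the kubectl error in the question reports on the existing
// kube-apiserver certificate; 127.0.0.1 is added below as an IP SAN.
var oldSANs = []string{
	"internal.old-server-url.com", "old-server-url.com",
	"kubernetes", "kubernetes.default", "kubernetes.default.svc",
	"kubernetes.default.svc.cluster.local",
}

// newCA builds a throwaway CA standing in for the cluster CA whose
// certificate the kubeconfig carries as certificate-authority-data.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServingCert signs a kube-apiserver serving certificate with the given
// DNS SANs: the operation that regenerating the cert with extra SANs performs.
func issueServingCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsSANs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "kube-apiserver"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsSANs,
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAsKubectl is the check client-go runs on every connection unless
// --insecure-skip-tls-verify is set: chain the presented certificate to the
// configured CA and match the host part of the kubeconfig server URL. The
// x509 error is returned unchanged, so its text is what kubectl prints.
func verifyAsKubectl(ca, server *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// isHostnameMismatch tells the SAN problem apart from a chain failure such
// as a certificate signed by a CA the kubeconfig does not trust.
func isHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	before, _ := issueServingCert(ca, caKey, oldSANs)
	fmt.Println("before rotation:", verifyAsKubectl(ca, before, "new-server-url.com"))

	// Reissue with the new name appended: old kubeconfigs keep working too.
	rotated := append(append([]string{}, oldSANs...), "new-server-url.com")
	after, _ := issueServingCert(ca, caKey, rotated)
	fmt.Println("after rotation: ", verifyAsKubectl(ca, after, "new-server-url.com"))

	// Right name, untrusted issuer: still rejected, unless verification is off.
	rogueCA, rogueKey, _ := newCA()
	rogue, _ := issueServingCert(rogueCA, rogueKey, []string{"new-server-url.com"})
	fmt.Println("untrusted CA:   ", verifyAsKubectl(ca, rogue, "new-server-url.com"))
}
```

Run it with go run; the first line printed is the exact x509 message from the question, the second is nil, the third is "certificate signed by unknown authority". That third case is why the flag is not a fix: with --insecure-skip-tls-verify, client-go sets InsecureSkipVerify on its TLS config, which drops the issuer check as well as the name check, so anything answering on the new DNS name is accepted. On a live cluster the SANs the API server actually presents can be listed with openssl s_client -connect new-server-url.com:443 </dev/null | openssl x509 -noout -ext subjectAltName (OpenSSL 1.1.1 or later).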