kubeadm init phase upload-config failing

3/12/2020

I am new to kubernetes and want to set up a kubernetes HA setup after successfully completing examples with minikube and a single-master kubernetes cluster. I am using AWS EC2 instances and an AWS application load balancer for this purpose. I don't want to use KOPS or any other tool for installation. I want to get hands on with kubeadm. I followed the steps below:

  1. Created a self-signed certificate ca.crt and ca.key to use for kubernetes
  2. Installed this certificate as Root CA on my ubuntu instance
  3. Copied this ca.crt and ca.key to /etc/kubernetes/pki
  4. Created a new certificate for the AWS load balancer and signed it with the above ca.crt. With this certificate, created the AWS application load balancer
  5. I also created Record Set in AWS Route53 for domain name mapping. I also made sure this domain name mapping is working. (i.e. master.k8sonaws.com is properly resolving to aws load balancer)
  6. Now I am using kubeadm init

    kubeadm init --pod-network-cidr=192.168.0.0/20 \
      --service-cidr=192.168.16.0/20 --node-name=10.0.0.13 \
      --control-plane-endpoint "master.k8sonaws.com:443" --upload-certs --v=8 \
      --apiserver-bind-port=443 --apiserver-cert-extra-sans=master.k8sonaws.com,i-0836dd4dc6609a924
  7. This command is succeeding up to the upload-config phase. The health check endpoint is returning success, but after that it's failing in the upload-config phase:

    configmaps is forbidden: User "system:anonymous" cannot create resource "configmaps" in API group "" in the namespace "kube-system"

Here I am not able to understand why kubeadm is passing an anonymous user for the API call. How can I resolve this issue?

-- Gajanan Kulkarni
amazon-web-services
kubeadm
kubernetes

2 Answers

3/13/2020

I found a solution to this problem after trying a lot of different things for 2 days. The problem is that the AWS load balancer does not pass the client certificate to the backend server when using an HTTPS listener. And the problem is that AWS has not documented this fact, or I did not find those documents if they are there.

The way to solve this problem is using a plain HTTP listener on the same port 443, so SSL termination is carried out by the backend server. In my case this is not a security threat since both my load balancer and backend servers are internal and not exposed to a public IP.

-- Gajanan Kulkarni
Source: StackOverflow
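The forbidden message in the question and the cause described in the answer above (an HTTPS listener terminates TLS, so the client certificate never reaches kube-apiserver and the request is authenticated as system:anonymous) can be turned into a small diagnostic. The script below is an added example and is not code from this thread or from kubeadm: it parses the apiserver's forbidden message, separates an authentication failure (anonymous user) from an authorization failure (a real user whose certificate groups have no role binding, the case the second answer describes), and compares the same client certificate used directly against a control-plane node with the same request sent through the load balancer. The endpoint addresses and certificate file paths are assumptions supplied by the caller; the sample messages in the code are constructed from the one quoted in the question.

```python
"""Diagnose kube-apiserver 'forbidden' errors seen during kubeadm init.

Added example (not from the StackOverflow thread or kubeadm). Distinguishes:
  - authentication: the request arrived as system:anonymous, i.e. no accepted
    client certificate (typically a TLS-terminating load balancer in the path,
    or a cert not signed by the cluster CA);
  - authorization: a named user was authenticated but RBAC denied the verb,
    i.e. the certificate's CN/O do not map to an authorized group.
"""
import json
import re
import ssl
import urllib.error
import urllib.request

# Shape of the message produced by the apiserver's RBAC authorizer, e.g.
#   configmaps is forbidden: User "system:anonymous" cannot create resource
#   "configmaps" in API group "" in the namespace "kube-system"
# The scope is either 'in the namespace "<ns>"' or 'at the cluster scope'.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]*)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]*)"'
    r' in API group "(?P<group>[^"]*)"'
    r' (?:in the namespace "(?P<namespace>[^"]*)"|at the cluster scope)'
)


def parse_forbidden(message):
    """Return the fields of a forbidden message as a dict, or None if the
    text is not such a message. 'namespace' is None for cluster-scoped
    requests; 'core_group' marks the empty ("core") API group."""
    m = FORBIDDEN_RE.search(message)
    if not m:
        return None
    fields = m.groupdict()
    fields["core_group"] = fields["group"] == ""
    return fields


def diagnose(message):
    """Map a forbidden message to the layer that rejected the request."""
    parsed = parse_forbidden(message)
    if parsed is None:
        return "not-a-forbidden-error"
    if parsed["user"] == "system:anonymous":
        # No credential was accepted. RBAC is not the problem yet: fix the
        # path between client and apiserver (TLS termination) or the CA first.
        return "authentication"
    # A real identity was authenticated but has no matching role binding.
    return "authorization"


def status_message(body):
    """Extract .message from an apiserver Status object; raw body if not JSON."""
    try:
        return json.loads(body).get("message", body)
    except ValueError:
        return body


def probe_configmaps(endpoint, cacert, cert, key, namespace="kube-system"):
    """GET configmaps at https://<endpoint> with a client certificate.
    Returns (http_status, message). endpoint, cacert, cert and key are
    hypothetical values supplied by the caller, e.g. endpoint
    "master.k8sonaws.com:443" for the load balancer or "10.0.0.13:443" for
    the node itself, with cert/key taken from admin.conf."""
    ctx = ssl.create_default_context(cafile=cacert)
    ctx.load_cert_chain(cert, key)
    url = f"https://{endpoint}/api/v1/namespaces/{namespace}/configmaps"
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
            return resp.status, status_message(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, status_message(err.read().decode())


def compare_paths(direct, via_lb):
    """Given (status, message) from the apiserver reached directly and through
    the load balancer, say whether the load balancer strips the client cert.
    'direct' counts as authenticated when it succeeded or failed only in RBAC."""
    direct_ok = direct[0] == 200 or diagnose(direct[1]) == "authorization"
    lb_anonymous = diagnose(via_lb[1]) == "authentication"
    if direct_ok and lb_anonymous:
        return "lb-strips-client-cert"
    if not direct_ok and lb_anonymous:
        return "cert-not-trusted-by-apiserver"
    return "consistent"


if __name__ == "__main__":
    # Constructed sample: the message quoted in the question.
    sample = ('configmaps is forbidden: User "system:anonymous" cannot create '
              'resource "configmaps" in API group "" in the namespace "kube-system"')
    print(parse_forbidden(sample))
    print(diagnose(sample))
```

Running the two probes with the same admin credential and feeding the results to compare_paths gives a concrete answer: if the node address accepts the certificate but the load balancer address returns system:anonymous, the listener is terminating TLS and the fix is a passthrough (TCP) path to port 443, not a change to RBAC or to the certificate's groups.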

3/12/2020

The certificate in the kubeconfig file used to create the ConfigMap does not have the right groups. I would say don't generate the CA and cert for kubernetes yourself. Just use kubeadm init and kubeadm will handle the CA and cert generation. After your kubernetes cluster is up and running you can use the same CA to generate a cert yourself and use that in the AWS load balancer.

-- Arghya Sadhu
Source: StackOverflow