K
Q

Unauthorized error when joining existing cluster using kubeadm join command

9/16/2020

I have a couple of Raspberry Pis which I am trying to use to set up a Kubernetes cluster for learning purposes.

I've set up a control-plane on a master node successfully. However, when I try to join a worker node to the cluster I get "timed out waiting for the condition / error uploading crisocket" message.

Here is my join command (as printed by the master node):

kubeadm join 192.168.0.4:6443 --token rbebts.cj9zl03jor3nt09m     --discovery-token-ca-cert-hash sha256:dfd705812b44887726abbdc7e91187c76a407498c1d1b73ebc1aa81c9486848c

I tried running it with -v9 option and I see that it is successfully fetching cluster configMap using the provided token (which tells me that the token I use is valid and it is not the root cause of the problem): 

I0916 13:44:44.248364    9187 round_trippers.go:423] curl -k -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: kubeadm/v1.19.1 (linux/arm) kubernetes/206bcad" -H "Authorization: Bearer rbebts.cj9zl03jor3nt09m" 'https://192.168.0.4:6443/api/v1/namespaces/kube-system/configmaps/kube-proxy?timeout=10s'
I0916 13:44:44.256611    9187 round_trippers.go:443] GET https://192.168.0.4:6443/api/v1/namespaces/kube-system/configmaps/kube-proxy?timeout=10s 200 OK in 8 milliseconds

However, further I see a lot of authorization failures:

I0916 13:44:53.146479    9187 round_trippers.go:443] GET https://192.168.0.4:6443/api/v1/nodes/node-1?timeout=10s 401 Unauthorized in 8 milliseconds
I0916 13:44:53.146559    9187 round_trippers.go:449] Response Headers:
I0916 13:44:53.146618    9187 round_trippers.go:452]     Cache-Control: no-cache, private
I0916 13:44:53.146675    9187 round_trippers.go:452]     Content-Type: application/json
I0916 13:44:53.146729    9187 round_trippers.go:452]     Content-Length: 129
I0916 13:44:53.146782    9187 round_trippers.go:452]     Date: Wed, 16 Sep 2020 17:44:53 GMT
I0916 13:44:53.147654    9187 request.go:1097] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
I0916 13:44:53.637836    9187 round_trippers.go:423] curl -k -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: kubeadm/v1.19.1 (linux/arm) kubernetes/206bcad" 'https://192.168.0.4:6443/api/v1/nodes/node-1?timeout=10s'

Looking at the curl command I see that Bearer token is missing (which could explain 401 responses).

I've just started learning about Kubernetes and I am not sure if I am doing something wrong here and how to resolve this.

Some info about my setup:

kubeadm version: &version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.1", GitCommit:"206bcadf021e76c27513500ca24182692aabd17e", GitTreeState:"clean", BuildDate:"2020-09-09T11:24:31Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/arm"}


docker 18.09.1

Raspbian GNU/Linux 10 (buster)
-- irahavoi
kubeadm
kubernetes
raspbian

Similar Questions

“kube-ingress-aws-controller” with “skipper” ingress deployed on a Kops cluster not routing properly
How to mandate all pods in namespace to be marked with label key=value upon creation
Kubernetes ingress "an error on the server ("") has prevented the request from succeeding"
Access istio/k8s service via HTTPS
Still finding the need to use virtualenv in Docker/k8s/Skaffold dev environment to run commands

1 Answer

9/17/2020

Try to enable --v=10 for "join" and observe the API call failures.
this might give a better indication of what is going on.

Also you can execute kubeadm reset command. kubeadm reset is responsible for cleaning up a node local file system from files that were created using the kubeadm init or kubeadm join commands. For control-plane nodes reset also removes the local stacked etcd member of this node from the etcd cluster and also removes this node's information from the kubeadm ClusterStatus object. ClusterStatus is a kubeadm managed Kubernetes API object that holds a list of kube-apiserver endpoints.

Take a look: kubeadm-join, kubeadm-reset-issue.

-- Malgorzata
Source: StackOverflow