In my /root/.kube/config I have a server: value of "https://my.reverse.proxy:6443".
If I don't set any certificates on the reverse proxy (traffic goes directly to the backend and the backend certificate is presented, SSL passthrough), I can run a kubectl command successfully (i.e. sudo kubectl get pods -o wide -A). But if I set a certificate on the reverse proxy, my kubectl command returns:
$ sudo kubectl --insecure-skip-tls-verify get pods -o wide -A
error: You must be logged in to the server (Unauthorized)
I am not sure why this is happening. Is it because the kubectl is trying to "authenticate" with the reverse proxy certificate, and is only allowed to do so with the back-end certificate?
How would I get rid of that error if I want to use a different certificate on the reverse proxy (no SSL passthrough)? What should I do on the client side?
If the issue started after renewing Kubernetes certificates, the existing ~/.kube/config has outdated key and certificate values in it.
The solution is to replace the values client-certificate-data and client-key-data in the file ~/.kube/config with the values of the same name from the updated file /etc/kubernetes/kubelet.conf.
The problem was that the client certificate was stripped by the reverse proxy (the reverse proxy certificate was sent to the Kubernetes server instead), and as a result didn't make it to the Kubernetes server. I need passthrough on my reverse proxy no matter what if I want my client certificates to authenticate properly.
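An added diagnostic (not code from the question or either answer) that reads a kubeconfig and reports, per user, whether the credential is a client certificate, which only reaches the API server with TLS passthrough as concluded above, or a bearer token, which a TLS-terminating proxy forwards in the HTTP headers. It assumes kubectl's one-key-per-line file layout and runs on a constructed sample config.

```python
import base64
import re

# Constructed sample kubeconfig (not from the original post); the PEM body is a placeholder.
FAKE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
FAKE_B64 = base64.b64encode(FAKE_PEM.encode()).decode()
SAMPLE_KUBECONFIG = f"""apiVersion: v1
clusters:
- name: kubernetes
  cluster:
    server: https://my.reverse.proxy:6443
users:
- name: kubernetes-admin
  user:
    client-certificate-data: {FAKE_B64}
- name: ci-bot
  user:
    token: constructed-placeholder-token
"""

# Assumption: one key per line, as kubectl and kubeadm write it, so no YAML library is needed.
SECTION_RE = re.compile(r"^([A-Za-z-]+):")
USER_RE = re.compile(r"^- name:\s*(\S+)")
FIELD_RE = re.compile(r"^\s+(client-certificate-data|client-key-data|token):\s*(\S+)")

def parse_users(text):
    """Return {user_name: {field: value}} from the users: section only."""
    users, section, current = {}, None, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section, current = m.group(1), None
        elif section == "users" and (m := USER_RE.match(line)):
            current = m.group(1)
            users[current] = {}
        elif section == "users" and current and (m := FIELD_RE.match(line)):
            users[current][m.group(1)] = m.group(2)
    return users

def auth_method(fields):
    """How this user proves its identity to the API server."""
    if "client-certificate-data" in fields:
        return "client-certificate"  # presented inside the TLS handshake
    if "token" in fields:
        return "bearer-token"  # carried in the forwarded HTTP Authorization header
    return "none"

def needs_tls_passthrough(fields):
    """A TLS-terminating proxy completes the client's handshake itself, so the
    client certificate never reaches the API server, which answers Unauthorized."""
    return auth_method(fields) == "client-certificate"
```

Running `parse_users` on a real ~/.kube/config and checking `needs_tls_passthrough` for the current context's user tells you up front whether a certificate on the proxy can work at all.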