0

kube-apiserver pod print following log:

authentication.go:104] Unable to authenticate the request due to an error: x509: certificate has expired or is not yet valid

I already renewed all certs renew certs

admin.conf copied to ~/.kube/config
I deleted kubelet.conf and files from /var/lib/kubelet/pki and then create new ones. After that kubelet was restarted. I also restarted apiserver pod but it still print log that certificate is expired.
Interesting thing is that all I don't see any problems with cluster. Kubectl works as always.
I use v1.17.6 version. My cluster has 2-master and 8-worker nodes. Any ideas?

RedBluff
  • 31
  • 1
  • 3
  • Kind of sound like one of your kubelet being unable to check in: are your nodes all OK/ready? Pick one pod running on each node: can you properly run "kubectl logs"? – SYN Jun 23 '22 at 18:41
  • .. wait... 2 masters? both with etcd? ... Out of topic .. but you should really go with 3 (right now, if one master goes down, your etcd is out of quorum: all API's down) – SYN Jun 23 '22 at 20:08
  • 1
    yes, I can run kubectl logs with success (pod logs from each node) – RedBluff Jun 24 '22 at 11:25

1 Answers1

0

I had the same issue. I restarted all 4 static Pod of cluster by temporary removing its manifest file from /etc/kubernetes/manifests/ and moved back after 20 seconds as the documentation says.

https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#manual-certificate-renewal

First i removed and moved back kube-apiserver.yaml, then kube-controller-manager.yaml, after that kube-scheduler.yaml and at last the etcd.yaml.

I don't know if it works even if you delete and move them back all at once.

akosisti
  • 1