4

Trying to install the Kubernetes dashboard on Ubuntu 16.04 results in an x509: certificate signed by unknown authority error.

Kubernetes cluster with a single node is running fine and deployments are happening too.

Tried enabling the apiserver-host property in the kubernetes-dashboard.yaml file without any luck.

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml
Unable to connect to the server: x509: certificate signed by unknown authority

Any suggestions?

Output from kubectl get all -n kube-system

NAME                                         READY   STATUS    RESTARTS   AGE
pod/calico-node-6dgkc                        2/2     Running   4          4d23h
pod/calico-node-v8xjr                        2/2     Running   0          2d4h
pod/coredns-fb8b8dccf-8jznp                  1/1     Running   2          4d23h
pod/coredns-fb8b8dccf-pl87d                  1/1     Running   2          4d23h
pod/etcd-ets-kubernetes                      1/1     Running   2          4d23h
pod/kube-apiserver-ets-kubernetes            1/1     Running   2          4d23h
pod/kube-controller-manager-ets-kubernetes   1/1     Running   2          4d23h
pod/kube-proxy-24qjz                         1/1     Running   0          2d4h
pod/kube-proxy-ccqpn                         1/1     Running   2          4d23h
pod/kube-scheduler-ets-kubernetes            1/1     Running   2          4d23h

NAME                   TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                  AGE
service/calico-typha   ClusterIP   10.110.39.31   <none>        5473/TCP                 4d23h
service/kube-dns       ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP,9153/TCP   4d23h
Error from server (Forbidden): replicationcontrollers is forbidden: User "system:node:ets-kubernetes" cannot list resource "replicationcontrollers" in API group "" in the namespace "kube-system"
Error from server (Forbidden): daemonsets.apps is forbidden: User "system:node:ets-kubernetes" cannot list resource "daemonsets" in API group "apps" in the namespace "kube-system"
Error from server (Forbidden): deployments.apps is forbidden: User "system:node:ets-kubernetes" cannot list resource "deployments" in API group "apps" in the namespace "kube-system"
Error from server (Forbidden): replicasets.apps is forbidden: User "system:node:ets-kubernetes" cannot list resource "replicasets" in API group "apps" in the namespace "kube-system"
Error from server (Forbidden): statefulsets.apps is forbidden: User "system:node:ets-kubernetes" cannot list resource "statefulsets" in API group "apps" in the namespace "kube-system"
Error from server (Forbidden): horizontalpodautoscalers.autoscaling is forbidden: User "system:node:ets-kubernetes" cannot list resource "horizontalpodautoscalers" in API group "autoscaling" in the namespace "kube-system"
Error from server (Forbidden): jobs.batch is forbidden: User "system:node:ets-kubernetes" cannot list resource "jobs" in API group "batch" in the namespace "kube-system"
Error from server (Forbidden): cronjobs.batch is forbidden: User "system:node:ets-kubernetes" cannot list resource "cronjobs" in API group "batch" in the namespace "kube-system"

Output from kubectl get nodes

NAME             STATUS   ROLES    AGE     VERSION
ets-kubernetes   Ready    master   4d23h   v1.14.1
ets-node         Ready    <none>   2d4h    v1.14.1

Kubectl output.PNG

Certificate Error.PNG

Nishant Kansal

2 Answers

1

Had the same issue after resetting k8s to defaults while having kubectl proxy running.

Simply restarting kubectl proxy fixed the issue :)

gxtaillon
0

It would be better if you specified how you deployed your cluster, but try to regenerate your cluster certificates. If you used kubeadm, then from the control plane node you can run

kubeadm alpha certs renew

For more info check this

EDIT according to update on original post:

According to your updated output, as you can see from the events, somehow there are many lines like:

User "system:node:ets-kubernetes" cannot list resource .........

It means the above user doesn't have the relevant role to perform those actions on the specified resources.

To fix this, you have to create the relevant Role and RoleBindings for this user. You can get more info from the official Using RBAC Authorization documentation.

clxoid
  • Yes, I deployed the cluster using kubeadm. I tried "kubeadm alpha certs renew all", however, the end result is still the same. – Nishant Kansal May 14 '19 at 12:12
  • Was the `renew` command successful? Try to post the outputs from `kubectl get all -n kube-system` and `kubectl get nodes`. – clxoid May 14 '19 at 13:08
  • The renew was successful. Added the desired output at the end of the original post. – Nishant Kansal May 15 '19 at 08:50
  • Started from scratch and this time installed Kubernetes cluster on CentOS 7...kubectl get all -n kube-system is not resulting in any error. However, on kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml, it is still giving Unable to connect to the server: x509: certificate signed by unknown authority. – Nishant Kansal May 16 '19 at 05:10
  • Also, "kube-dns" is named "coredns" in the output of kubectl get pods --all-namespaces. Is this the problem? `kube-system coredns-fb8b8dccf-gr8j6 kube-system coredns-fb8b8dccf-zx7xt kube-system etcd-ets-kmaster.in.kronos.com kube-system kube-apiserver-ets-kmaster.in.kronos.com kube-system kube-controller-manager-ets-kmaster.in.kronos.com kube-system kube-proxy-zxzrc kube-system kube-scheduler-ets-kmaster.in.kronos.com` – Nishant Kansal May 16 '19 at 08:50
  • No, `kubeadm` uses `coredns` as the DNS solution for the cluster by default. How do you deploy your Kubernetes cluster? Do you follow some guide? What command did you use exactly (you can omit sensitive names)? – clxoid May 16 '19 at 09:23
  • I am following this article: https://www.linuxtechi.com/install-kubernetes-1-7-centos7-rhel7/ plus help from official Kubernetes documentation. – Nishant Kansal May 16 '19 at 09:52
  • Also, kubelet at the end is giving: failed to run Kubelet: failed to create kubelet: misconfiguration: kubelet cgroup driver: "cgroupfs" is different from docker cgroup driver: "systemd". I checked certain articles and it was pointed to this file: /etc/systemd/system/kubelet.service.d/10-kubeadm.conf. However, no such file is present in my kubernetes set-up. – Nishant Kansal May 16 '19 at 11:02
  • I just followed your guide, and everything just worked for me. After running something like `kubeadm reset` and `kubeadm init` to reset the cluster, please don't forget to run `rm -rf ~/.kube && mkdir -p $HOME/.kube && cp -i /etc/kubernetes/admin.conf $HOME/.kube/config && chown $(id -u):$(id -g) $HOME/.kube/config`. – clxoid May 20 '19 at 16:24
  • Most of the issues are resolved except the original one: certificate error. Snapshots are attached: Certificate Error.PNG and Kubectl output.PNG – Nishant Kansal May 23 '19 at 12:43
  • What happens if you try to deploy another deployment such as nginx? I.e. `kubectl create deployment nginx --image=nginx --v=8` – clxoid May 29 '19 at 08:55
  • The deployment is OK. This error comes when I am trying to install the dashboard. – Nishant Kansal Jun 03 '19 at 09:49
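
A check related to the `admin.conf` copy step in the comment above, as an added example that is not part of the original thread: a kubeconfig that still pins the previous cluster's CA after `kubeadm reset` and `kubeadm init` makes kubectl fail with this x509 error, so the script compares the CA embedded in a kubeconfig with a CA file and prints the user its context refers to. The sample files, their placeholder CA contents and the `192.0.2.10` address are constructed (the node user name is the one from the Forbidden lines in the question); on a kubeadm control plane the arguments would typically be `$HOME/.kube/config` and `/etc/kubernetes/pki/ca.crt`.

```shell
# Added example: compare the CA pinned in a kubeconfig with a CA file.
# Decode certificate-authority-data of the first cluster entry in kubeconfig $1.
kubeconfig_ca() {
    awk '$1 == "certificate-authority-data:" { print $2; exit }' "$1" | base64 -d 2>/dev/null
}

# Print the user name referenced by the first context in kubeconfig $1.
kubeconfig_user() {
    awk '$1 == "user:" && NF == 2 { print $2; exit }' "$1"
}

# 0: kubeconfig $1 pins exactly the CA in file $2; 1: different CA; 2: none found.
ca_matches() {
    tmp=$(mktemp) || return 2
    kubeconfig_ca "$1" > "$tmp"
    if [ ! -s "$tmp" ]; then rc=2
    elif cmp -s "$tmp" "$2"; then rc=0
    else rc=1; fi
    rm -f "$tmp"; return "$rc"
}

# Constructed sample data: placeholder text stands in for real PEM certificates.
demo_dir=$(mktemp -d)
printf 'CONSTRUCTED-CA-BEFORE-RESET\n' > "$demo_dir/old-ca.crt"
printf 'CONSTRUCTED-CA-AFTER-RESET\n'  > "$demo_dir/ca.crt"

# Write a minimal kubeconfig $1 that embeds CA file $2 and names user $3.
write_kubeconfig() {
    cat > "$1" <<EOF
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: $(base64 < "$2" | tr -d '\n')
    server: https://192.0.2.10:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: $3
  name: $3@kubernetes
EOF
}
write_kubeconfig "$demo_dir/stale.conf" "$demo_dir/old-ca.crt" kubernetes-admin
write_kubeconfig "$demo_dir/node.conf" "$demo_dir/ca.crt" system:node:ets-kubernetes

for f in stale node; do
    ca_matches "$demo_dir/$f.conf" "$demo_dir/ca.crt" && verdict=match || verdict=MISMATCH
    echo "$f.conf: user=$(kubeconfig_user "$demo_dir/$f.conf") ca=$verdict"
done
```

A CA mismatch points at a kubeconfig left over from before the reset; a matching CA with a `system:node:` user means the file authenticates as a node rather than as the cluster admin.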