
I have a microk8s cluster composed of several Raspberry Pi 4, behind a Linksys router.

My computer and the cluster router are connected to my ISP router, and are respectively 192.168.0.10 & 192.168.0.2. The cluster's subnet is composed of the following:

  • router : 192.168.1.10
  • microk8s master : 192.168.1.100 (fixed IP)
  • microk8s workers : 192.168.1.10X (via DHCP).

I can ssh from my computer to the master via a port forwarding 192.168.0.2:22 > 192.168.1.100:22

I can nmap the cluster via a port forwarding 192.168.0.2:16443 > 192.168.1.100:16443 (16443 being the API port for microk8s)

But I can't call the k8s API:

```
kubectl cluster-info
```

returns

```
Unable to connect to the server: x509: certificate is valid for 127.0.0.1, 10.152.183.1, 192.168.1.100, fc00::16d, fc00::dea6:32ff:fecc:a007, not 192.168.0.2
```

I've tried using the `--insecure-skip-tls-verify` flag, but:

```
error: You must be logged in to the server (Unauthorized)
```

My local (laptop) config is the following:

```
> kubectl config view
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://192.168.0.2:16443
  name: default
contexts:
- context:
    cluster: default
    user: default
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: default
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
```

I'd say I'd like to add 192.168.0.2 to the certificate, but all the answers I can find online refer to the --insecure-skip-tls-verify flag.

Can you help, please?

Ben
  • Hello @Ben. Please try to add this IP to the certificate and see what happens. – Wytrzymały Wiktor Jun 02 '21 at 12:19
  • Hi @WytrzymałyWiktor, I've actually found some materials on K8s's community website, and here is the procedure I've followed: * I've added IP.99 = 192.168.0.2 in the [ alt_names ] section from `/var/snap/microk8s/current/certs/csr.conf.template` * I've stopped and restarted microk8s, and `refresh-certs` * I've copied the keys from `~/kubeconfig` from the master onto my local kubeconfig. And now I have the following error: `Unable to connect to the server: x509: certificate signed by unknown authority` Is this what you mean by 'Add this IP to the certificate'? – Ben Jun 02 '21 at 15:50
  • According to the [official documentation here](https://microk8s.io/docs/services-and-ports) you can add `IP.X = 192.168.0.2` (where X is the next free number) in the `[ alt_names ]` in `/var/snap/microk8s/current/certs/csr.conf.template`. After this, instead of copying keys `client-key-data` please: 1. [create a new kubeconfig file](https://microk8s.io/docs/working-with-kubectl) and test this file locally on the master node 2. copy the entire kubeconfig file from the master to local kubeconfig. – Mark Jun 04 '21 at 12:10

0 Answers
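
The two x509 errors quoted in this thread can be reproduced offline with throwaway certificates. This is an added example, not code from the question or from MicroK8s: the helper functions, file names and CA names are hypothetical, and the second case assumes the local kubeconfig still holds the previous CA after the server certificate was reissued under a new one.

```sh
#!/bin/sh
# Constructed, offline demo: throwaway CAs and server certs in a temp dir.
# Helper names and file names are hypothetical; no MicroK8s install is touched.
WORK=$(mktemp -d)

# make_ca NAME: self-signed CA (NAME.key / NAME.crt)
make_ca() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$WORK/$1.conf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -config "$WORK/$1.conf" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_server CA NAME IP...: server cert signed by CA, SANs = the given IPs,
# written the same way as the [ alt_names ] section of csr.conf.template.
issue_server() {
  ca=$1; name=$2; shift 2
  { printf '[req]\ndistinguished_name=dn\n[dn]\n[v3]\nsubjectAltName=@alt_names\n[alt_names]\n'
    i=1; for ip in "$@"; do echo "IP.$i = $ip"; i=$((i + 1)); done
  } > "$WORK/$name.conf"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -config "$WORK/$name.conf" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -days 1 -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -extfile "$WORK/$name.conf" -extensions v3 -out "$WORK/$name.crt" 2>/dev/null
}

# san_covers NAME IP: true if the cert's SAN list contains IP
san_covers() {
  openssl x509 -in "$WORK/$1.crt" -noout -checkip "$2" | grep -q 'does match'
}

# chains_to NAME CA: true if the cert verifies against that CA (what the
# client does with certificate-authority-data)
chains_to() {
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca old-ca
issue_server old-ca before 127.0.0.1 10.152.183.1 192.168.1.100
issue_server old-ca after  127.0.0.1 10.152.183.1 192.168.1.100 192.168.0.2
san_covers before 192.168.0.2 || echo "before: not valid for 192.168.0.2"
san_covers after  192.168.0.2 && echo "after: valid for 192.168.0.2"
make_ca new-ca
issue_server new-ca reissued 192.168.1.100 192.168.0.2
chains_to reissued old-ca || echo "reissued: unknown authority for a client pinning old-ca"
chains_to reissued new-ca && echo "reissued: trusted once the client holds new-ca"
```

Against a live API server, the same two checks apply to the certificate it presents and to the CA embedded in the kubeconfig in use.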