1

I have a kubeadm cluster. I modified the .kube/config file by exporting the hardcoded certificate-authority-data value (the base64 of the CA certificate) to another file called ca.b64.crt. I also modified the client-certificate and client-key by putting their values in other files on disk.

So the resulting .kube/config file is:

apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/pki/ca.b64.crt
    server: https://172.31.127.100:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: kubernetes-admin
  name: kubernetes-admin@kubernetes
current-context: kubernetes-admin@kubernetes
kind: Config
preferences: {}
users:
- name: kubernetes-admin
  user:
    client-certificate: /etc/kubernetes/pki/admins/admin.b64.crt
    client-key: /etc/kubernetes/pki/admins/admin.b64.key

The problem is that whenever I try to use kubectl (e.g. to get pods), I get:

xxxx:~$ k get po
error: unable to load root certificates: unable to parse bytes as PEM block

Any ideas?

Khaled

2 Answers

1

The troubleshooting steps below will help you resolve issues related to the format or content of the certificate files:

1. Check to see if the certificate files are at the expected locations.

2. Check that the certificate and key files are in the correct format, particularly PEM.

3. Check that the certificate and key files are read-only for the user using the 'kubectl' command.

4. Try with enhanced privileges like 'sudo kubectl'.

Refer to the doc Introduction to TLS written by Mumshad Mannambeth for more information.

The error “Unable to load root certificate” seems like what happens if we paste the cert from a browser. It is most likely that we may miss the CR and LF characters by not reading/loading the cert file.

You can use something like https://www.base64encode.org/. Simply insert the PEM data and encode!

Sai Chandini Routhu
0

I found out the issue. certificate-authority-data uses the base64 string of the crt or key, while certificate-authority uses the crt or key files (without being base64).

Khaled
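The difference between the path fields and the `*-data` fields described in the last answer, as an added example that is not code from either poster: a bash check that reports whether a file named by `certificate-authority`, `client-certificate` or `client-key` is PEM or a base64-wrapped PEM string copied out of a `*-data` field, plus a decode step. The function names and the sample file contents are constructed for illustration, and it assumes a `base64` that accepts `-d`.

```bash
#!/usr/bin/env bash
# Classify a file referenced by a kubeconfig path field
# (certificate-authority, client-certificate, client-key).
# Prints one of: pem | base64-pem | unknown | missing
classify_pki_file() {
    local path="$1"
    [ -r "$path" ] || { echo "missing"; return 0; }
    # Path fields expect PEM text, so the file must carry a BEGIN armor line.
    if grep -q -- '-----BEGIN [A-Z0-9 ]*-----' "$path"; then
        echo "pem"; return 0
    fi
    # The *-data fields hold base64 of the PEM text. If that value was
    # written to disk unchanged, decoding it once reveals the armor line.
    if tr -d ' \r\n' < "$path" | base64 -d 2>/dev/null \
            | grep -q -- '-----BEGIN [A-Z0-9 ]*-----'; then
        echo "base64-pem"; return 0
    fi
    echo "unknown"
}

# Write the PEM form of a base64-wrapped file to a new path (mode 0600);
# the source file is left untouched.
decode_to_pem() {
    local src="$1" dst="$2"
    ( umask 077; tr -d ' \r\n' < "$src" | base64 -d > "$dst" )
}

# Demo on constructed files (placeholder body, not a real certificate).
demo() {
    local d f
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    # Same shape as the question's ca.b64.crt: the *-data value saved as a file.
    base64 < "$d/ca.crt" | tr -d '\n' > "$d/ca.b64.crt"
    for f in ca.crt ca.b64.crt; do
        printf '%s: %s\n' "$f" "$(classify_pki_file "$d/$f")"
    done
    rm -rf "$d"
}
demo
```

A file reported as `base64-pem` is what produces "unable to parse bytes as PEM block" when a path field points at it; either decode it with `decode_to_pem` or keep the value inline in the matching `*-data` field.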