[K3s-02] How to Access K3s cluster with kubectl from outside
Problem: Remote kubectl x509: certificate is valid for 127.0.0.1
kubectl is the most widely used command-line tool for talking to the Kubernetes API server. It is not meant to be run only inside the Kubernetes nodes; developers and operators must be able to use kubectl from outside the cluster as well. However, just copying the kubeconfig file from /etc/rancher/k3s/k3s.yaml to another machine is not enough: it produces the error above.
kubectl connects to the API server over TLS. It authenticates itself with a client certificate, and it verifies the API server's serving certificate, which is issued by the API server itself and is valid only for the IP addresses and hostnames it was signed for. By default the k3s serving certificate behind the kubeconfig is signed for the host IP address 127.0.0.1, so kubectl only works from inside the Kubernetes node. To reach the cluster from outside we need to issue a new serving certificate that includes the IP address of the Kubernetes control plane (only editing the IP address in the kubeconfig file is not enough).
For example, the k3s control plane IP address is 13.209.245.101.
Edit /etc/systemd/system/k3s.service so that k3s advertises the control plane IP and adds it to the serving certificate's Subject Alternative Names:

# /etc/systemd/system/k3s.service
# --tls-san is the important line: it puts the IP into the serving certificate's SANs
ExecStart=/usr/local/bin/k3s \
    server \
    '--advertise-address=13.209.245.101' \
    '--tls-san=13.209.245.101' \

Then remove the old serving certificate so k3s regenerates it with the new SAN, and restart the service:

sudo k3s kubectl -n kube-system delete secrets/k3s-serving
sudo mv /var/lib/rancher/k3s/server/tls/dynamic-cert.json /tmp/dynamic-cert.json
sudo systemctl daemon-reload
sudo systemctl restart k3s
Afterwards the regenerated kubeconfig is located at /etc/rancher/k3s/k3s.yaml. Copy it to the client machine and point server: at the control plane address (https://13.209.245.101:6443, as in the example below); with that kubeconfig, kubectl can reach the k3s API server from outside.
# Example kubeconfig file
---
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: XXX
    server: https://13.209.245.101:6443
  name: default
contexts:
- context:
    cluster: default
    user: default
  name: default
current-context: default
kind: Config
preferences: {}
users:
- name: default
  user:
    client-certificate-data: XXX
    client-key-data: XXX
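A check worth running after the restart, as an added example that is not part of the original post: confirm that the serving certificate presented on port 6443 now lists the control plane IP as a SAN, which is exactly what the x509 error complains about. fetch_serving_cert (needs network access) and the self-signed test certificates are assumptions for illustration, and openssl 1.1.1 or newer is assumed on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): check that the API server's serving
# certificate lists the control plane IP as a SAN before trusting a copied kubeconfig.
# Assumes openssl >= 1.1.1 on PATH; test certificates are constructed here, not k3s-generated.

# Print the SAN entries of a PEM certificate, one per line, e.g. "IP Address:127.0.0.1".
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Return 0 if certificate $1 carries an "IP Address:$2" SAN, non-zero otherwise.
cert_has_ip_san() {
  cert_sans "$1" | grep -qx "IP Address:$2"
}

# Fetch the certificate the API server at $1:$2 actually presents (needs network access),
# e.g.: fetch_serving_cert 13.209.245.101 6443 > serving.pem
fetch_serving_cert() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# Constructed fixture: self-signed certificate written to $1 with the SAN list $2.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=k3s" \
    -keyout "$1.key" -out "$1" -addext "subjectAltName=$2" >/dev/null 2>&1
}

# Demo: a default-style cert (127.0.0.1 only) fails the check for the control plane IP;
# a cert issued after adding --tls-san=13.209.245.101 passes it.
demo() {
  dir=$(mktemp -d)
  make_test_cert "$dir/before.pem" "IP:127.0.0.1"
  make_test_cert "$dir/after.pem" "IP:127.0.0.1,IP:13.209.245.101"
  for c in before after; do
    if cert_has_ip_san "$dir/$c.pem" 13.209.245.101; then
      echo "$c: SAN includes 13.209.245.101; remote kubectl will accept this certificate"
    else
      echo "$c: SAN lacks 13.209.245.101; expect 'x509: certificate is valid for 127.0.0.1'"
    fi
  done
  rm -rf "$dir"
}

demo
```

Against a live cluster, run `fetch_serving_cert 13.209.245.101 6443 > serving.pem` and then `cert_has_ip_san serving.pem 13.209.245.101` from the client machine before copying the kubeconfig.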