Skip to main content
  1. Posts/

[K3s-02] How to Access K3s cluster with kubectl from outside

·275 words
Table of Contents

Problem: Remote kubectl x509: certificate is valid for
kubectl is the most well known command-line tool to access Kubernetes cluster API server. It is not only for executing inside the kubernetes nodes. It must be possible for developers and operators use kubectl from outside of the cluster also. However, just copying kubeconfig file from /etc/rancher/k3s/k3s.yaml is not enough. It will cause the above error.

kubectl is a client tool to access Kubernetes API server. It uses TLS certificate to authenticate itself to the API server. The certificate is issued by the API server itself. The certificate is valid only for the IP address that is signed. In default the kubeconfig certificate is sigend with the host IP address So, the kubectl command is only valid inside the kubernetes node. To make it happen, we need to issue a new certificate with the IP address of the kubernetes control plane (Only editing the IP address in kubeconfig file is not enough).

For example, k3s control plane IP address is
Edit /etc/systemd/system/k3s.service

# /etc/systemd/system/k3s.service

ExecStart=/usr/local/bin/k3s \
    server \
       '–advertise-address=' \
       '-tls-san=' \  ## this is important
# Then, restart k3s service
sudo k3s kubectl -n kube-system delete secrets/k3s-serving
sudo mv /var/lib/rancher/k3s/server/tls/dynamic-cert.json /tmp/dynamic-cert.json

sudo systemctl daemon-reload
sudo systemctl restart k3s

Then, new kubeconfig file is located at /etc/rancher/k3s/k3s.yaml. Using this kubeconfig will be able to access k3s API server from the outside.

# Example kubeconfig file
apiVersion: v1
- cluster:
    certificate-authority-data: XXX
  name: default
- context:
    cluster: default
    user: default
  name: default
current-context: default
kind: Config
preferences: {}
- name: default
    client-certificate-data: XXX
    client-key-data: XXX

Reference #