kubectl unable to connect to server: x509: certificate signed by unknown authority

ssl kubernetes kubectl

i'm getting an error when running kubectl one one machine (windows)

the k8s cluster is running on CentOs 7 kubernetes cluster 1.7 master, worker

Here's my .kube\config

  
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: REDACTED
    server: https://10.10.12.7:6443
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: system:node:localhost.localdomain
  name: system:node:localhost.localdomain@kubernetes
current-context: system:node:localhost.localdomain@kubernetes
kind: Config
preferences: {}
users:
- name: system:node:localhost.localdomain
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED

the cluster is built using kubeadm with the default certificates on the pki directory

kubectl unable to connect to server: x509: certificate signed by unknown authority


One more solution in case it helps anyone:

My scenario:

  • using Windows 10
  • Kubernetes installed via Docker Desktop ui 2.1.0.1
  • the installer created config file at ~/.kube/config
  • the value in ~/.kube/config for server is https://kubernetes.docker.internal:6443
  • using proxy

Issue: kubectl commands to this endpoint were going through the proxy, I figured it out after running kubectl --insecure-skip-tls-verify cluster-info dump which displayed the proxy html error page.

Fix: just making sure that this URL doesn't go through the proxy, in my case in bash I used export no_proxy=$no_proxy,*.docker.internal


Run: 

gcloud container clusters get-credentials standard-cluster-1 --zone us-central1-a --project devops1-218400

here devops1-218400 is my project name. Replace it with your project name.


So kubectl doesn't trust the cluster, because for whatever reason the configuration has been messed up (mine included). To fix this, you can use openssl to extract the certificate from the cluster

openssl.exe s_client -showcerts -connect IP:PORT

IP:PORT should be what in your config is written after server:

Copy paste stuff starting from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (these lines included) into a new text file, say... myCert.crt If there are multiple entries, copy all of them.

Now go to .kube\config and instead of

certificate-authority-data: <wrongEncodedPublicKey>`

put

certificate-authority: myCert.crt

(it assumes you put myCert.crt in the same folder as the config file) If you made the cert correctly it will trust the cluster (tried renaming the file and it no longer trusted afterwards). I wish I knew what encoding certificate-authority-data uses, but after a few hours of googling I resorted to this solution, and looking back I think it's more elegant anyway.

Related

Learning about low-level graphics programming
What is FLOP/s and is it a good measure of performance?
Add 'Watermark' to images with php [closed]
jQuery - keydown / keypress /keyup ENTERKEY detection?
Adding an INDEX to a CTE
What is the proper way to detect if code is running on the main thread in Objective-C? (iOS) [duplicate]
Aggregate Function on Uniqueidentifier (GUID)
Interface type cannot be statically allocated?
How to map "jj" to Esc in emacs Evil mode
content type for mp3 download response
How do I set the default schema for a user in MySQL
HTML <pre> tag values get horizontal scroll bars,how to format it?