After I configured the k8s cluster, I excitedly sent it to a colleague working remotely for testing. The colleague connected to my server through a VPN and then executed the kubectl command through the server. As a result, the error in the title appeared. The reason is that over the VPN the server is reached at an address other than its original intranet address, so the VPN address has to be authorized in the apiserver certificate. The authorization process is as follows.
View apiserver certificate
$ openssl x509 -noout -text -in apiserver.crt | grep DNS
DNS:debian-1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.168.1.195
The required IP address is not present in the certificate.
Delete the old apiserver certificate
$ cd /etc/kubernetes/pki
$ rm apiserver.*
Generate a new apiserver certificate
$ kubeadm init phase certs apiserver --apiserver-advertise-address ${apiserver-ip1} --apiserver-cert-extra-sans ${apiserver-ip2} --apiserver-cert-extra-sans ${apiserver-ip3}
In the above command, replace ${apiserver-ip1}, ${apiserver-ip2} and ${apiserver-ip3} with the actual addresses of your own cluster. They are placeholders, not shell variables: typed verbatim, the shell expands ${apiserver-ip1} to the literal string ip1 unless a variable named apiserver is set. If you need to add more addresses, you can continue to add the --apiserver-cert-extra-sans ${apiserver-ip} parameter in the command.
At this point, you can see that a new apiserver certificate has been generated.
$ ls apiserver.*
apiserver.crt apiserver.key
Restart the apiserver
$ docker ps|grep apiserver
c6947d3f08cb b6d7abedde39 "kube-apiserver --ad…" 3 days ago Up 42 minutes k8s_kube-apiserver_kube-apiserver-debian-1_kube-system_8c9ab1ead009c3ba3cbb640306555281_12
3d6e28c76425 registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 3 days ago Up 42 minutes k8s_POD_kube-apiserver-debian-1_kube-system_8c9ab1ead009c3ba3cbb640306555281_1
$ docker restart c6947d3f08cb 3d6e28c76425
c6947d3f08cb
3d6e28c76425
Verify
$ kubectl cluster-info
Kubernetes control plane is running at https://192.168.1.195:6443
CoreDNS is running at https://192.168.1.195:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
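The grep from the first step can be turned into an exact-match check that lists which client-facing addresses are still missing from the certificate. This is an added example, not part of the original post; the function names are hypothetical, 10.8.0.1 is an assumed VPN address, and the sample SAN line is the one shown above.

```shell
# Added example: list required names/addresses absent from a certificate's
# subjectAltName entries. Function names are hypothetical.

# Read `openssl x509 -noout -text` output on stdin and print one SAN value
# per line, with the "DNS:" / "IP Address:" tags stripped.
san_values() {
    grep -E '(DNS|IP Address):' | tr ',' '\n' |
        sed -E 's/^[[:space:]]*(DNS|IP Address)://; s/[[:space:]]+$//'
}

# missing_sans "<openssl text>" want1 [want2 ...]
# Prints each wanted entry that is not in the SAN list (no output = all covered).
# The body runs in a subshell so its variables stay local.
missing_sans() (
    text=$1
    shift
    have=$(printf '%s\n' "$text" | san_values)
    for want in "$@"; do
        # -x (whole line) and -F (fixed string) prevent 192.168.1.19 from
        # being counted as present because 192.168.1.195 is.
        printf '%s\n' "$have" | grep -qxF -- "$want" || printf '%s\n' "$want"
    done
)

# Constructed sample input: the SAN line printed by the old certificate.
SAMPLE='DNS:debian-1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:192.168.1.195'

# 10.8.0.1 stands in for the VPN address (assumption); it is reported as
# missing, as is the near-miss 192.168.1.19.
missing_sans "$SAMPLE" 192.168.1.195 10.8.0.1 192.168.1.19

# Against the real file after regeneration:
#   missing_sans "$(openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt)" <vpn-ip>
```

An empty result after regenerating the certificate means every listed address is covered.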
Done.