How can I add an additional IP / hostname to my Kubernetes certificate?
Problem
I've recently followed this guide to set up Kubernetes on my local Raspberry Pi cluster. I can access it fine on my LAN; however, I'd like to be able to access it remotely as well. I've already set up port forwarding on my router, but when I try to connect from outside the LAN, I get an x509 certificate error indicating that the certificate is signed for my local 192.168 address but not for my home's IP. I could bypass this with the --insecure-skip-tls-verify option, but I'd much rather have the certificate used simply incorporate my IP address. Only... I'm not fully sure how to do that, though I do have some ideas.

When I initially set things up with kubeadm init, should I have used the --apiserver-advertise-address option to specify my home IP? Would doing so have had any adverse effects (such as precluding my local/192.168 IP)? Ideally I'd like the certificate to be signed for both the internal and external IPs. Or is there some other option I should have given to kubeadm init? Secondly, now that it has been initialized, is there any way to regenerate the certificate and swap it out, or will I need to nuke the cluster?

To clarify, I don't have any certificate managers installed. I'm not talking about Ingress. I'm talking about the actual "root" certificate (for lack of a better term) that kubeadm generates when first installing the cluster, i.e. the one that lives at /etc/kubernetes/pki/apiserver.crt

Solution
To do this, you'll first need your kubeadm configuration file. This creates a file named kubeadm.yaml:

    kubectl -n kube-system get configmap kubeadm-config -o jsonpath='{.data.ClusterConfiguration}' > kubeadm.yaml

Now open the file in an editor, and find the certSANs list under the apiServer section. If it does not exist, you'll need to add it; if so, you'll just add another entry to that list. Example:

    apiServer:
      certSANs:
      - "172.29.50.162"
      - "k8s.domain.com"
      - "other-k8s.domain.net"
      extraArgs:
        authorization-mode: Node,RBAC
      timeoutForControlPlane: 4m0s

Now move the old certificates to another folder, otherwise kubeadm will not recreate new ones:

    mv /etc/kubernetes/pki/apiserver.{crt,key} ~

Use kubeadm to generate new apiserver certificates:

    kubeadm init phase certs apiserver --config kubeadm.yaml

Now restart your kube-apiserver container:

- Run docker ps | grep kube-apiserver | grep -v pause to get the container ID for the container running the Kubernetes API server.
- Run docker kill <containerID> to kill the container.
- The Kubelet will automatically restart the container, which will pick up the new certificate.

If everything is working as expected, don't forget to update the kubeadm ConfigMap stored in the cluster, otherwise future kubeadm upgrades will lack your new config.

If using Kubernetes >= v1.15:

    kubeadm init phase upload-config kubeadm --config kubeadm.yaml

This article has a more complete guide on this: Adding a Name to the Kubernetes API Server Certificate
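As an added check that is not part of the original answer: after regenerating apiserver.crt, confirm with openssl that the new certificate really carries every SAN you expect (both the LAN and the public address), and that the certificate the API server serves matches the file on disk, which is how you tell whether the container restart actually picked it up. The addresses 192.168.1.10 and 203.0.113.5 and the hostname kubernetes are constructed placeholders; the demo generates a throwaway self-signed certificate rather than touching a real cluster.

```shell
#!/bin/sh
# Added example, not from the original answer. After "kubeadm init phase certs
# apiserver", confirm the regenerated certificate carries every SAN you expect
# (LAN and public IP) and that the cert the API server serves is the one on disk.
set -eu
# List the SAN entries of a PEM cert, one per line, in openssl's own spelling
# ("DNS:k8s.domain.com", "IP Address:172.29.50.162").
cert_sans() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print }' |
    tr ',' '\n' | sed 's/^ *//'
}
# check_cert_sans CERT IP:<addr>|DNS:<name> ...
# Exit status 0 if every expected SAN is present, 1 if any is missing, 2 on bad input.
check_cert_sans() {
  cert=$1; shift
  sans=$(cert_sans "$cert"); missing=0
  for want in "$@"; do
    case "$want" in
      IP:*)  needle="IP Address:${want#IP:}" ;;
      DNS:*) needle="$want" ;;
      *)     echo "expected IP:<addr> or DNS:<name>, got '$want'" >&2; return 2 ;;
    esac
    printf '%s\n' "$sans" | grep -qxF "$needle" || { echo "missing SAN $want" >&2; missing=1; }
  done
  return "$missing"
}
# Compare the SHA-256 fingerprint served on HOST:PORT with the file on disk; a
# mismatch means the kube-apiserver container still holds the old certificate.
served_cert_matches() {
  served=$(openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
  ondisk=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  [ -n "$served" ] && [ "$served" = "$ondisk" ]
}
# Constructed throwaway certificate (not a real cluster cert): 192.168.1.10
# stands in for the LAN address, 203.0.113.5 (TEST-NET-3) for the public IP.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kube-apiserver" \
    -keyout "${1%.crt}.key" -out "$1" \
    -addext "subjectAltName=DNS:kubernetes,IP:192.168.1.10,IP:203.0.113.5" >/dev/null 2>&1
}
demo() {
  d=$(mktemp -d); make_demo_cert "$d/apiserver.crt"
  check_cert_sans "$d/apiserver.crt" IP:192.168.1.10 IP:203.0.113.5 DNS:kubernetes && echo "all SANs present"
  check_cert_sans "$d/apiserver.crt" IP:203.0.113.99 || echo "unknown IP correctly reported as missing"
  rm -rf "$d"
}
demo
```

On a real node, run check_cert_sans against /etc/kubernetes/pki/apiserver.crt with the entries from your certSANs list, then served_cert_matches against the advertised host:port and the same file.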
StackExchange DevOps Q#9483, answer score: 15