How to run remote code as user with certificate from a worker node

Question

I created a user in the Master.
First I created a key and certificate for him: dan.key and dan.crt

Then I created it inside Kubernetes:

 kubectl config set-credentials dan \ 
 --client-certificate=/tmp/dan.crt \
 --client-key=/tmp/dan.key 

This is the ~/.kube/config:

users:
- name: dan
  user:
    as-user-extra: {}
    client-certificate: /tmp/dan.crt
    client-key: /tmp/dan.key 

I want to be able to run commands from a remote worker as the user I created.
I know how to do it with service account token:

kubectl --server=https://192.168.0.13:6443 --insecure-skip-tls-verify=true --token="<service_account_token>" get pods

I copied the certifiacte and the key to the remote worker and ran:

[workernode tmp]$ kubectl --server=https://192.168.0.13:6443 --client-certificate=/tmp/dan.crt --client-key=/tmp/dan.key get pods
Unable to connect to the server: x509: certificate signed by unknown authority

I followed this question:
kubectl unable to connect to server: x509: certificate signed by unknown authority
I tried like he wrote:

kubectl proxy --address 0.0.0.0 --accept-hosts '.*'

But I am still receiving:
Unable to connect to the server: x509: certificate signed by unknown authority

Answer 1

I copied the certifiacte and the key to the remote worker and ran:

[workernode tmp]$ kubectl --server=https://192.168.0.13:6443 --client-certificate=/tmp/dan.crt --client-key=/tmp/dan.key get pods

Unable to connect to the server: x509: certificate signed by unknown authority

You were missing the critical piece of data telling kubectl how to trust the https: part of that request, namely --certificate-authority=/path/to/kubernetes/ca.pem

You didn't encounter that error while using --token=... because of the --insecure-skip-tls-verify=true which you should definitely, definitely not do.

---

I tried like he wrote:

kubectl proxy --address 0.0.0.0 --accept-hosts '.*'

But I am still receiving:

You have followed the wrong piece of advice from whatever article you were reading; that --accept-hosts flag only controls the remote hostnames from which kubectl proxy will accept connections, and has zero to do with SSL anythings.