
I have a Kubernetes cluster set up on AWS using kops.

Right now, the server URL is https://old-server-url.com. This URL is configured on Route53, pointing to the public IP of the cluster's master instance.

I want to change this to https://new-server-url.com. I configured the new URL on Route53 with the same master IP. But it just opens the Kubernetes dashboard with the new URL. I can't access the Kubernetes server via kubectl with this URL.

This is the error I get when I change the kubeconfig file to the new URL and run the kubectl get pods command:

"Unable to connect to the server: x509: certificate is valid for internal.old-server-url.com, old-server-url.com, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, not new-server-url.com"

What configuration do I have to change so that only the server URL of the Kubernetes cluster is changed, and I can access it via kubeconfig/kubectl?

Update: I can access my cluster after using the --insecure-skip-tls-verify flag along with the kubectl command. But this is insecure. I would like to know how I can change my certificates in a kops-provisioned cluster with minimal effects for this scenario.

rahim

2 Answers

3

To just resolve the error:

"Unable to connect to the server: x509: certificate is valid for internal.old-server-url.com, old-server-url.com, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, not new-server-url.com"

You can use the --insecure-skip-tls-verify flag with the kubectl command, as explained here: Invalid x509 certificate for kubernetes master

This is not recommended for production environments.

Muhammad Abdul Raheem
2

Kubectl uses a kubeconfig file. In that file you need to change the API server URL from the old URL to the new one.

Edit:

The impact of changing the URL is that you need to regenerate the kube-apiserver certificate with the new URL as a 'host'; otherwise kubectl will fail with a certificate validation error.

That happens because kubectl validates the server certificate presented by kube-apiserver when it calls the k8s API server.

To regenerate the kube-apiserver certs on the master nodes using kubeadm (kops internally uses kubeadm), you can run the commands below:

# On the master: remove only the apiserver serving cert and key so that
# "certs all" regenerates just that pair (existing CA and other certs are kept).
rm /etc/kubernetes/pki/apiserver.*
# The extra SAN is a bare DNS name, not a URL: no "https://" scheme, or the
# name will never match what kubectl is connecting to.
kubeadm init phase certs all --apiserver-cert-extra-sans=new-server-url.com
# Kill the running kube-apiserver container; kubelet restarts the static pod
# and it picks up the new certificate.
docker rm -f $(docker ps -q -f 'name=k8s_kube-apiserver*')
systemctl restart kubelet

Default SANs are kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, 10.96.0.1, 127.0.0.1.

Official docs

Arghya Sadhu
  • I have done that, but after changing the kubeconfig file, I can't access the cluster. – rahim Dec 30 '19 at 11:36
  • What is the error? Can you try running the kubectl command with verbose set: kubectl -v=8-get nodes – Arghya Sadhu Dec 30 '19 at 11:46
  • I can't run the command that you asked for. Can you please tell me exactly what command you want me to run, in inverted commas? Also, this is the error I get when changing the kubeconfig file to the new URL and running the kubectl get pods command: "Unable to connect to the server: x509: certificate is valid for internal.old-server-url.com, old-server-url.com, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, not new-server-url.com" – rahim Dec 30 '19 at 11:58
  • Sorry, I made a typo. Can you try this: "kubectl -v=8 get nodes" – Arghya Sadhu Dec 30 '19 at 12:01
  • I get the same error: "Unable to connect to the server: x509: certificate is valid for internal.old-server-url.com, old-server-url.com, kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, not new-server-url.com". I can access my cluster after using the --insecure-skip-tls-verify flag along with the kubectl command. But this is insecure. I would like to know how I can change my certificates in a kops-provisioned cluster with minimal effects. – rahim Dec 30 '19 at 12:14
  • The command that you mentioned will just add a new SAN for my domain. The certificate will still work for my old domain. Is there a way so that the certificate doesn't work for the old domain? – rahim Dec 31 '19 at 11:23
  • Ideally you will need to remove the existing certs and then run that command to generate new certs with only the new SAN. Check the updated answer. – Arghya Sadhu Dec 31 '19 at 11:41
  • This needs to be done on the master, right? – rahim Dec 31 '19 at 12:01
  • 1
    Yes it needs to be done on master – Arghya Sadhu Dec 31 '19 at 12:02
  • Can you please tell me if this will have any downtime on my cluster or any other side effects? – rahim Dec 31 '19 at 12:27
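The second answer's point (kubectl compares the hostname from the kubeconfig `server:` URL against the SANs in the apiserver certificate, and fails with the x509 error quoted in the question when none matches) as an added, runnable example. This is example code, not code from the original post, from kops or from kubeadm. The SAN list is the one quoted in the question's error; the function names (`san_matches`, `cert_covers`, `x509_error`, `check_kubeconfig_server`) and the "regenerated" SAN list are the example's own, and the matching rules (case-insensitive exact match, a single leftmost `*` label matching exactly one label, IP SANs compared as IP addresses) are my reading of how Go's crypto/x509, which kubectl uses, matches names:

```python
"""Hostname-vs-SAN check of the kind kubectl performs before trusting kube-apiserver.

Added example, not from the original post. Shows why the old kubeconfig works,
why the new URL fails with the page's exact error text, and why a SAN written as a
URL (e.g. passed to --apiserver-cert-extra-sans with an https:// prefix) never helps.
"""
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# SANs constructed from the x509 error message quoted in the question.
OLD_APISERVER_SANS = [
    "internal.old-server-url.com",
    "old-server-url.com",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster.local",
]


def _is_ip(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def san_matches(san: str, host: str) -> bool:
    """One SAN entry against one host (assumed rules modelled on Go's crypto/x509):
    case-insensitive exact match; '*' only as the whole leftmost label and matching
    exactly one label; IP SANs must equal the IP literal the client connected to."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if _is_ip(host) or _is_ip(san):
        return _is_ip(host) and _is_ip(san) and ipaddress.ip_address(host) == ipaddress.ip_address(san)
    if "*" not in san:
        return san == host
    san_labels, host_labels = san.split("."), host.split(".")
    if san_labels[0] != "*" or len(san_labels) != len(host_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def cert_covers(host: str, sans: List[str]) -> bool:
    """True when at least one SAN matches the host the client dialled."""
    return any(san_matches(s, host) for s in sans)


def x509_error(host: str, sans: List[str]) -> Optional[str]:
    """The message kubectl prints (as quoted in the question) when no SAN matches, else None."""
    if cert_covers(host, sans):
        return None
    return "x509: certificate is valid for " + ", ".join(sans) + ", not " + host


def check_kubeconfig_server(server_url: str, sans: List[str]) -> Optional[str]:
    """Take the 'server:' value of a kubeconfig and report the mismatch kubectl would see."""
    host = urlsplit(server_url).hostname  # strips scheme and :port, lowercases
    if host is None:
        raise ValueError("no hostname in server URL: %r" % server_url)
    return x509_error(host, sans)


if __name__ == "__main__":
    for url in ("https://old-server-url.com", "https://new-server-url.com"):
        print(url, "->", check_kubeconfig_server(url, OLD_APISERVER_SANS) or "ok")
    # Constructed SAN list after regenerating the apiserver cert with only the new name:
    regenerated = [s for s in OLD_APISERVER_SANS if "old-server-url" not in s] + [
        "new-server-url.com", "10.96.0.1", "127.0.0.1",
    ]
    print("regenerated ->", check_kubeconfig_server("https://new-server-url.com", regenerated) or "ok")
    print("old name after regeneration ->", check_kubeconfig_server("https://old-server-url.com", regenerated))
    # A SAN that contains the scheme is just a string that no hostname equals:
    print("url-as-san ->", check_kubeconfig_server("https://new-server-url.com", ["https://new-server-url.com"]))
```

Run it directly to see the old URL pass, the new URL fail with the message from the question, and the constructed post-regeneration list accept only the new name, which is the behaviour the asker wants in the comments (old domain no longer accepted) without touching --insecure-skip-tls-verify. Pointing `check_kubeconfig_server` at the real cluster would only need the SAN list read out of the live certificate.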