Anyone know how to solve this when using kubeadm? I fixed this before by copying . . .

Adam Mack:
Anyone know how to solve this when using kubeadm? I fixed this before by copying the master's config file from ~/.kube/config to the worker nodes and that worked for a bit, but now all of a sudden this error is popping up again after a few days:

amack@k8s-worker1:~$ kubectl get nodes
Unable to connect to the server: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")

I can get it to work by copying the contents of $HOME/.kube/config from the master to the workers, but I’d rather have it more stable instead of having to use Ansible to copy this file over every X hours.

Fernando Jimenez:
Hi @Adam Mack.
It is a bit unusual that you would want to set up every worker node with administrator access to the cluster. I do not know if that’s what you want or if that’s what you think needs to happen.
You do not even need to set up the master node with a local kubectl client. In the initiation, kubeadm will create an administrator access kubeconfig file. That file can be copied to any workstation that you wish to use as a client with all the privileges associated with it.

Fernando Jimenez:
For convenience, you might have seen tutorials out there that will set up the master node with kubectl client access, but that’s hardly production grade. It is for learning. In fact, kubeadm is mostly for assisting in setting up a learning k8s cluster.

Adam Mack:
And that is what this cluster is for, primarily learning and using for studying the CKAD.

I think my problem was seeing if the pods were being distributed across the cluster and that led me to checking on the worker nodes to see if the pods were there.

So if the nodes are showing Ready on the Master node then should I even need to worry about worker nodes and using kubectl?

Fernando Jimenez:
You do not need to set up a kubectl client in any node of the cluster. You still need to install the kubectl binary because it is a dependency of kubeadm, but you do not need to configure it as a client.
If you do not want to have another machine set up for just accessing the kube-apiserver, the most common choice is to do it in the control plane or master node.

Fernando Jimenez:
Just one machine with access to the kube-apiserver is enough. :wink:

Adam Mack:
That makes total sense. Thank you for your help, Fernando!