disha rajpal:
Hi, Please help me with this question. I tried to solve it but no go.
The kube-api server stopped again! Check it out. Inspect the kube-api server logs and identify the root cause and fix the issue.
Run docker ps -a command to identify the kube-api server container.
Run docker logs container-id command to view the logs.
Ashok Kumar:
Hey Disha
Check for the exited api-server container using
docker ps --filter "status=exited"
then look for the api-server container id and use
docker logs <container_id>
Read all the log lines one by one; somewhere you would encounter a message such as “certificate is invalid” when connecting to etcd.
This should give you a hint where you should be looking next 🙂
- docker ps -a
check kube-apiserver container id
- docker logs container id
- check logs
- logs : “transport: authentication handshake failed: x509: certificate signed by unknown authority”.
Reconnecting…
- certificate error → cat /etc/kubernetes/manifests/kube-apiserver.yaml
- --client-ca-file=/etc/kubernetes/pki/ca.crt
--etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
openssl x509 -in <crt or key path> -text
e.g. openssl x509 -in /etc/kubernetes/pki/ca.crt -text
check CN
- /etc/kubernetes/pki/ca.crt CN → kubernetes
/etc/kubernetes/pki/apiserver-etcd-client.crt CN → etcd-ca
- openssl x509 -in /etc/kubernetes/pki/etcd/ca.crt -text
CN → etcd-ca
- rewrite → vi /etc/kubernetes/manifests/kube-apiserver.yaml
--client-ca-file=/etc/kubernetes/pki/ca.crt → --client-ca-file=/etc/kubernetes/pki/etcd/ca.crt
I think CN is wrong etcd CA ca.crt
different from other etcd authentication CNs
I hope you understand
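
The CN comparison in the reply above can also be done as a chain check: openssl verify -CAfile reports whether a certificate was signed by a given CA, which is what the "certificate signed by unknown authority" log line is about. This is an added example, not part of the thread; it builds throwaway certificates in a temp directory (the CNs kubernetes and etcd-ca come from the thread; the client CN, file names and helper function names are assumptions) so it runs without a cluster.

```shell
#!/bin/sh
# Added example: find out which CA actually signed a certificate.
# Every certificate below is a constructed throwaway, not a cluster file.

# signed_by CA_FILE CERT_FILE -> exit status 0 if CERT_FILE chains to CA_FILE
signed_by() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_cn CERT_FILE -> prints the issuer's common name
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

# make_ca DIR NAME CN -> self-signed CA in DIR/NAME.crt and DIR/NAME.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_client DIR NAME CN CA_NAME -> certificate DIR/NAME.crt signed by CA_NAME
make_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.crt" -CAkey "$1/$4.key" \
    -CAcreateserial -days 1 -out "$1/$2.crt" 2>/dev/null
}

demo() {
  d=$(mktemp -d)
  make_ca "$d" cluster-ca kubernetes     # stands in for pki/ca.crt
  make_ca "$d" etcd-ca etcd-ca           # stands in for pki/etcd/ca.crt
  make_client "$d" etcd-client kube-apiserver-etcd-client etcd-ca
  echo "issuer CN: $(issuer_cn "$d/etcd-client.crt")"
  for ca in cluster-ca etcd-ca; do
    if signed_by "$d/$ca.crt" "$d/etcd-client.crt"; then
      echo "$ca.crt: chain OK"
    else
      echo "$ca.crt: certificate signed by unknown authority"
    fi
  done
  rm -rf "$d"
}
demo
```

On a control-plane node the same check can be pointed at the files named in the thread, for example signed_by /etc/kubernetes/pki/etcd/ca.crt /etc/kubernetes/pki/apiserver-etcd-client.crt.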