I have installed Kubernetes 1.29.6 using this command on CentOS 8:

kubeadm init \
--apiserver-advertise-address 0.0.0.0 \
--apiserver-bind-port 6443 \
--cert-dir /etc/kubernetes/pki \
--control-plane-endpoint 172.31.227.20 \
--image-repository registry.cn-hangzhou.aliyuncs.com/google_containers \
--kubernetes-version 1.29.6 \
--pod-network-cidr 10.11.0.0/16 \
--service-cidr 10.20.0.0/16 \
--service-dns-domain cluster.local \
--upload-certs \
--v=6

Now I can access Kubernetes on the host machine of the remote cloud server. Next I want to access Kubernetes from the internet. It shows this error:

E0629 22:41:40.693878 4368 proxy_server.go:147] Error while proxying request: x509: certificate is valid for 10.96.0.1, 172.31.227.20, not 120.27.115.168

Failed to get /version for clusterId=1381a4913cf79a915992555d81b1a749: Internal Server Error

E0629 22:42:00.415927 4368 proxy_server.go:147] Error while proxying request: x509: certificate is valid for 10.96.0.1, 172.31.227.20, not 120.27.115.168

Failed to get /version for clusterId=1381a4913cf79a915992555d81b1a749: Internal Server Error

E0629 22:42:10.756268 4368 proxy_server.go:147] Error while proxying request: x509: certificate is valid for 10.96.0.1, 172.31.227.20, not 120.27.115.168

Failed to get /version for clusterId=1381a4913cf79a915992555d81b1a749: Internal Server Error

E0629 22:42:30.414569 4368 proxy_server.go:147] Error while proxying request: x509: certificate is valid for 10.96.0.1, 172.31.227.20, not 120.27.115.168

Failed to get /version for clusterId=1381a4913cf79a915992555d81b1a749: Internal Server Error

E0629 22:42:40.746838 4368 proxy_server.go:147] Error while proxying request: x509: certificate is valid for 10.96.0.1, 172.31.227.20, not 120.27.115.168

It looks like this certificate only works for some specific hosts. How do I make the certificate work for the whole internet? I have tried using the HTTPS domain to forward the request and configured it in the client config file like this:

➜  .kube cat admin.conf
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURaZVYzeU9yT2Jsd2k2Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
    server: https://kubernetes.poem.com
  name: kubernetes

It still does not work. This is the remote OpenResty forwarding config:

[root@iZm5e2jhfbrshckqh6qdbuZ conf.d]# cat kubernetes.conf
server {
        listen       443 ssl;
        server_name  kubernetes.poem.com;

        ssl_certificate /etc/letsencrypt/live/poem/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/poem/privkey.pem;

        location / {
            client_max_body_size 1m;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP 192.210.203.237;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_read_timeout 3600;
            proxy_pass https://172.31.227.20:6443;
        }
}

I also tried to edit the certSANs:

[root@iZm5e2jhfbrshckqh6qdbuZ .kube]# kubectl -n kube-system get configmap kubeadm-config -o yaml
apiVersion: v1
data:
  ClusterConfiguration: |
    apiServer:
      certSANs:
      - 10.96.0.1
      - 172.31.227.20
      - 120.27.115.168
      - 127.0.0.1
      - kubernetes.poem.com
      extraArgs:
        authorization-mode: Node,RBAC
      timeoutForControlPlane: 4m0s
    apiVersion: kubeadm.k8s.io/v1beta3
    certificatesDir: /etc/kubernetes/pki
    clusterName: kubernetes
    controllerManager: {}
    dns: {}
    etcd:
      local:
        dataDir: /var/lib/etcd
    imageRepository: registry.aliyuncs.com/google_containers
    kind: ClusterConfiguration
    kubernetesVersion: v1.29.6
    networking:
      dnsDomain: cluster.local
      podSubnet: 10.244.0.0/16
      serviceSubnet: 10.96.0.0/12
    scheduler: {}
kind: ConfigMap
metadata:
  creationTimestamp: "2024-06-29T09:16:34Z"
  name: kubeadm-config
  namespace: kube-system
  resourceVersion: "30605"
  uid: 0601d1b3-89bb-4541-9fd8-4662a661f663
