Kubernetes error creating PKI assets: Certificate invalid

Peter Reynolds

9/11/23, 8:13 AM

I have an issue with joining my worker nodes into the three masters configured. It's worth noting I know very little about the networking side of this (I'd rather it was explained like I am five, so that I can be sure I don't miss anything.)

I've been following the guide located at: https://dockerlabs.collabnix.com/kubernetes/beginners/Install-and-configure-a-multi-master-Kubernetes-cluster-with-kubeadm.html with a few variations - the IP Addresses are different, and the configuration for kubeadm.k8s.io/v1alpha3 isn't supported by the current K8. I've updated to use kubeadm.k8s.io/v1beta3, although two tags from the initial config do not seem to have parallels (apiServerCertSANs and apiServerExtraArgs) and I don't know if those are essential. The Kubectl version I have is 1.24.0

Masters have been initialised with the message:

W0510 09:17:54.102466 8717 initconfiguration.go:306] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta3", Kind:"ClusterConfiguration"}: strict decoding error: unknown field "apiServerExtraArgs", unknown field "apiserver-cert-extra-sans" [init] Using Kubernetes version: v1.24.0 [preflight] Running pre-flight checks [preflight] Pulling images required for setting up a Kubernetes cluster [preflight] This might take a minute or two, depending on the speed of your internet connection [preflight] You can also perform this action in beforehand using 'kubeadm config images pull' [certs] Using certificateDir folder "/etc/kubernetes/pki" [certs] Generating "ca" certificate and key [certs] Generating "apiserver" certificate and key [certs] apiserver serving cert is signed for DNS names [kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local master1] and IPs [10.96.0.1 10.50.0.50 10.50.0.10] [certs] Generating "apiserver-kubelet-client" certificate and key [certs] Generating "front-proxy-ca" certificate and key [certs] Generating "front-proxy-client" certificate and key [certs] External etcd mode: Skipping etcd/ca certificate authority generation [certs] External etcd mode: Skipping etcd/server certificate generation [certs] External etcd mode: Skipping etcd/peer certificate generation [certs] External etcd mode: Skipping etcd/healthcheck-client certificate generation [certs] External etcd mode: Skipping apiserver-etcd-client certificate generation [certs] Generating "sa" key and public key [kubeconfig] Using kubeconfig folder "/etc/kubernetes" [kubeconfig] Writing "admin.conf" kubeconfig file [kubeconfig] Writing "kubelet.conf" kubeconfig file [kubeconfig] Writing "controller-manager.conf" kubeconfig file [kubeconfig] Writing "scheduler.conf" kubeconfig file [kubelet-start] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env" [kubelet-start] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml" [kubelet-start] Starting the kubelet [control-plane] Using manifest folder "/etc/kubernetes/manifests" [control-plane] Creating static Pod manifest for "kube-apiserver" [control-plane] Creating static Pod manifest for "kube-controller-manager" [control-plane] Creating static Pod manifest for "kube-scheduler" [wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests". This can take up to 4m0s [apiclient] All control plane components are healthy after 6.521293 seconds [upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace [kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster [upload-certs] Skipping phase. Please see --upload-certs [mark-control-plane] Marking the node master1 as control-plane by adding the labels: [node-role.kubernetes.io/control-plane node.kubernetes.io/exclude-from-external-load-balancers] [mark-control-plane] Marking the node master1 as control-plane by adding the taints [node-role.kubernetes.io/master:NoSchedule node-role.kubernetes.io/control-plane:NoSchedule] [bootstrap-token] Using token: 1w1x1s.7qwcr1m1e5hj3yp3 [bootstrap-token] Configuring bootstrap tokens, cluster-info ConfigMap, RBAC Roles [bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to get nodes [bootstrap-token] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials [bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token [bootstrap-token] Configured RBAC rules to allow certificate rotation for all node client certificates in the cluster [bootstrap-token] Creating the "cluster-info" ConfigMap in the "kube-public" namespace [kubelet-finalize] Updating "/etc/kubernetes/kubelet.conf" to point to a rotatable kubelet client certificate and key [addons] Applied essential addon: CoreDNS [addons] Applied essential addon: kube-proxy

Your Kubernetes control-plane has initialized successfully!

But all three are listed in the nodes (as NotReady admittedly but I believe that is because I have not deployed something like Calico) and I have reached the point of trying to add in the worker nodes. running the provided join command first gets me the error:

[preflight] Running pre-flight checks [preflight] Reading configuration from the cluster... [preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' error execution phase preflight: One or more conditions for hosting a new control plane instance is not satisfied.

[failure loading certificate for CA: couldn't load the certificate file /etc/kubernetes/pki/ca.crt: open /etc/kubernetes/pki/ca.crt: no such file or directory, failure loading key for service account: couldn't load the private key file /etc/kubernetes/pki/sa.key: open /etc/kubernetes/pki/sa.key: no such > > file or directory, failure loading certificate for front-proxy CA: couldn't load the certificate file /etc/kubernetes/pki/front-proxy-ca.crt: open /etc/kubernetes/pki/front-proxy-ca.crt: no such file or directory]

Please ensure that:

The cluster has a stable controlPlaneEndpoint address.

The certificates that must be shared among control plane instances are provided.

To see the stack trace of this error execute with --v=5 or higher

To fix this, I copied the certificates from one of the master onto the worker at /etc/kubernetes/pki/ I then ran the join again, and got the following error:

[preflight] Running pre-flight checks [preflight] Reading configuration from the cluster... [preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' [preflight] Running pre-flight checks before initializing the new control plane instance error execution phase preflight: [preflight] Some fatal errors occurred: [ERROR ExternalEtcdClientCertificates]: /etc/etcd/ca.pem doesn't exist [ERROR ExternalEtcdClientCertificates]: /etc/etcd/kubernetes.pem doesn't exist [ERROR ExternalEtcdClientCertificates]: /etc/etcd/kubernetes-key.pem doesn't exist [preflight] If you know what you are doing, you can make a check non-fatal with --ignore-preflight-errors=... To see the stack trace of this error execute with --v=5 or higher

Again, I copied the certificates from the master at /etc/etcd/ . Finally, I get this error:

[preflight] Running pre-flight checks [preflight] Reading configuration from the cluster... [preflight] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml' [preflight] Running pre-flight checks before initializing the new control plane instance [preflight] Pulling images required for setting up a Kubernetes cluster [preflight] This might take a minute or two, depending on the speed of your internet connection [preflight] You can also perform this action in beforehand using 'kubeadm config images pull' [certs] Using certificateDir folder "/etc/kubernetes/pki" [certs] Using the existing "front-proxy-client" certificate and key error execution phase control-plane-prepare/certs: error creating PKI assets: failed to write or validate certificate "apiserver": certificate apiserver is invalid: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, master2, not worker1 To see the stack trace of this error execute with --v=5 or higher

If I copy the certificates from a given master it shows up as valid for that master (master2 above). How do I generate/use certificates on the worker as it seems these are generated by the INIT command, rather than the JOIN command?

As a potential solution I looked at turning off SSL internally, as per this post https://stackoverflow.com/questions/60970744/how-to-run-kubernetes-without-ssl-network but I cannot find the relevant sections in my YAML to amend. I'd rather run with SSL if I can, but I'm open for how to disable it if required.

0 + 0

ssl

kubernetes

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Kubernetes error creating PKI assets: Certificate invalid

TH: ข้อผิดพลาดของ Kubernetes ในการสร้างเนื้อหา PKI: ใบรับรองไม่ถูกต้อง

RO: Eroare Kubernetes la crearea activelor PKI: certificat nevalid

RU: Ошибка Kubernetes при создании ресурсов PKI: недействительный сертификат

VI: Kubernetes error creating PKI assets: Certificate invalid

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.