letthefireflieslive

Reputation: 12674

What should be configured when placing a load balancer in front of k8s master(s)

I have a running cluster with a single master. A load balancer (kube.company.com) is configured to accept traffic at 443 and forward it to the k8s master at 6443.

I tried to change my ~/.kube/config server field definition from $masterIP:6443 to kube.company.com:443.

It throws the error x509: certificate signed by unknown authority.

I guess there should be some configuration that should be done to make this work; I just can't find it in the official docs.

This is a bare metal setup using k8s version 1.21.2, containerd in a RHEL env. The load balancer is nginx. The cluster is installed via kubeadm.

Upvotes: 1

Views: 230

Answers (1)

whites11

Reputation: 13260

When using kubeadm to deploy a cluster, if you want to use a custom name to access the Kubernetes API Server, you need to specify the --apiserver-cert-extra-sans flag of kubeadm init.

Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate. Can be both IP addresses and DNS names.

This is untested, but theoretically if you want to do this on an existing cluster, you should be able to log in to every master node and run this:

# remove current apiserver certificates
sudo rm /etc/kubernetes/pki/apiserver.*

# generate new certificates
sudo kubeadm init phase certs apiserver --apiserver-cert-extra-sans=<your custom dns name here>

Upvotes: 1
