Roberto Sebastiano:
Hi, another problem with Kubernetes the Hard Way. Following everything exactly word-by-word, I arrive at 14-dns-addon.md, where I run busybox. For debugging I have one busybox running on worker-1 and one on worker-2.

[email protected]:~ kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
busybox 1/1 Running 0 40m worker-2 <none> <none>
busybox-w1 1/1 Running 0 11m worker-1 <none> <none>

Then I do:
[email protected]:~ kubectl exec -ti busybox-w1 -- nslookup kubernetes
error: unable to upgrade connection: Forbidden (user=kube-apiserver, verb=create, resource=nodes, subresource=proxy)
I solved this by running:
kubectl create clusterrolebinding apiserver-kubelet-admin --user=kube-apiserver --clusterrole=system:kubelet-api-admin
and now worker-1 works:
[email protected]:~ kubectl exec -ti busybox-w1 -- nslookup kubernetes
Server:
Address 1: kube-dns.kube-system.svc.cluster.local

(Note that I applied the 13-kube-apiserver-to-kubelet.md commands before the fix above.)

Now worker-2 instead has problems with TLS certificates; the same command gives this error:
[email protected]:~ kubectl exec -ti busybox -- nslookup kubernetes
Error from server: error dialing backend: x509: certificate signed by unknown authority

How to fix this? Can anyone help? If you follow the GitHub documentation you arrive at the same issue above.

Thank you,

Roberto Sebastiano:
Similar issue here: https://github.com/mmumshad/kubernetes-the-hard-way/issues/207

Roberto Sebastiano:
I think the problem is that in my case there is no CSR to approve on the master server. The worker-2 creates a certificate on its own without requesting a CSR, it seems. Any help?

Roberto Sebastiano:
I had to replace --rotate-certificates with --rotate-server-certificates in the kubelet systemd service in order to have a CSR to approve on the master node. Now it works. Can someone confirm this and update the documentation? Should I open an issue on GitHub? Is it still maintained?


You are right. I faced the same issue and I solved the issue as you solved the problem.
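
Once the kubelet requests its serving certificate through the API, as in the fix described above, each request appears in `kubectl get csr` and has to be approved by hand. The shell sketch below is an added example, not part of the original thread: it triages that output so that only pending kubelet-serving requests coming from node identities are proposed for approval. The sample output, CSR names and function names are constructed, and it assumes a kubectl version that prints the SIGNERNAME column.

```bash
# Constructed sample of `kubectl get csr` output; names, ages and requestors are made up.
SAMPLE_CSR_OUTPUT='NAME        AGE   SIGNERNAME                                    REQUESTOR                               REQUESTEDDURATION   CONDITION
csr-7x2kq   2m    kubernetes.io/kubelet-serving                 system:node:worker-2                    <none>              Pending
csr-b9dfl   41m   kubernetes.io/kube-apiserver-client-kubelet   system:bootstrap:07401b                 <none>              Approved,Issued
csr-q4wzn   1m    kubernetes.io/kubelet-serving                 system:serviceaccount:default:builder   <none>              Pending
csr-m8t5c   3m    kubernetes.io/kubelet-serving                 system:node:worker-1                    <none>              Approved,Issued'

# Reads `kubectl get csr` text on stdin. For every pending kubelet-serving CSR prints
#   APPROVE <csr> <node>      when the requestor is a node identity (system:node:<name>)
#   REVIEW  <csr> <requestor> when anything else asked for a kubelet serving certificate
# Exits with status 2 if the header lacks the columns it relies on.
triage_serving_csrs() {
  awk '
    NR == 1 {
      # Locate columns by header name so column order does not matter.
      for (i = 1; i <= NF; i++) col[$i] = i
      s = col["SIGNERNAME"]; q = col["REQUESTOR"]; c = col["CONDITION"]
      if (!s || !q || !c) { bad = 1; exit }
      next
    }
    $s == "kubernetes.io/kubelet-serving" && $c == "Pending" {
      r = $q
      if (r ~ /^system:node:[a-z0-9.-]+$/) {
        sub(/^system:node:/, "", r)
        print "APPROVE", $1, r
      } else {
        print "REVIEW", $1, r
      }
    }
    END { if (bad) exit 2 }'
}

# Prints the approval commands for the operator to run; nothing is executed here.
approval_commands() {
  triage_serving_csrs | awk '$1 == "APPROVE" { print "kubectl certificate approve " $2 }'
}

# Demo on the constructed sample; on a live cluster use: kubectl get csr | triage_serving_csrs
printf '%s\n' "$SAMPLE_CSR_OUTPUT" | triage_serving_csrs
```

A REVIEW line means a non-node identity requested a kubelet serving certificate; confirm the requestor and the names in the request before approving it.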