âĒ Back
đ Adding new hostnames to access a Kubernetes cluster's apiserver through
If you're self-hosting a Kubernetes cluster, you may wish to add more hosts (SANs) to your apiserver certificate. The API server will complain if it's attempting to be accessed from a host which is not declared in the apiserver certificate.
Note
- This tutorial presumes an already deployed cluster
- Steps with the title ending in
[!]mean that the step should be repeated on each node - There may be a better and easier way to do this - but this is what I've come up with
- This whole process should not affect the operation of the pods in your cluster
Steps
Download and backup your kubeadm cluster config
kubeadm config view > kubeadm.yaml
# make a backup for the config
cp kubeadm.yaml kubeadm.yaml.bakAdd new apiserver SANs to your kubeadm config
Open your kubeadm.yaml file and add inside of apiServer the field (type array) certSANs. Add the first value as what you'd like to access the apiserver with - For this example I've set test.a.local.
apiServer:
certSANs:
- test.a.local
extraArgs:
authorization-mode: Node,RBAC
timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManager: {}
dns:
type: CoreDNS
etcd:
local:
dataDir: /var/lib/etcd
imageRepository: registry.opensuse.org/kubic
kind: ClusterConfiguration
kubernetesVersion: v1.17.0
networking:
dnsDomain: cluster.local
podSubnet: 10.244.0.0/16
serviceSubnet: 10.96.0.0/12
scheduler: {}Note; The manifest above is my full openSUSE Kubic default kubeadm with certSANs added (and a host)
Upgrade your cluster with the fresh kubeadm [!]
This will 'upgrade' your kubeadm cluster to use the new kubeadm definition.
kubeadm upgrade apply --config=kubeadm.yaml
Remove the old certificates [!]
Deleting the old certificates cannot be undone. Since the kubeadm config has been updated they may not be able to be used anyhow.
rm /etc/kubernetes/pki/apiserver.*
Regenerate the apiserver certificates by running the kubeadm init for the certs phase [!]
Only initialize the apiserver certs.
kubeadm init phase certs apiserver --config=kubeadm.yamlDelete the apiserver Pod, so it recreates and restarts [!?]
This step may or may not be required for all nodes (I haven't tested it).
# find the pod
KUBE_APISERVER_NAME=$(kubectl -n kube-system get pods -l component=kube-apiserver -o=jsonpath='{.items[0].metadata.name}')
kubectl -n kube-system delete pod $KUBE_APISERVER_NAMELinks and references