
Solution to kubeconfig error

Problem Description

After setting up kubectl, the customer encountered errors when using kubeconfig as prompted by the SKE interface.

Alert Information

  • Scenario 1: Error message: no such hosts
  • Scenario 2: Error message: unable to connect to the server x509: certificate is valid for xxx not ske-demo-wonl.ske-usercluster

Effective Troubleshooting Steps

  • Scenario 1: The error message indicates missing domain name resolution. Domain name resolution needs to be set up locally.
  • Scenario 2: This error means the apiserver certificate does not cover the domain name specified in kubeconfig. Normally, the SKE apiserver certificate allows access for *.ske-usercluster, so the error might indicate an abnormal environment.
    • Check which domains SKE supports by going to the Kubernetes cluster master backend and listing the certificate's Subject Alternative Names:
      cd /etc/kubernetes/pki && openssl x509 -in apiserver.crt -noout -text | grep -A 2 'Alternative'
    • Use a supported domain name instead, such as kubernetes.default

Root Cause

Scenario 1: The guide in the kubeconfig interface lacks domain resolution instructions.

Scenario 2: Abnormal scenarios due to upgrades or other reasons.

Solution

Scenario 1: This indicates that the domain name has not been resolved to the cluster VIP. You need to configure the domain name to the corresponding cluster VIP.

  • To configure the domain name in kubeconfig, resolve xxxxxxxx.ske-usercluster to the cluster VIP.
  • The cluster VIP can be obtained by going to Cluster Management → Select the corresponding cluster from the top left corner where the cluster status is displayed (if you do not have cluster permissions, please contact someone with cluster permissions to provide the cluster VIP).
  • The server domain name in the kubeconfig file can be retrieved from the file itself.

After configuration, you can ping xxxxxxxx.ske-usercluster to confirm if it can be reached. If so, kubectl will use it to connect to the cluster's apiserver, and kubectl will then work properly.

Scenario 2: This indicates that the domain name used in kubeconfig is not among the names the apiserver certificate supports.

One of the supported domain names is kubernetes.default. You can manually change the server domain name in kubeconfig to this name. Ensure kubernetes.default resolves locally to the cluster VIP or the master node IP.
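
The Scenario 2 check, as an added example that is not part of the original article: it reads the server name from a kubeconfig and tests it against the DNS entries printed by the openssl command above, treating a wildcard as exactly one leading label. The kubeconfig, the certificate text and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example. Both samples below are constructed, not taken from a real cluster.
SAMPLE_KUBECONFIG='clusters:
- cluster:
    server: https://ske-demo-wonl.ske-usercluster:6443
  name: demo'
SAMPLE_CERT_TEXT='            X509v3 Subject Alternative Name:
                DNS:kubernetes, DNS:kubernetes.default, DNS:*.ske-usercluster, IP Address:10.96.0.1'

# Print the host of the first "server:" URL in a kubeconfig read from stdin.
kubeconfig_host() {
    sed -n 's|^[[:space:]]*server:[[:space:]]*https://\([^:/]*\).*|\1|p' | head -n 1
}

# Print one DNS SAN per line from "openssl x509 -noout -text" output on stdin.
cert_dns_sans() {
    grep -A 1 'Subject Alternative Name' | tail -n +2 | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Succeed if name $1 is covered by SAN $2: exact match, or "*." standing for
# exactly one leading label (so *.ske-usercluster does not cover a.b.ske-usercluster).
san_matches() {
    name=$1 pattern=$2
    case $pattern in
        '*.'*)
            suffix=${pattern#\*}
            label=${name%"$suffix"}
            [ "$label" != "$name" ] && [ -n "$label" ] &&
                case $label in *.*) false ;; esac
            ;;
        *) [ "$name" = "$pattern" ] ;;
    esac
}

# Read certificate text on stdin; print "covered" or "not-covered" for name $1.
check_host() {
    sans=$(cert_dns_sans)
    while read -r entry; do
        if san_matches "$1" "$entry"; then echo covered; return 0; fi
    done <<EOF
$sans
EOF
    echo not-covered
    return 1
}

server=$(printf '%s\n' "$SAMPLE_KUBECONFIG" | kubeconfig_host)
printf '%s: ' "$server"
printf '%s\n' "$SAMPLE_CERT_TEXT" | check_host "$server" || true
```

On a master node, pipe the output of openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text into check_host in place of the sample text.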

Impact Scope

None

Is It a Temporary Solution?

Yes

Recommendations and Summary

  • The principle is to ensure that the domain name in kubeconfig accurately resolves to the address of the cluster VIP or the master node IP.

Troubleshooting Content

None

Original Link

https://support.sangfor.com.cn/cases/list?product_id=37&type=1&category_id=27850&isOpen=true