Common Cluster Issues
Cluster Details Page Indicates ApiServer Self-Signed HTTPS Certificate Expired
What certificate has expired
The apiserver-loopback-client certificate is used for communication between management components such as kube-scheduler, kube-controller-manager and kube-apiserver on the same node. An expired certificate may affect communication between management components and cause problems such as the inability to create Pods.
For background, see the [Kubernetes community's official explanation of this issue](https://github.com/kubernetes/kubernetes/issues/86552).
How to check the certificate
The apiserver-loopback-client certificate is stored in the memory of kube-apiserver. It is generated automatically when the service starts and is not written to a file. To view the certificate, log in to a master node and run:
curl --resolve apiserver-loopback-client:6443:127.0.0.1 -k -v https://apiserver-loopback-client:6443 2>&1| grep -i 'server certificate' -A5
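The following script is an added example, not part of the original page or of UK8S tooling: it parses the `Server certificate` lines printed by the command above and reports how many days remain before the loopback certificate expires. The sample output, the 30-day warning threshold, the `--live` switch and the function names are assumptions made for illustration; the date format assumed is the one curl prints when built against OpenSSL.

```python
import re
import subprocess
import sys
from datetime import datetime, timezone

# The page's command; --resolve makes curl send this name in the TLS handshake.
CURL = ["curl", "--resolve", "apiserver-loopback-client:6443:127.0.0.1",
        "-k", "-v", "https://apiserver-loopback-client:6443"]

# Constructed sample of the curl -v lines (OpenSSL-style dates), not real output.
SAMPLE = """\
* Server certificate:
*  subject: CN=apiserver-loopback-client@1700000000
*  start date: Nov 14 22:13:20 2023 GMT
*  expire date: Nov 13 22:13:20 2024 GMT
*  issuer: CN=apiserver-loopback-client-ca@1700000000
"""
FIELD = re.compile(r"^\*\s+(subject|expire date):\s*(.+?)\s*$", re.M)

def parse_expiry(curl_output):
    """Return the loopback certificate's expiry as an aware UTC datetime."""
    _, found, tail = curl_output.partition("Server certificate:")
    fields = dict(reversed(FIELD.findall(tail)))  # first occurrence wins
    if not found or "expire date" not in fields:
        raise ValueError("no server certificate block in curl output")
    if "apiserver-loopback-client" not in fields.get("subject", ""):
        # Another certificate answered (e.g. the normal serving cert).
        raise ValueError("unexpected subject: %r" % fields.get("subject"))
    expiry = datetime.strptime(fields["expire date"], "%b %d %H:%M:%S %Y GMT")
    return expiry.replace(tzinfo=timezone.utc)

def check(curl_output, now=None, warn_days=30):
    """Return (status, whole days left); warn_days is an assumed threshold."""
    now = now or datetime.now(timezone.utc)
    days = (parse_expiry(curl_output) - now).days
    if days < 0:
        return "EXPIRED", days
    return ("EXPIRING" if days < warn_days else "OK"), days

if __name__ == "__main__":
    text = SAMPLE
    if "--live" in sys.argv:  # run on a master node
        proc = subprocess.run(CURL, capture_output=True, text=True)
        text = proc.stderr + proc.stdout  # curl -v logs to stderr
    status, days = check(text)
    print(f"apiserver-loopback-client: {status} ({days} days left)")
    sys.exit(0 if status == "OK" else 1)
```

Run without arguments it evaluates the constructed sample; with `--live` on a master node it runs the curl command and exits non-zero when the certificate is expired or inside the warning window.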
How to solve
Log in to each master node one by one and restart the kube-apiserver service (systemctl restart kube-apiserver). The restart will not affect online business, but note the following:
- Do not make business releases or changes during the restart.
- Restart one by one. You cannot restart two or more masters at the same time.
Managed UK8S users cannot restart the apiserver themselves. Please contact the UK8S team.