1
votes

Trying to install kubernetes dashboard in Ubuntu 16.04 resulting in x509: certificate signed by unknown authority error.

Kubernetes cluster with a single node is running fine and deployments are happening too.

Tried enabling apiserver-host property in kubernetes-dashboard.yaml file without any lock.

kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/aio/deploy/recommended/kubernetes-dashboard.yaml Unable to connect to the server: x509: certificate signed by unknown authority

Any suggestions.

Output from kubectl get all -n kube-system

NAME                                         READY   STATUS    RESTARTS   AGE
pod/calico-node-6dgkc                        2/2     Running   4          4d23h
pod/calico-node-v8xjr                        2/2     Running   0          2d4h
pod/coredns-fb8b8dccf-8jznp                  1/1     Running   2          4d23h
pod/coredns-fb8b8dccf-pl87d                  1/1     Running   2          4d23h
pod/etcd-ets-kubernetes                      1/1     Running   2          4d23h
pod/kube-apiserver-ets-kubernetes            1/1     Running   2          4d23h
pod/kube-controller-manager-ets-kubernetes   1/1     Running   2          4d23h
pod/kube-proxy-24qjz                         1/1     Running   0          2d4h
pod/kube-proxy-ccqpn                         1/1     Running   2          4d23h
pod/kube-scheduler-ets-kubernetes            1/1     Running   2          4d23h

NAME                   TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                  AGE
service/calico-typha   ClusterIP   10.110.39.31   <none>        5473/TCP                 4d23h
service/kube-dns       ClusterIP   10.96.0.10     <none>        53/UDP,53/TCP,9153/TCP   4d23h
Error from server (Forbidden): replicationcontrollers is forbidden: User "system:node:ets-kubernetes" cannot list resource "replicationcontrollers" in API group "" in the namespace "kube-system"
Error from server (Forbidden): daemonsets.apps is forbidden: User "system:node:ets-kubernetes" cannot list resource "daemonsets" in API group "apps" in the namespace "kube-system"
Error from server (Forbidden): deployments.apps is forbidden: User "system:node:ets-kubernetes" cannot list resource "deployments" in API group "apps" in the namespace "kube-system"
Error from server (Forbidden): replicasets.apps is forbidden: User "system:node:ets-kubernetes" cannot list resource "replicasets" in API group "apps" in the namespace "kube-system"
Error from server (Forbidden): statefulsets.apps is forbidden: User "system:node:ets-kubernetes" cannot list resource "statefulsets" in API group "apps" in the namespace "kube-system"
Error from server (Forbidden): horizontalpodautoscalers.autoscaling is forbidden: User "system:node:ets-kubernetes" cannot list resource "horizontalpodautoscalers" in API group "autoscaling" in the namespace "kube-system"
Error from server (Forbidden): jobs.batch is forbidden: User "system:node:ets-kubernetes" cannot list resource "jobs" in API group "batch" in the namespace "kube-system"
Error from server (Forbidden): cronjobs.batch is forbidden: User "system:node:ets-kubernetes" cannot list resource "cronjobs" in API group "batch" in the namespace "kube-system"

Output from kubectl get nodes

NAME             STATUS   ROLES    AGE     VERSION
ets-kubernetes   Ready    master   4d23h   v1.14.1
ets-node         Ready    <none>   2d4h    v1.14.1

Kubectl output.PNG enter image description here

Certificate Error.PNG enter image description here

1

1 Answers

0
votes

It would be better if you would specify how did you deploy your cluster but, try to regenerate your cluster certificates. If you used kubeadm then from control plane node you can run

kubeadm alpha certs renew

For more info check this

EDIT according to update on original post:

According your updated output, as you can see from the events, somehow there are many lines like:

User "system:node:ets-kubernetes" cannot list resource .........

It means, above user doesn't have relevant role to do those actions on specified resources.

To fix this you have to create relevant Role and RoleBindings for this user. You can get more info from official Using RBAC Authorization documentation