Kubernetes: Difference between revisions
| Line 14: | Line 14: | ||
In addition to standard Kubernetes objects, '''operators''' watch for and allow you to instantiate custom resources (CR). | In addition to standard Kubernetes objects, '''operators''' watch for and allow you to instantiate custom resources (CR). | ||
==Administration== | ==Kubeadm Administration== | ||
Notes on administering kubernetes clusters. | Notes on administering kubernetes clusters. | ||
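Review bot: The sentence under the renamed heading still reads "Notes on administering kubernetes clusters." although the heading now says ==Kubeadm Administration==. Either narrow that sentence to say the notes apply to kubeadm-managed clusters, or keep the general heading. While touching it, capitalize "Kubernetes" to match "standard Kubernetes objects" in the line above.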
| Line 205: | Line 205: | ||
To renew the certificates manually, run <code>kubeadm certs renew all</code> and restart your control plane services. | To renew the certificates manually, run <code>kubeadm certs renew all</code> and restart your control plane services. | ||
Note that if you lets the certificates expire, you will need to setup kubectl again. | Note that if you lets the certificates expire, you will need to setup kubectl again. | ||
Issues connecting with etcd | |||
I ran into this when trying to kubeadm upgrade | |||
;context deadline exceeded remote error: tls: bad certificate | |||
Kubeadm stores etcd certificates in <code>/etc/kubernetes/pki/etcd/</code>. | |||
Follow this to generate new certificates: https://github.com/etcd-io/etcd/issues/9785#issuecomment-432438748 | |||
You will need to create a temporary files for ca-config.json and server.json to generate new keys. | |||
Make sure in the server.json to set the key algo to "rsa" and size to 2048. In the same file, set your CN to 127.0.0.1 and the hosts to [127.0.0.1, your local IP]. | |||
;cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs | |||
This means your hosts in server.json is not correct when you generated the new keys. | |||
===Pods per node=== | ===Pods per node=== | ||
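Review bot: The etcd troubleshooting block, from "Issues connecting with etcd" through the IP SANs note, appears on only one side of this diff. That leaves one revision without any guidance for the "tls: bad certificate" and "doesn't contain any IP SANs" errors. If the block is meant to stay, give "Issues connecting with etcd" heading markup like ===Pods per node===. Name the tool that consumes ca-config.json and server.json, and summarize the steps from the linked GitHub comment on the page, so the procedure does not depend on an external link. Say that the regenerated files belong in <code>/etc/kubernetes/pki/etcd/</code>. In the unchanged context, "if you lets the certificates expire" should read "if you let", and "setup kubectl" should read "set up kubectl".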