Configure AWS publicIP for a Master in Kubernetes

Posted by 隐身守侯 on 2020-01-05 04:00:29

Question


I created a master cluster with the following command:

kubeadm init --pod-network-cidr $CALICO_NETWORK

Now it is listening on the internal IP 10.3.8.23:6443, which is OK because I want the master to use the internal IP to communicate with the nodes.

Now I want to access the cluster using the public IP and I get the following error:

http: proxy error: x509: certificate is valid for 10.96.0.1, 10.3.8.23, not for 18.230.*.*.

How can I generate an additional certificate for the public IP?

I need to use the public IP in order to access the dashboard using the browser.

I installed it using: https://github.com/kubernetes/dashboard


Answer 1:


If you don't want to recreate your cluster you can also do what's described here: Invalid x509 certificate for kubernetes master

For K8s 1.7 and earlier:

rm /etc/kubernetes/pki/apiserver.*
kubeadm alpha phase certs selfsign \
  --apiserver-advertise-address=0.0.0.0 \
  --cert-altnames=10.96.0.1 \
  --cert-altnames=10.3.8.23 \
  --cert-altnames=18.230.x.x  # <== Public IP
docker rm -f `docker ps -q -f 'name=k8s_kube-apiserver*'`
systemctl restart kubelet

For K8s 1.8 and newer:

rm /etc/kubernetes/pki/apiserver.*
kubeadm alpha phase certs all \
  --apiserver-advertise-address=0.0.0.0 \
  --apiserver-cert-extra-sans=10.96.0.1,10.3.8.23,18.230.x.x # <== Public IP
docker rm -f `docker ps -q -f 'name=k8s_kube-apiserver*'`
systemctl restart kubelet

And you can also add a DNS name with the --apiserver-cert-extra-sans option.




Answer 2:


If you want to get access to your cluster using the public IP, you can pass the IP with the kubeadm init command. Like:

kubeadm init --apiserver-cert-extra-sans=private-ip,public-ip \
  --pod-network-cidr $CALICO_NETWORK \
  --apiserver-advertise-address=private-ip
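
To confirm which addresses the API server certificate actually covers, before and after regenerating it, the SAN list can be read with openssl. The script below is an added example, not part of the original question or answers; the function names are hypothetical, and the sample certificate text and the address 203.0.113.10 are constructed.

```shell
#!/bin/sh
# Added example: check whether an IP or DNS name is listed in a certificate's
# Subject Alternative Name (SAN) extension. Function names are hypothetical.

# Read `openssl x509 -noout -text` output on stdin and print one SAN value
# per line, with the "IP Address:" / "DNS:" prefix removed.
san_entries() {
    awk '
        found {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                v = parts[i]
                sub(/^[ \t]+/, "", v)
                sub(/^(IP Address|DNS):/, "", v)
                sub(/[ \t]+$/, "", v)
                if (v != "") print v
            }
            exit
        }
        /X509v3 Subject Alternative Name/ { found = 1 }
    '
}

# Exit 0 only on an exact match, so 10.3.8.2 does not match 10.3.8.23.
san_covers() {
    san_entries | grep -Fxq -- "$1"
}

# Same check against a certificate file on disk.
cert_covers() {
    openssl x509 -in "$1" -noout -text | san_covers "$2"
}

# Constructed sample: SAN section as in the question's error message.
sample_before() {
    printf '%s\n' '            X509v3 Subject Alternative Name: ' \
        '                DNS:kubernetes, DNS:kubernetes.default, IP Address:10.96.0.1, IP Address:10.3.8.23'
}

# Constructed sample: after adding a public IP (203.0.113.10 is a placeholder).
sample_after() {
    printf '%s\n' '            X509v3 Subject Alternative Name: ' \
        '                DNS:kubernetes, IP Address:10.96.0.1, IP Address:10.3.8.23, IP Address:203.0.113.10'
}

# On the master: sh check_san.sh /etc/kubernetes/pki/apiserver.crt <public-ip>
if [ "$#" -eq 2 ]; then
    if cert_covers "$1" "$2"; then echo "covered: $2"; else echo "NOT covered: $2"; fi
fi
```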


Source: https://stackoverflow.com/questions/52859876/configure-aws-publicip-for-a-master-in-kubernetes
