
Common Cluster Issues

The cluster details page warns that the self-signed HTTPS certificate of the API server has expired

Which certificate has expired

The expired certificate is the apiserver-loopback-client certificate, which is used for communication between management components (such as kube-scheduler and kube-controller-manager) and kube-apiserver on the same node. Once it expires, communication between these components is affected, which can cause problems such as Pods failing to be created normally.

For details, see the [Kubernetes community's official explanation of this issue](https://github.com/kubernetes/kubernetes/issues/86552).

How to check the certificate

The apiserver-loopback-client certificate is generated automatically when the kube-apiserver service starts and is held only in the memory of kube-apiserver; it is not written to a file. To view the certificate:

Log in to a master node and run:

curl --resolve apiserver-loopback-client:6443:127.0.0.1 -k -v https://apiserver-loopback-client:6443 2>&1| grep -i 'server certificate' -A5
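
As an added example (not part of the UK8S documentation), the following POSIX shell script reads the same certificate with openssl and reports how much validity is left. It assumes openssl and GNU date are installed on the master node and that kube-apiserver listens on 127.0.0.1:6443 as in the command above; WARN_DAYS and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report the remaining validity of the in-memory
# apiserver-loopback-client certificate on this master node.
# Assumptions: openssl and GNU date are installed; kube-apiserver listens on
# 127.0.0.1:6443; WARN_DAYS is a hypothetical threshold, not a UK8S setting.
WARN_DAYS="${WARN_DAYS:-30}"

# Print the notAfter date of the certificate served for the loopback SNI name.
# Equivalent to the curl --resolve command, but yields only the expiry field.
loopback_not_after() (
  openssl s_client -connect 127.0.0.1:6443 \
      -servername apiserver-loopback-client </dev/null 2>/dev/null |
    openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
)

# classify_expiry "<notAfter>" [now_epoch] -> "<STATE> <whole days left>"
# STATE is EXPIRED, EXPIRING (inside WARN_DAYS) or OK.
classify_expiry() (
  end=$(date -u -d "$1" +%s) || exit 2
  now=${2:-$(date -u +%s)}
  left=$(( end - now ))
  # Compare seconds, not days: integer division would round -12h up to 0 days.
  if [ "$left" -le 0 ]; then state=EXPIRED
  elif [ "$left" -lt $(( WARN_DAYS * 86400 )) ]; then state=EXPIRING
  else state=OK
  fi
  echo "$state $(( left / 86400 ))"
)

# Exit status: 0 = OK, 1 = EXPIRED or EXPIRING, 3 = certificate not readable.
check_loopback_cert() (
  not_after=$(loopback_not_after)
  if [ -z "$not_after" ]; then
    echo "UNKNOWN: no certificate read from 127.0.0.1:6443" >&2
    exit 3
  fi
  result=$(classify_expiry "$not_after") || exit 3
  echo "${result%% *}: notAfter=$not_after (${result##* } days left)"
  [ "${result%% *}" = OK ]
)

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
  check_loopback_cert
fi
```

Run it with `--check` on each master node. Because the certificate is regenerated when kube-apiserver starts, the reported notAfter date should move forward after the restart described below.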

Solutions

Log in to each master node in turn and restart the kube-apiserver service (systemctl restart kube-apiserver). The restart does not affect online business. Notes:

  1. Do not perform business releases, changes, or similar operations during the restart.
  2. Restart the masters one at a time. Never restart two or more masters at the same time.

Managed UK8S users cannot restart kube-apiserver themselves. Please contact the UK8S team.