Technotes

Technotes for future me

kubectl error: You must be logged in to the server (Unauthorized) – how to fix

This error occurs when the kubectl client does not have the correct certificates to interact with the Kubernetes API Server. Every certificate has an expiry date. Kubernetes has mechanisms to update the certificate automatically.

I was getting the error You must be logged in to the server (Unauthorized) while executing the kubectl command. The command had been working perfectly in the cluster a few hours before, and no modifications had been made to the cluster.

You can use the following command to check the expiry details of the certificates used internally in the Kubernetes cluster. If the certificates are expired, we need to renew the certificates.

kubeadm certs check-expiration
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 12, 2023 15:42 UTC   295d            ca                      no
apiserver                  Dec 12, 2023 15:40 UTC   295d            ca                      no
apiserver-etcd-client      Dec 12, 2023 15:40 UTC   295d            etcd-ca                 no
apiserver-kubelet-client   Dec 12, 2023 15:40 UTC   295d            ca                      no
controller-manager.conf    Dec 12, 2023 15:41 UTC   295d            ca                      no
etcd-healthcheck-client    Dec 12, 2023 15:39 UTC   295d            etcd-ca                 no
etcd-peer                  Dec 12, 2023 15:39 UTC   295d            etcd-ca                 no
etcd-server                Dec 12, 2023 15:39 UTC   295d            etcd-ca                 no
front-proxy-client         Dec 12, 2023 15:40 UTC   295d            front-proxy-ca          no
scheduler.conf             Dec 12, 2023 15:41 UTC   295d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 13, 2031 13:35 UTC   7y              no
etcd-ca                 Feb 13, 2031 13:35 UTC   7y              no
front-proxy-ca          Feb 13, 2031 13:35 UTC   7y              no

As you can see above, the certificates are expired. They can be renewed by the command below:

kubeadm certs renew all
[renew] Reading configuration from the cluster...
[renew] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

certificate embedded in the kubeconfig file for the admin to use and for kubeadm itself renewed
certificate for serving the Kubernetes API renewed
certificate the apiserver uses to access etcd renewed
certificate for the API server to connect to kubelet renewed
certificate embedded in the kubeconfig file for the controller manager to use renewed
certificate for liveness probes to healthcheck etcd renewed
certificate for etcd nodes to communicate with each other renewed
certificate for serving etcd renewed
certificate for the front proxy client renewed
certificate embedded in the kubeconfig file for the scheduler manager to use renewed

Done renewing certificates. You must restart the kube-apiserver, kube-controller-manager, kube-scheduler and etcd, so that they can use the new certificates.

Now you can check the expiry date of the certificates and verify whether everything got updated.

kubeadm certs check-expiration
[sudo] password for erik:
[check-expiration] Reading configuration from the cluster...
[check-expiration] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Feb 20, 2024 14:37 UTC   364d            ca                      no
apiserver                  Feb 20, 2024 14:37 UTC   364d            ca                      no
apiserver-etcd-client      Feb 20, 2024 14:37 UTC   364d            etcd-ca                 no
apiserver-kubelet-client   Feb 20, 2024 14:37 UTC   364d            ca                      no
controller-manager.conf    Feb 20, 2024 14:37 UTC   364d            ca                      no
etcd-healthcheck-client    Feb 20, 2024 14:37 UTC   364d            etcd-ca                 no
etcd-peer                  Feb 20, 2024 14:37 UTC   364d            etcd-ca                 no
etcd-server                Feb 20, 2024 14:37 UTC   364d            etcd-ca                 no
front-proxy-client         Feb 20, 2024 14:37 UTC   364d            front-proxy-ca          no
scheduler.conf             Feb 20, 2024 14:37 UTC   364d            ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 13, 2031 13:35 UTC   7y              no
etcd-ca                 Feb 13, 2031 13:35 UTC   7y              no
front-proxy-ca          Feb 13, 2031 13:35 UTC   7y              no

To be sure kubectl works again, try some commands:

kubectl get pods -A
kubectl get nodes

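If you still get the error You must be logged in to the server (Unauthorized), your kubeconfig is probably out of date: the renewal rewrites the client certificate embedded in /etc/kubernetes/admin.conf, so a copy of that file made earlier still carries the old certificate. Copy the kube conf again: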

cp /etc/kubernetes/admin.conf $HOME/.kube/config
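
To catch expiring certificates before kubectl starts failing, the check-expiration table can be filtered for rows that are close to expiry. This is an added example, not part of the original note or of kubeadm: the function names and the sample rows are constructed, and it assumes kubeadm prints <invalid> in the RESIDUAL TIME column for a certificate that has already expired.

```shell
#!/bin/sh
# Added example. Usage on a control-plane node:
#   kubeadm certs check-expiration | expiring_certs 30

# Print every certificate whose RESIDUAL TIME is under $1 days.
expiring_certs() {
    awk -v limit="$1" '
        $6 != "UTC" { next }           # keep table rows only: name + 5-field date
        {
            name = $1; left = $7       # $7 is the RESIDUAL TIME column
            if (left == "<invalid>") { print name " EXPIRED"; next }
            n = left + 0               # numeric prefix: 295 from "295d"
            unit = substr(left, length(left))
            if (unit == "y")      days = n * 365
            else if (unit == "d") days = n
            else                  days = 0   # h, m, s: less than one day left
            if (days < limit) print name " " left
        }'
}

# Constructed sample in the table format shown above (values are made up).
sample_output() {
    cat <<'EOF'
[check-expiration] Reading configuration from the cluster...

CERTIFICATE                EXPIRES                  RESIDUAL TIME   CERTIFICATE AUTHORITY   EXTERNALLY MANAGED
admin.conf                 Dec 12, 2023 15:42 UTC   295d            ca                      no
apiserver                  Feb 19, 2023 15:40 UTC   <invalid>       ca                      no
etcd-peer                  Feb 27, 2023 15:39 UTC   6d              etcd-ca                 no
scheduler.conf             Feb 21, 2023 09:10 UTC   18h             ca                      no

CERTIFICATE AUTHORITY   EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
ca                      Feb 13, 2031 13:35 UTC   7y              no
EOF
}

# Flags apiserver (expired), etcd-peer and scheduler.conf with a 30-day limit.
sample_output | expiring_certs 30
```

Run from cron or a monitoring agent, a non-empty result is the signal to schedule kubeadm certs renew all and the control-plane restart it asks for.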

Source:
https://amalgjose.com/2021/06/21/kubectl-error-you-must-be-logged-in-to-the-server-unauthorized-how-to-fix/

Last updated on 20 Feb 2023
Published on 20 Feb 2023