kubectl unable to connect to server: x509: certificate signed by unknown authority

I faced the Kubernetes error kubectl unable to connect to server: x509: certificate signed by unknown authority while I was trying to set up Anthos Service Mesh and enable automatic sidecar injection.

I got the above error when I was trying to enable auto-injection for sidecar proxies. To enable auto-injection, I had to add a revision label to the project’s namespace. Therefore, I ran the following kubectl command.

$ kubectl -n istio-system get pods -l app=istiod --show-labels

The above command is used to locate the revision label of istiod. But I got the following error after running the above command.

$ kubectl -n istio-system get pods -l app=istiod --show-labels

kubectl unable to connect to server: x509: certificate signed by unknown authority

Troubleshooting

The first thing I had to check was my kubectl config entries, using the following command.

$ kubectl config view

Everything seemed to be fine with respect to the entries. While I was installing Anthos Service Mesh, Mesh CA was enabled by default, and it is the default CA for ASM installs. Therefore, the entries or configuration related to certificates were correct.

I figured out that, while enabling auto-injection, I forgot to set the current-context for kubectl from the command line. You need to set the current-context for kubectl by running the following command.

$ gcloud container clusters get-credentials CLUSTER_NAME \
    --project=PROJECT_ID

For example,

$ gcloud container clusters get-credentials cluster-1 --zone us-east1-c --project sneppets21

After setting the current-context, I tried to run the following command again to locate the revision label of istiod.

$ kubectl -n istio-system get pods -l app=istiod --show-labels

NAME                                        READY   STATUS    RESTARTS   AGE   LABELS
istiod-asm-191-1-86ccfd8654-fdw4z   1/1     Running   0          4h    app=istiod,install.operator.istio.io/owning-resource=unknown,istio.io/rev=asm-191-1,istio=istiod,operator.istio.io/component=Pilot,pod-template-hash=86ccfd8654,sidecar.istio.io/inject=false
istiod-asm-191-1-86ccfd8654-mzcts   1/1     Running   0          4h    app=istiod,install.operator.istio.io/owning-resource=unknown,istio.io/rev=asm-191-1,istio=istiod,operator.istio.io/component=Pilot,pod-template-hash=86ccfd8654,sidecar.istio.io/inject=false

Ah! The Kubernetes error kubectl unable to connect to server: x509: certificate signed by unknown authority has gone away now.

Therefore, in my case the above error was due to not setting the current-context for kubectl.
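
A quick way to check for this condition before re-running get-credentials, as an added example that is not part of the original post: kubectl validates the API server certificate against the certificate-authority-data of the cluster entry that the current context selects, so the script compares both the context name and that CA with what GKE reports for the cluster. The function names are hypothetical; the gke_PROJECT_LOCATION_CLUSTER context name and the masterAuth.clusterCaCertificate field are assumed to follow GKE's usual conventions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Context name that `gcloud container clusters get-credentials` writes
# into kubeconfig (assumed GKE convention: gke_PROJECT_LOCATION_CLUSTER).
expected_context() { printf 'gke_%s_%s_%s\n' "$1" "$2" "$3"; }

# True when two base64 CA bundles are identical apart from whitespace or
# line wrapping. An empty kubeconfig CA never matches.
same_ca() {
  [ -n "$1" ] && \
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "$(printf '%s' "$2" | tr -d '[:space:]')" ]
}

# diagnose CURRENT_CTX WANTED_CTX KUBECONFIG_CA CLUSTER_CA
# Prints one of: wrong-context, ca-mismatch, ok
diagnose() {
  if [ "$1" != "$2" ]; then
    echo "wrong-context"   # kubectl is pointed at some other cluster entry
  elif ! same_ca "$3" "$4"; then
    echo "ca-mismatch"     # right context, but its stored CA is stale or empty
  else
    echo "ok"
  fi
}

# Collects the four inputs from kubectl and gcloud, then calls diagnose.
live_check() {
  project=$1; zone=$2; cluster=$3
  cur=$(kubectl config current-context 2>/dev/null || true)
  want=$(expected_context "$project" "$zone" "$cluster")
  # CA stored in the cluster entry selected by the current context
  kca=$(kubectl config view --raw --minify \
        -o jsonpath='{.clusters[0].cluster.certificate-authority-data}' 2>/dev/null || true)
  # CA that GKE reports for the cluster itself
  cca=$(gcloud container clusters describe "$cluster" --zone "$zone" \
        --project "$project" --format='value(masterAuth.clusterCaCertificate)')
  diagnose "$cur" "$want" "$kca" "$cca"
}

# Usage: ./check-context.sh PROJECT_ID ZONE CLUSTER_NAME
if [ "$#" -eq 3 ]; then live_check "$@"; fi
```

A result of wrong-context or ca-mismatch means kubectl is trusting a CA that did not issue the cluster's API server certificate; in either case re-running gcloud container clusters get-credentials for the intended cluster rewrites the entry.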

Hope this solution will help someone who might be facing a similar issue in GCP 🙂
