BLOG02b: Cluster Connection

When the kubeconfig points at the API server by a public IP address that is not in the server's certificate, you need to add tls-server-name to that cluster entry (under clusters[].cluster) in your kubeconfig file:

server: https://44.192.92.4:6443
tls-server-name: kubernetes

Here is why this is required, what it means, and when you must use it. It is an important kubeconfig concept, because the obvious alternative (turning verification off) is the wrong fix.


Why you needed to add tls-server-name: kubernetes

Your API server is running on:

44.192.92.4

But your API server certificate (apiserver.crt) is issued for:

CN = kubernetes
DNS = kubernetes
DNS = kubernetes.default
DNS = kubernetes.default.svc
DNS = kubernetes.default.svc.cluster.local
IP = 10.96.0.1

Notice that the certificate does NOT contain the public IP 44.192.92.4.

So when Lens (or kubectl) connects to:

https://44.192.92.4:6443

the client compares the address it dialed, 44.192.92.4, against the certificate's Subject Alternative Names. The IP is not there, so TLS validation fails. kubectl reports this as:

x509: certificate is valid for 10.96.0.1, not 44.192.92.4


What does tls-server-name do?

Adding tls-server-name: kubernetes to the cluster entry tells the client:

“When verifying the certificate, check it against the name ‘kubernetes’, even though I'm connecting via the IP 44.192.92.4.”

The name check then looks for kubernetes in the certificate's Subject Alternative Names, and the DNS SAN kubernetes is there, so it passes. Any of the other DNS SANs listed above would work just as well; the name you choose only has to appear in the certificate. (Go clients such as kubectl match against the SANs only and ignore the CN, so it is the DNS SAN, not CN = kubernetes, that satisfies the check.)

Nothing else about verification changes: the certificate still has to chain to the CA in certificate-authority-data and still has to be within its validity period. That is what makes tls-server-name the right fix and insecure-skip-tls-verify: true the wrong one. The override only changes which name is compared; insecure-skip-tls-verify disables certificate verification altogether, so anyone who can intercept traffic to 44.192.92.4 could impersonate the API server and collect the client's credentials.

So TLS succeeds.
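To make the mechanism concrete, here is an added example, not code from the original post. It is in Go because kubectl and client-go are Go programs and this is the same crypto/x509 check they run after the handshake. It mints a throwaway CA and an apiserver certificate carrying the SAN list quoted above (and, like the real apiserver.crt, no entry for 44.192.92.4), then verifies that certificate under three server names: the dialed public IP, the override name kubernetes, and kubernetes against a different CA. The function names mintCluster, verifyAs and isHostnameMismatch are this example's own; the keys and certificates are constructed in memory for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mintCluster builds a throwaway cluster CA and an API-server certificate carrying the
// SAN set quoted in the post (the kubernetes.* DNS names and IP 10.96.0.1) and, like the
// real apiserver.crt, no entry for the public IP 44.192.92.4. Constructed for this
// example only; keys are ephemeral and never leave memory.
func mintCluster() (leaf *x509.Certificate, roots *x509.CertPool, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes-ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		// CN is set for completeness only: Go matches names against SANs, not the CN.
		Subject: pkix.Name{CommonName: "kubernetes"},
		DNSNames: []string{
			"kubernetes",
			"kubernetes.default",
			"kubernetes.default.svc",
			"kubernetes.default.svc.cluster.local",
		},
		IPAddresses: []net.IP{net.ParseIP("10.96.0.1")},
		NotBefore:   now.Add(-time.Hour),
		NotAfter:    now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	roots = x509.NewCertPool()
	roots.AddCert(caCert)
	return leaf, roots, nil
}

// verifyAs runs the two checks a Go TLS client such as kubectl applies to the server
// certificate: chain it to the pinned CA (certificate-authority-data) and match
// serverName against its SANs. serverName is exactly what tls-server-name sets; without
// the override the client uses the host from the server: URL, i.e. 44.192.92.4.
func verifyAs(leaf *x509.Certificate, roots *x509.CertPool, serverName string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   serverName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isHostnameMismatch reports whether err is the name-mismatch failure described in the
// post, as opposed to an untrusted CA, an expired certificate, or some other failure.
func isHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	leaf, roots, err := mintCluster()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"44.192.92.4", "kubernetes"} {
		fmt.Printf("verify as %-12s -> %v\n", name, verifyAs(leaf, roots, name))
	}
	// The override only changes the name check. A certificate from a different CA that
	// also claims the name "kubernetes" is still rejected.
	_, otherRoots, err := mintCluster()
	if err != nil {
		panic(err)
	}
	fmt.Println("other CA, name kubernetes ->", verifyAs(leaf, otherRoots, "kubernetes"))
}
```

Verifying as 44.192.92.4 fails with a hostname error, verifying as kubernetes succeeds, and verifying as kubernetes against a different CA still fails with an unknown-authority error. That last case is the point: tls-server-name changes which name is compared against the SAN list and nothing else, so the CA pinned in certificate-authority-data keeps doing its job.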


Alternative solution (NOT required but good to know)

Instead of tls-server-name, you could reissue the apiserver certificate with the public IP 44.192.92.4 included as an additional Subject Alternative Name. That fixes the mismatch for every client at once, with no per-kubeconfig override, but it means regenerating the certificate on the control plane, which is more work and usually not necessary when only a workstation or two connect over the public IP.


Summary

Problem                                     Solution
------------------------------------------  ---------------------------
API server cert doesn't include public IP   tls-server-name: kubernetes
Lens/kubectl sees certificate mismatch      Override TLS hostname
Connection succeeds                         Yes

