K3s: Unable to connect K3s agents to K8s master

Created on 21 Nov 2019 · 5 Comments · Source: k3s-io/k3s

Hi!
I'm trying to connect a K3s Node to a K8s Master.

While starting the k3s agent:

# k3s agent -s https://<master IP>:6443 -t <master token>

I got the error:

INFO[...] Running load balancer 127.0.0.1:37235 -> [ ... :6443]
ERRO[...] failed to get CA certs at https://127.0.0.1:37235/cacerts: https://127.0.0.1:37235/cacerts: 403 Forbidden

When I tried to connect (using the same machines, in the same network) the K3s to a K3s Master, everything worked with no problems.

I suspect that the problem is the <master token> I got using:

[Master]$ sudo kubeadm token create --print-join-command

Because the tokens printed were quite different than the one under: _/var/lib/rancher/k3s/server/node-token_ (in the k3s master case)

How can I get the correct token?

Or:

Is there a different process I should follow in order to connect to a K8s Master?
I couldn't find any documentation for it.

Help would be greatly appreciated.
Thanks!!

gz#10079

kinenhancement

All 5 comments

Sorry, k3s agents can only connect to k3s servers at the moment.

Is this something that might change in the future? It would be very useful to me

Is this something that might change in the future? It would be very useful to me

For me it's even crucial in order to be able to use k3s (which I would really like to do).

Can this be achieved by changing just the Agent?
I'll be glad to try and help solve it (to the best of my ability).

Thanks again!

It is probably possible to modify the agent code to make this work. Here are some features being provided by the agent that would likely need to be disabled:

  • cert bootstrap process
  • tunnel from node to every server
  • network policy controller (unless running on k8s master also)
  • load balancer on each node for HA failover (maybe can keep on)

The reverse tunnel + server core-dns node entries make it so that each node does not need a hosts entry for every other node, so there may be extra setup needed to resolve all node hostnames.

I have not looked deeply into the code/workflow of kubeadm join, but there may be some extra work required for that functionality.
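
The "cert bootstrap process" item above, sketched as an added example (not code from this thread or from the k3s project): it tells a k3s-style join token from a kubeadm bootstrap token and checks a CA bundle against the hash a k3s-style token pins. The two token layouts in the comments are assumptions about the tools' formats that the thread does not state, and all sample values are constructed.

```python
import hashlib
import hmac
import re

# Token layouts assumed here (not stated in the thread):
#   kubeadm bootstrap token: 6 chars "." 16 chars, all [a-z0-9]
#   k3s full join token:     "K10" + hex SHA-256 of the server CA bundle
#                            + "::" + user + ":" + password
KUBEADM_RE = re.compile(r"[a-z0-9]{6}\.[a-z0-9]{16}")
K3S_RE = re.compile(r"K10(?P<ca_hash>[0-9a-f]{64})::(?P<user>[^:]+):(?P<password>.+)")


def classify_token(token):
    """Return ("k3s", fields), ("kubeadm", {}) or ("unknown", {})."""
    token = token.strip()
    m = K3S_RE.fullmatch(token)
    if m:
        return "k3s", m.groupdict()
    if KUBEADM_RE.fullmatch(token):
        return "kubeadm", {}
    return "unknown", {}


def ca_matches_token(token, ca_bundle):
    """True only if the token is k3s-shaped and pins exactly this CA bundle."""
    kind, fields = classify_token(token)
    if kind != "k3s":
        return False  # a kubeadm-shaped token has no CA hash field to compare
    digest = hashlib.sha256(ca_bundle).hexdigest()
    # Constant-time comparison of the computed and pinned hashes.
    return hmac.compare_digest(digest, fields["ca_hash"])


# Constructed sample data, not real credentials or certificates.
SAMPLE_CA = b"-----BEGIN CERTIFICATE-----\nconstructed-example\n-----END CERTIFICATE-----\n"
SAMPLE_K3S = "K10" + hashlib.sha256(SAMPLE_CA).hexdigest() + "::node:0123456789abcdef"
SAMPLE_KUBEADM = "abcdef.0123456789abcdef"

if __name__ == "__main__":
    for name, tok in [("k3s", SAMPLE_K3S), ("kubeadm", SAMPLE_KUBEADM)]:
        print(name, classify_token(tok)[0], ca_matches_token(tok, SAMPLE_CA))
```
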

This simply isn't in the wheelhouse of k3s and I don't see us putting effort into this any time soon. I'm going to close this issue.
