Kubernetes Add Extra SANS - CloudCommandos/JohnChan GitHub Wiki

Tested on Kubernetes v1.17

Export current master node's config

```
kubeadm config view > /root/kubeadmconf.yml
```

Edit the exported config and add the `certSANs` parameter under `apiServer`, listing each extra SAN the API server certificate should carry

```yaml
apiServer:
  certSANs:
  - 10.0.1.111
  extraArgs:
    authorization-mode: Node,RBAC
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controlPlaneEndpoint: 10.0.1.99:6443
controllerManager: {}
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.17.0
networking:
  dnsDomain: cluster.local
  podSubnet: 192.168.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}
```

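Replace the current API server certs

```
# store the edited config back in the cluster
kubeadm config upload from-file --config /root/kubeadmconf.yml
cd /etc/kubernetes/pki
# check cert before
openssl x509 -in apiserver.crt -text -noout
# removes only apiserver.crt and apiserver.key; kubeadm reuses them if they still exist
rm apiserver.*
kubeadm init phase certs apiserver --config=/root/kubeadmconf.yml
# check cert after
openssl x509 -in apiserver.crt -text -noout
systemctl daemon-reload
systemctl restart kubelet
# find and restart apiserver
docker ps | grep apiserver
# replace <apiserver_container_id> with the container ID from the previous command
docker restart <apiserver_container_id>

# Verify connection to apiserver (myserver is a placeholder for the API server address);
# </dev/null makes s_client exit after the handshake instead of waiting for input
openssl s_client -connect myserver:6443 </dev/null | openssl x509 -noout -text
```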
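The "check cert after" and "Verify connection" steps above rely on reading the `openssl x509 -text` output by eye. The script below is an added example, not part of the original wiki: it parses that text output and reports any expected SAN the certificate lacks. The function names `list_sans` and `missing_sans` are hypothetical, and the sample certificate text (including the hostname `master1`) is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the wiki): check the SANs in `openssl x509 -noout -text` output.

# list_sans: read the cert text on stdin, print one SAN per line
# in the form "DNS:name" or "IP:address".
list_sans() {
  awk '
    /X509v3 Subject Alternative Name/ { want = 1; next }
    want {
      sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
      n = split($0, parts, /, */)
      for (i = 1; i <= n; i++) {
        sub(/^IP Address:/, "IP:", parts[i])   # normalise the openssl label
        print parts[i]
      }
      exit
    }'
}

# missing_sans: cert text on stdin, expected SANs as arguments.
# Prints each expected SAN that is absent; returns 1 if any is missing.
missing_sans() {
  have=$(list_sans)
  rc=0
  for want in "$@"; do
    # -x (whole line) and -F (fixed string): "IP:10.0.1.11" must not
    # be satisfied by "IP:10.0.1.111"
    if ! printf '%s\n' "$have" | grep -qxF -- "$want"; then
      printf '%s\n' "$want"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample of the extensions section, using the addresses from the config above.
SAMPLE_CERT_TEXT='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:master1, DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster.local, IP Address:10.96.0.1, IP Address:10.0.1.99, IP Address:10.0.1.111'

printf '%s\n' "$SAMPLE_CERT_TEXT" | missing_sans "IP:10.0.1.111" "IP:10.0.1.99" \
  && echo "all expected SANs present"
```

On the master node, feed it the real certificate instead of the sample: `openssl x509 -in /etc/kubernetes/pki/apiserver.crt -noout -text | missing_sans IP:10.0.1.111`. Running it before restarting the API server container catches a config that was edited but not picked up.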