Troubleshooting the Kubernetes Fedora manual setup
If the kube-apiserver fails to start, it might be due to service account admission control and require a service account and a token before allowing pods to be scheduled. It is generated automatically by the controller. By default, the API server uses a TLS serving key, but as we are not sending over HTTPS and don't have a TLS server key, we can provide the API server the same key file in order for the API server to validate generated service-account tokens.
Use the following to generate the key and add it to the k8s
cluster:
openssl genrsa -out /tmp/serviceaccount.key 2048
To start the API server, add the following option to the end of the /etc/kubernetes/apiserver
file:
KUBE_API_ARGS="--
service_account_key_file=/tmp/serviceaccount.key"
/etc/kubernetes/kube-controller-manager
add the following option to the end of the file:
KUBE_CONTROLLER_MANAGER_ARGS=" - service_account_private_key_file...