amazon-web-services kubernetes amazon-ec2 kops nlb

kOps 1.19 reports error "Unauthorized" when interfacing with AWS cluster


I'm following the kOps tutorial to set up a cluster on AWS. I am able to create a cluster with

kops create cluster
kops update cluster --yes

However, when validating whether my cluster is set up correctly with

kops validate cluster

I get stuck with error:

unexpected error during validation: error listing nodes: Unauthorized

The same error happens in many other kOps operations.

I checked my kOps/K8s version and it is 1.19:

> kops version
Version 1.19.1 (git-8589b4d157a9cb05c54e320c77b0724c4dd094b2)

> kubectl version
Client Version: version.Info{Major:"1", Minor:"20" ...
Server Version: version.Info{Major:"1", Minor:"19" ...

How can I fix this?


Solution

  • As of kOps 1.19 there are two reasons you will suddenly get this error:

    1. If you delete a cluster and reprovision it, your old admin is not removed from the kubeconfig and kOps/kubectl tries to reuse it.
    2. New certificates have a TTL of 18h by default, so you need to reprovision them about once a day.

    Both issues above are fixed by running kops export kubecfg --admin.

    Note that using the default TLS credentials is discouraged. Consider things like using an OIDC provider instead.
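
To see which of the two causes listed in the answer applies, the client certificate embedded in the kubeconfig can be checked for expiry. The following is an added example, not code from the original answer or from the kOps project; it uses only the Python standard library, and the function names, the sample user `demo.k8s.local`, the 2-hour warning window and the kubeconfig key order it expects are assumptions of this example.

```python
import base64, re
from datetime import datetime, timedelta, timezone

def read_tlv(buf, pos):
    """Read one DER element at pos and return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Return the notAfter field of a DER X.509 certificate as an aware UTC datetime."""
    _, pos, _ = read_tlv(der, read_tlv(der, 0)[1])  # Certificate -> tbsCertificate
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                     # optional [0] version
        pos = end
    for _ in range(3):                  # skip serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    _, pos, _ = read_tlv(der, pos)      # validity: step inside
    _, _, pos = read_tlv(der, pos)      # skip notBefore
    tag, start, end = read_tlv(der, pos)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime or GeneralizedTime
    return datetime.strptime(der[start:end].decode(), fmt).replace(tzinfo=timezone.utc)

def client_cert_status(kubeconfig, now, warn=timedelta(hours=2)):
    """Map each user with an embedded client certificate to (state, notAfter)."""
    report = {}
    # Assumption: client-certificate-data is the first key under "user:", as kubectl writes it.
    entry = r"- name:\s*(\S+)\s+user:\s+client-certificate-data:\s*(\S+)"
    for user, b64 in re.findall(entry, kubeconfig):
        pem = base64.b64decode(b64).decode()
        body = pem.split("-----BEGIN CERTIFICATE-----")[1].split("-----END")[0]
        expiry = not_after(base64.b64decode(body))
        state = "expired" if expiry <= now else "expiring" if expiry - now < warn else "ok"
        report[user] = (state, expiry)
    return report

def constructed_kubeconfig(user, expiry):
    """Constructed sample: an unsigned DER skeleton holding only the fields not_after reads."""
    t = lambda tag, body=b"": bytes([tag, len(body)]) + body
    when = expiry.strftime("%y%m%d%H%M%SZ").encode()
    tbs = t(0xA0, t(2, b"\x02")) + t(2, b"\x01") + t(0x30) * 2 + t(0x30, t(0x17, when) * 2)
    pem = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(t(0x30, t(0x30, tbs))) + b"\n-----END CERTIFICATE-----\n"
    return f"users:\n- name: {user}\n  user:\n    client-certificate-data: {base64.b64encode(pem).decode()}\n"

if __name__ == "__main__":
    now = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock, not real data
    print(client_cert_status(constructed_kubeconfig("demo.k8s.local", now + timedelta(hours=18)), now))
```

An `expired` result matches the 18h TTL case, while an `ok` result alongside a continuing `Unauthorized` error matches the stale admin entry left behind by a deleted cluster. In both cases `kops export kubecfg --admin` from the answer replaces the credential.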