kubectl - error: You must be logged in to the server (the server has asked for the client to provide credentials)


We are getting an error when querying container logs with kubectl logs <pod>.

This is probably related to expired certs on the worker node itself.

When deleting a pod, it is correctly rescheduled on the problematic node.

How does scheduling work, while kubectl logs fails? As far as I understand both requests go through the api-server.


There is 1 answer

Wytrzymały Wiktor On

I suggest getting familiar with the whole scheduling process by going through the official docs:

kube-scheduler is the default scheduler for Kubernetes and runs as part of the control plane. kube-scheduler is designed so that, if you want and need to, you can write your own scheduling component and use that instead.

The Kubernetes scheduler is a control plane process which assigns Pods to Nodes. The scheduler determines which Nodes are valid placements for each Pod in the scheduling queue according to constraints and available resources.

Both kube-apiserver and kube-scheduler are the control plane components:

The control plane's components make global decisions about the cluster (for example, scheduling), as well as detecting and responding to cluster events (for example, starting up a new pod when a deployment's replicas field is unsatisfied).

I am no expert in OpenShift, but to better understand the authentication/authorization and certificates aspects of this platform I would read through these docs.
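
To check the suspicion raised in the question (expired certificates on the worker node), the script below reports the expiry state of every certificate in a directory. It is an added example, not part of the original question or answer; the function names are hypothetical, it assumes `openssl` is installed on the node, and the directory to scan (for instance `/var/lib/kubelet/pki`, the kubelet's default certificate directory) is an assumption about your node.

```sh
#!/bin/sh
# Added example: report the expiry state of PEM certificates in a directory.
# Usage: ./check-certs.sh DIR [WINDOW_SECONDS]
# Assumption: DIR is where the node keeps its certificates, e.g.
# /var/lib/kubelet/pki (kubelet default); adjust for your platform.

# cert_state FILE [WINDOW_SECONDS]
# Prints one of: expired | expiring | valid | unreadable
cert_state() {
    local file="$1" window="${2:-604800}"   # default warning window: 7 days
    # Files that do not parse as X.509 (e.g. a bare private key) are skipped.
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || { echo unreadable; return; }
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired        # notAfter is already in the past
    elif ! openssl x509 -in "$file" -noout -checkend "$window" >/dev/null 2>&1; then
        echo expiring       # still valid, but notAfter falls inside the window
    else
        echo valid
    fi
}

# scan_dir DIR [WINDOW_SECONDS]
# Prints "<state> notAfter=<date>  <file>" per certificate.
# Returns 1 if at least one certificate is expired, 0 otherwise.
scan_dir() {
    local dir="$1" window="${2:-604800}" rc=0 f state
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue             # unmatched glob or not a regular file
        state=$(cert_state "$f" "$window")
        [ "$state" = unreadable ] && continue
        printf '%-9s %s  %s\n' "$state" \
            "$(openssl x509 -in "$f" -noout -enddate)" "$f"
        [ "$state" = expired ] && rc=1
    done
    return "$rc"
}

# Scan only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_dir "$@"
fi
```

A non-zero exit status means at least one certificate in the directory is past its notAfter date.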