Restore the Host Cluster Access to A Member Cluster

KubeSphere features multi-cluster management, and tenants with the necessary permissions (usually cluster administrators) can access the central control plane from the Host Cluster to manage all the Member Clusters. It is highly recommended that you manage resources across your clusters through the Host Cluster.

This tutorial demonstrates how to restore the Host Cluster access to a Member Cluster.

Possible Error Message

If you can’t access a Member Cluster from the central control plane and your browser keeps redirecting you to the login page of KubeSphere, run the following command on that Member Cluster to get the logs of the ks-apiserver.

  kubectl -n kubesphere-system logs ks-apiserver-7c9c9456bd-qv6bs

Note

ks-apiserver-7c9c9456bd-qv6bs refers to the Pod ID on that Member Cluster. Make sure you use the ID of your own Pod.

You will probably see the following error message:

  E0305 03:46:42.105625 1 token.go:65] token not found in cache
  E0305 03:46:42.105725 1 jwt_token.go:45] token not found in cache
  E0305 03:46:42.105759 1 authentication.go:60] Unable to authenticate the request due to error: token not found in cache
  E0305 03:46:52.045964 1 token.go:65] token not found in cache
  E0305 03:46:52.045992 1 jwt_token.go:45] token not found in cache
  E0305 03:46:52.046004 1 authentication.go:60] Unable to authenticate the request due to error: token not found in cache
  E0305 03:47:34.502726 1 token.go:65] token not found in cache
  E0305 03:47:34.502751 1 jwt_token.go:45] token not found in cache
  E0305 03:47:34.502764 1 authentication.go:60] Unable to authenticate the request due to error: token not found in cache

Solution

Step 1: Verify the jwtSecret

Run the following command on your Host Cluster and on the Member Cluster to confirm that their jwtSecrets are identical.

  kubectl -n kubesphere-system get cm kubesphere-config -o yaml | grep -v apiVersion | grep jwtSecret

Step 2: Modify accessTokenMaxAge

Make sure the jwtSecrets are identical, then run the following command on that Member Cluster to get the value of accessTokenMaxAge.

  kubectl -n kubesphere-system get cm kubesphere-config -o yaml | grep -v "apiVersion" | grep accessTokenMaxAge

If the value is not 0, run the following command to modify the value of accessTokenMaxAge.

  kubectl -n kubesphere-system edit cm kubesphere-config -o yaml

After you have changed the value of accessTokenMaxAge to 0, run the following command to restart the ks-apiserver.

  kubectl -n kubesphere-system rollout restart deploy ks-apiserver

Now, you can access that Member Cluster from the central control plane again.
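
The checks from Steps 1 and 2 can be run against saved ConfigMap dumps, comparing the jwtSecrets by fingerprint so the secret is not printed. This is an added example, not part of the original tutorial or of KubeSphere; the function names, exit codes, sample layout, and the acceptance of 0s as a spelling of 0 are assumptions.

```shell
#!/bin/sh
# Added example. Works on saved dumps so nothing is edited; on real clusters:
#   kubectl -n kubesphere-system get cm kubesphere-config -o yaml > host.yaml   (Host)
#   kubectl -n kubesphere-system get cm kubesphere-config -o yaml > member.yaml (Member)

# Print KEY's value from a dump, using the tutorial's grep filter.
cfg_value() {
  grep -v apiVersion "$1" | grep "$2:" | head -n 1 |
    sed "s/.*$2:[[:space:]]*//" | tr -d "\"'"
}

# Short SHA-256 fingerprint, so the secret itself never reaches the terminal or logs.
fingerprint() { printf '%s' "$1" | sha256sum | cut -c1-12; }

# Returns 0 = both checks pass, 1 = jwtSecret differs, 2 = accessTokenMaxAge not 0,
# 3 = jwtSecret missing from a dump.
check_member_config() {
  host_secret=$(cfg_value "$1" jwtSecret)
  member_secret=$(cfg_value "$2" jwtSecret)
  max_age=$(cfg_value "$2" accessTokenMaxAge)
  if [ -z "$host_secret" ] || [ -z "$member_secret" ]; then
    echo "jwtSecret not found in one of the dumps"; return 3
  fi
  if [ "$host_secret" != "$member_secret" ]; then
    echo "Step 1 FAIL: jwtSecret differs (host $(fingerprint "$host_secret"), member $(fingerprint "$member_secret"))"
    return 1
  fi
  echo "Step 1 OK: jwtSecret identical ($(fingerprint "$host_secret"))"
  case "$max_age" in
    0|0s) echo "Step 2 OK: accessTokenMaxAge is $max_age" ;;  # 0s: assumed duration form of 0
    *) echo "Step 2 FAIL: accessTokenMaxAge is '$max_age', expected 0"; return 2 ;;
  esac
}

# Constructed sample dumps (not real cluster output); layout is an assumption.
write_sample() {  # write_sample FILE SECRET MAX_AGE
  cat > "$1" <<EOF
apiVersion: v1
kind: ConfigMap
data:
  kubesphere.yaml: |
    authentication:
      jwtSecret: "$2"
      oauthOptions:
        accessTokenMaxAge: $3
EOF
}

demo=$(mktemp -d)
write_sample "$demo/host.yaml" "constructed-secret-A" 0
write_sample "$demo/member.yaml" "constructed-secret-A" 1h
check_member_config "$demo/host.yaml" "$demo/member.yaml" || echo "exit status $?"
rm -rf "$demo"
```

Delete the dump files after the check, since they contain the jwtSecret in clear text.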