Issue
Alibaba Cloud provides a command line tool, Cloud Shell, to help you manage cloud resources in browsers. Container Service for Kubernetes (ACK) integrates Cloud Shell. You can use this tool to manage a cluster. When you use Cloud Shell to manage a cluster, the following timeout error may occur:
Unable to connect to the server: dial tcp XX.XX.XX.XX:6443: i/o timeout
Cause
ACK integrates with Cloud Shell. You can install the kubectl client and configure it by editing the kubeconfig file in Cloud Shell. kubectl uses the public endpoint of the API server that is defined in the kubeconfig file to communicate with a cluster. If Internet access is disabled for the API server when you create a cluster, you cannot use Cloud Shell to manage the cluster.
Solution
If Internet access is disabled for the API server, you can associate an elastic IP address (EIP) with the internal-facing Server Load Balancer (SLB) instance of the cluster. This enables Internet access to the API server. However, the certificate of the API server is associated with the IP address of the internal-facing SLB instance. Therefore, after you modify the kubeconfig file, the kubectl client can access the cluster only if it does not verify the certificate of the API server.
1. Log on to the Virtual Private Cloud (VPC) console and create an EIP.
2. Log on to the ACK console. In the left-side navigation pane, click Clusters. On the Clusters page, find the cluster that you want to manage and click the cluster name to go to the cluster management page.
3. Record the internal endpoint of the API server.
4. Log on to the SLB console. Search for the internal-facing SLB instance of the cluster by using the internal endpoint and associate the EIP that you created in Step 1 with the SLB instance.
5. Log on to the ACK console and open Cloud Shell. Modify the ~/.kube/config file in Cloud Shell as shown in the following code:
       clusters:
       - cluster:
           server: https://[$Public_IP]:6443
           insecure-skip-tls-verify: true
   Note:
   - Replace [$Public_IP] with the EIP that is associated with the SLB instance.
   - Set the insecure-skip-tls-verify parameter to true. You need to skip server certificate verification over Transport Layer Security (TLS) because the SLB instance that you add is not specified in the default certificate of ACK.
6. Check whether Cloud Shell can be used to manage the cluster.
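With insecure-skip-tls-verify set to true, kubectl no longer authenticates the API server for that cluster entry, so it helps to know which kubeconfig entries carry the setting. The following check is an added example, not part of the original article or of ACK tooling. The function names, the entry names and the addresses in the sample are constructed for illustration.

```shell
# Added example, not from the original article. Lists kubeconfig cluster
# entries where TLS verification of the API server is switched off.
# Assumes the block-style YAML that kubectl writes (one key per line).
find_insecure_clusters() {
    awk '
    function flush() {
        if (insecure) printf "%s\t%s\n", (name == "" ? "(unnamed)" : name), server
        name = ""; server = ""; insecure = 0
    }
    function value(s) {                 # text after "key:", comment and quotes stripped
        sub(/^[^:]*:[ ]*/, "", s); sub(/[ ]+#.*$/, "", s); sub(/[ ]+$/, "", s)
        gsub(/["\047]/, "", s); return s
    }
    /^[^ #-]/ {                         # top-level key: enter or leave "clusters:"
        if (in_clusters) flush()
        in_clusters = ($1 == "clusters:"); depth = 0; next
    }
    !in_clusters { next }
    /^ *- / {                           # list item; the first one fixes the entry column
        col = index($0, "-")
        if (depth == 0) depth = col
        if (col == depth) { flush(); sub(/-/, " ") }
    }
    {
        if ($1 == "server:") server = value($0)
        else if ($1 == "insecure-skip-tls-verify:" && tolower(value($0)) == "true") insecure = 1
        else if ($1 == "name:" && match($0, /[^ ]/) == depth + 2) name = value($0)
    }
    END { if (in_clusters) flush() }
    ' "$1"
}

# Constructed sample: the first entry is edited as in the step above
# (203.0.113.10 is a documentation address), the second still verifies.
write_sample_kubeconfig() {
    cat > "$1" <<'EOF'
apiVersion: v1
clusters:
- cluster:
    server: https://203.0.113.10:6443
    insecure-skip-tls-verify: true
  name: ack-via-eip
- cluster:
    certificate-authority-data: PLACEHOLDER
    server: https://192.168.0.10:6443
  name: ack-internal
contexts: []
EOF
}
```

Run it as find_insecure_clusters ~/.kube/config. Each output line is the entry name and its server URL, separated by a tab.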
Applicable scope
- Dedicated Kubernetes clusters in ACK
- Managed Kubernetes clusters in ACK
- Serverless Kubernetes clusters in ACK