Basic troubleshooting of cluster connection issues with the API server
This article discusses connection issues to an Azure Kubernetes Service (AKS) cluster when you can't reach the cluster's API server through the Kubernetes cluster command-line tool (kubectl) or any other tool, such as using REST API through a programming language.
Prerequisites
Root cause and solutions
Connection issues to the API server can occur for many reasons, but the root cause is often related to an error with one of these items:
- Network
- Authentication
- Authorization
You can take these common troubleshooting steps to check the connectivity to the AKS cluster's API server:
Enter the following az aks show command in Azure CLI. This command gets the fully qualified domain name (FQDN) of your AKS cluster.
az aks show --resource-group <cluster-resource-group> --name <cluster-name> --query fqdnWith the FQDN, check whether the API server is reachable from the client machine by using the name server lookup (nslookup), client URL (curl), and telnet commands:
# Check if the DNS Resolution is working: $ nslookup <cluster-fqdn> # Then check if the API Server is reachable: $ curl -Iv https://<cluster-fqdn> $ telnet <cluster-fqdn> 443If the AKS cluster is private, make sure you run the command from a virtual machine (VM) that can access the AKS cluster's Azure Virtual Network. See Options for connecting to the private cluster.
If necessary, follow the steps in the troubleshooting article Client IP address can't access the API server, so the API server adds your client IP address to the IP ranges it authorizes.
Make sure the version of kubectl on your client machine isn't two or more minor versions behind the AKS cluster's version of that tool. To install the latest version of kubectl, run the az aks install-cli command in Azure CLI. You can then run kubectl version command to check the version number of the new installation.
For example, on Linux you would run these commands:
sudo az aks install-cli kubectl version --clientFor other client operating systems, use these kubectl installation instructions.
If necessary, follow the steps in the troubleshooting article Config file isn't available when connecting, so your Kubernetes configuration file (config) is valid and can be found at connection time.
If necessary, follow the steps in the troubleshooting article User can't get cluster resources, so you can list the details of your cluster nodes.
If you're using a firewall to control egress traffic from AKS worker nodes, make sure the firewall allows the minimum required egress rules for AKS.
Make sure the network security group that's associated with AKS nodes allows communication on TCP port 10250 within the AKS nodes.
For other common troubleshooting steps, see I'm receiving TCP timeouts when using kubectl or other third-party tools connecting to the API server.
Contact us for help
If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for