Your kubectl cannot establish a TLS connection to the API server within the timeout period. This indicates network latency, a slow server, or SSL/TLS certificate issues.
A TLS handshake timeout occurs when kubectl initiates a connection to the API server but cannot complete the SSL/TLS negotiation within the default timeout (usually 15-30 seconds). This can indicate a slow API server, high network latency, or issues with TLS certificates.
Add a timeout flag to your commands:
kubectl --request-timeout=60s get nodes
Or set it globally in kubeconfig:
kubectl config set-cluster kubernetes --server=https://10.0.0.1:6443 --certificate-authority=ca.crt
Monitor API server latency:
time kubectl version
If it takes more than 5 seconds, the server is slow. Check the API server logs on the control plane.
Check client and server certificates:
openssl x509 -in ~/.kube/cert.crt -text -noout | grep -A2 "Validity"
openssl x509 -in /etc/kubernetes/pki/ca.crt -text -noout | grep -A2 "Validity"
Ensure none are expired.
Use mtr to monitor latency to the API server:
mtr -c 10 YOUR_API_SERVER_IP
Look for high latency or packet loss. If present, contact your network admin.
If the API server is overloaded:
# Check API server CPU/memory
kubectl top nodes
# If overloaded, restart on control plane:
sudo systemctl restart kubelet
For managed Kubernetes, contact your cloud provider if the control plane is slow.
Use kubectl logs for API server diagnostics:
kubectl logs -n kube-system kube-apiserver-control-plane
Consider using a local kubeconfig cache proxy. Monitor etcd performance, as slow etcd directly impacts API server latency. For high-latency environments (WAN links), increase timeouts further and consider using context-local API proxies.
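To tell which of the causes above applies, the following added example (not part of the original page) uses curl's time_connect and time_appconnect counters to separate TCP connect time from TLS handshake time, and maps curl exit codes to a likely cause. The server address and CA path are the ones used in the commands above; the 1-second threshold, the /version probe path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: split a slow kubectl connection into TCP vs TLS time.
# Defaults reuse the address and CA path shown on this page; the 1-second
# threshold and the /version probe path are assumptions to adjust.
API_SERVER="${API_SERVER:-https://10.0.0.1:6443}"
CA_FILE="${CA_FILE:-/etc/kubernetes/pki/ca.crt}"
SLOW_SECS="${SLOW_SECS:-1.0}"

# classify_timing CONNECT APPCONNECT (seconds, as printed by curl -w)
#   CONNECT    = time until the TCP connection was established
#   APPCONNECT = time until the TLS handshake finished (0 if it never did)
classify_timing() {
  awk -v c="$1" -v a="$2" -v t="$SLOW_SECS" 'BEGIN {
    c += 0; a += 0; t += 0
    if (c == 0)    { print "tcp-failed";     exit }
    if (a == 0)    { print "tls-incomplete"; exit }
    if (c > t)     { print "network-slow";   exit }
    if (a - c > t) { print "tls-slow";       exit }
    print "ok"
  }'
}

# classify_curl_exit CODE: map curl's documented exit codes to a likely cause.
classify_curl_exit() {
  case "$1" in
    0)  echo "ok" ;;
    7)  echo "connect-failed" ;;
    28) echo "timeout" ;;
    35) echo "tls-handshake-error" ;;
    60) echo "certificate-not-trusted" ;;
    *)  echo "other" ;;
  esac
}

# probe_api_server: one request, verified against CA_FILE (no -k), timed by curl.
probe_api_server() {
  probe_timing=$(curl -s -o /dev/null --cacert "$CA_FILE" --max-time 60 \
    -w '%{time_connect} %{time_appconnect}' "$API_SERVER/version")
  probe_rc=$?
  # $probe_timing is left unquoted on purpose so it splits into two arguments.
  echo "curl: $(classify_curl_exit "$probe_rc")" \
       "timing: $(classify_timing $probe_timing)"
}

# Run the probe only when asked, e.g.: sh probe.sh --probe
if [ "${1:-}" = "--probe" ]; then probe_api_server; fi
```

A "network-slow" result points to the mtr check, "tls-slow" or "tls-incomplete" to API server load, and "certificate-not-trusted" to the certificate checks.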