K8S (1.9) how to access API server with client certificate


It appears the client certificate you presented was recognized, and authenticated you as the user "kubernetes".

The error you are receiving is an authorization error, not authentication.

The next step is to ensure that the user is authorized to perform the API calls they are making. How you do that varies depending on which authorization mode your server is using. See https://kubernetes.io/docs/admin/authorization/ for details.


Found the client certificate and key were wrong.

```
# sudo curl -iv -L \
>      --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt \
>      --key  /etc/kubernetes/pki/apiserver-kubelet-client.key \
>      --cacert /etc/kubernetes/pki/ca.crt \
> https://172.31.4.117:6443/healthz
* About to connect() to 172.31.4.117 port 6443 (#0)
*   Trying 172.31.4.117...
* Connected to 172.31.4.117 (172.31.4.117) port 6443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/kubernetes/pki/ca.crt
  CApath: none
* NSS: client certificate from file
*   subject: CN=kube-apiserver-kubelet-client,O=system:masters
*   start date: Dec 23 05:13:30 2017 GMT
*   expire date: Dec 23 05:13:30 2018 GMT
*   common name: kube-apiserver-kubelet-client
*   issuer: CN=kubernetes
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN=kube-apiserver
*   start date: Dec 23 05:13:30 2017 GMT
*   expire date: Dec 23 05:13:30 2018 GMT
*   common name: kube-apiserver
*   issuer: CN=kubernetes
> GET /healthz HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 172.31.4.117:6443
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Mon, 25 Dec 2017 02:10:15 GMT
Date: Mon, 25 Dec 2017 02:10:15 GMT
< Content-Length: 2
Content-Length: 2
< Content-Type: text/plain; charset=utf-8
Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host 172.31.4.117 left intact
ok
```
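
An added example (not part of either answer, and not Kubernetes code): it reads a `curl -v` transcript like the one above, derives the identity the API server's X.509 authenticator takes from the client certificate (CN as the user name, each O as a group), and separates an authentication failure (401) from an authorization failure (403). The function names and the trimmed sample transcript are constructed for illustration, and the parser assumes curl's NSS-style output as shown on this page.

```python
import re

# Constructed sample: a trimmed `curl -v` transcript in the NSS format shown above.
SAMPLE = """\
* NSS: client certificate from file
*   subject: CN=kube-apiserver-kubelet-client,O=system:masters
*   issuer: CN=kubernetes
* Server certificate:
*   subject: CN=kube-apiserver
< HTTP/1.1 200 OK
"""

def client_identity(transcript):
    """Map the client certificate subject to (user, groups): CN -> user, each O -> group."""
    in_client = False
    for line in transcript.splitlines():
        text = line.lstrip("* ").strip()
        if "client certificate" in text:
            in_client = True
        elif text.startswith("Server certificate"):
            in_client = False  # subjects from here on belong to the server
        elif in_client and text.startswith("subject:"):
            user, groups = None, []
            # Split the DN on commas that are not backslash-escaped.
            for rdn in re.split(r"(?<!\\),", text[len("subject:"):]):
                key, _, value = rdn.strip().partition("=")
                if key.upper() == "CN":
                    user = value
                elif key.upper() == "O":
                    groups.append(value)
            return user, groups
    return None, []  # no client certificate was presented

def diagnose(transcript):
    """Classify the last HTTP status in the transcript as an authn or authz outcome."""
    user, groups = client_identity(transcript)
    # Only curl's "< " response-header lines count; -i echoes the same headers on stdout.
    codes = re.findall(r"^< HTTP/\S+ (\d{3})", transcript, flags=re.M)
    status = int(codes[-1]) if codes else None
    if status == 401:
        stage = "authentication"  # certificate rejected or missing
    elif status == 403:
        stage = "authorization"   # identity accepted, request not permitted
    else:
        stage = None
    return {"user": user, "groups": groups, "status": status, "failed_stage": stage}
```

For the certificate above this returns user `kube-apiserver-kubelet-client` in group `system:masters`, which the default RBAC bootstrap bindings tie to `cluster-admin`, so that key file needs the same protection as a cluster-admin credential.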