Kubernetes kube-apiserver is not reachable from nodes/pods via ClusterIP (:443).


According to the kube-apiserver documentation:

--bind-address ip     The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank, all interfaces will be used (0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). (default 0.0.0.0)

--secure-port int     The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all. (default 6443)

As far as I can see, the flags --bind-address and --secure-port weren't defined in your kube-apiserver configuration, so by default kube-apiserver listens for HTTPS connections on 0.0.0.0:6443.

So, in order to solve your issue, just add the --secure-port flag to the kube-apiserver configuration:

"--secure-port", "443",


Change from:

"--service-cluster-ip-range", "10.0.0.0/16",

To:

"--service-cluster-ip-range", "10.10.0.0/16",

So that the --service-cluster-ip-range value matches the flannel CIDR.


Please make sure the host your apiserver pod sits on has iptables set to accept the CIDR range of your pods, such as:

-A INPUT -s 10.32.0.0/12 -j ACCEPT

I think this has something to do with the fact that, when accessing a service on the same host, iptables does not use the translated address as the source address.
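
The following is an added example, not code from any of the answers above: an offline check that works out which address and port kube-apiserver will listen on from its argument list (using the defaults quoted from the documentation) and whether a saved iptables rule set accepts the pod CIDR on INPUT. The sample arguments, the rule list and the choice of 10.32.0.0/12 as the pod CIDR are constructed assumptions.

```python
import ipaddress

# Defaults as quoted from the kube-apiserver documentation above.
DEFAULTS = {"--bind-address": "0.0.0.0", "--secure-port": "6443"}

def parse_flags(argv):
    """Parse both '--flag=value' and '--flag', 'value' argument forms."""
    flags, i = {}, 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            if "=" in arg:
                key, value = arg.split("=", 1)
                flags[key] = value
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                flags[arg] = argv[i + 1]
                i += 1
            else:
                flags[arg] = "true"  # bare boolean flag
        i += 1
    return flags

def effective_listener(flags):
    """Return (bind_address, secure_port) after applying the defaults."""
    addr = flags.get("--bind-address") or DEFAULTS["--bind-address"]
    port = int(flags.get("--secure-port", DEFAULTS["--secure-port"]))
    return addr, port

def input_accepts(rules, pod_cidr):
    """True if an unconditional '-A INPUT -s NET -j ACCEPT' rule covers
    the whole pod CIDR. Rule order and earlier DROP rules are not modelled."""
    pods = ipaddress.ip_network(pod_cidr)
    for rule in rules:
        tok = rule.split()
        if len(tok) != 6 or tok[:3] != ["-A", "INPUT", "-s"] or tok[4:] != ["-j", "ACCEPT"]:
            continue
        src = ipaddress.ip_network(tok[3], strict=False)
        if src.version == pods.version and pods.subnet_of(src):
            return True
    return False

# Constructed sample input (assumptions, not taken from a real cluster).
SAMPLE_ARGS = ["kube-apiserver", "--service-cluster-ip-range", "10.0.0.0/16"]
SAMPLE_RULES = ["-A INPUT -i lo -j ACCEPT", "-A INPUT -s 10.32.0.0/12 -j ACCEPT"]

if __name__ == "__main__":
    print("listener:", effective_listener(parse_flags(SAMPLE_ARGS)))
    print("pod CIDR accepted:", input_accepts(SAMPLE_RULES, "10.32.0.0/12"))
```
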