Troubleshooting the Kubernetes Fedora manual setup

If kube-apiserver fails to start, the cause may be service account admission control, which requires a service account and a token before it allows pods to be scheduled. The token is generated automatically by the controller. By default, the API server uses a TLS serving key, but because we are not using HTTPS and don't have a TLS server key, we can provide the API server the same key file so that it can validate the generated service-account tokens.

Use the following to generate the key and add it to the k8s cluster:

        openssl genrsa -out /tmp/serviceaccount.key 2048

To start the API server, add the following option to the end of the /etc/kubernetes/apiserver file:

        KUBE_API_ARGS="--service_account_key_file=/tmp/serviceaccount.key" ...
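Before restarting the API server, the two steps above can be checked together. The following is an added example, not code from the book or from Kubernetes: the function name `check_sa_key` and its return codes are assumptions of this example. It confirms that `KUBE_API_ARGS` carries a well-formed key-file flag, that the file it names looks like a PEM private key, and that the key is not accessible to group or other users, which matters for a token-signing key kept under /tmp.

```shell
#!/bin/sh
# Added example (not from the original page). check_sa_key is a hypothetical
# helper; its return codes are this example's own convention:
#   0  flag present, key file is a PEM private key readable only by its owner
#   1  KUBE_API_ARGS missing, or the key-file flag is absent or malformed
#      (for instance a stray space after "--")
#   2  the named key file is missing, empty, or not a PEM private key
#   3  the key file grants some permission to group or other users
#
# Typical call: check_sa_key /etc/kubernetes/apiserver
check_sa_key() {
    conf=$1

    # Use the last KUBE_API_ARGS assignment, as sourcing the file would.
    args=$(sed -n 's/^[[:space:]]*KUBE_API_ARGS=//p' "$conf" 2>/dev/null \
        | tail -n 1 | tr -d "\"'")

    # Split the arguments into tokens and pick out the key-file flag.
    # Both the underscore spelling used on this page and the dashed
    # spelling (--service-account-key-file) are accepted.
    key=$(printf '%s\n' "$args" | tr ' ' '\n' \
        | sed -n 's/^--service[_-]account[_-]key[_-]file=//p' | tail -n 1)
    [ -n "$key" ] || return 1

    # openssl genrsa writes a PEM file; the header text differs between
    # OpenSSL versions ("RSA PRIVATE KEY" or "PRIVATE KEY").
    [ -s "$key" ] || return 2
    grep -q 'BEGIN .*PRIVATE KEY' "$key" || return 2

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] || return 3

    return 0
}
```

A return code of 3 is fixed with `chmod 600` on the key file; a return code of 1 usually means the flag was mistyped in /etc/kubernetes/apiserver.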
