Unable to create guest cluster "error execution phase preflight: couldn't validate the identity of the API Server: could not find a JWS signature in the cluster-info ConfigMap for token ID"

Article ID: 394860

Updated On: 04-21-2025

Products

VMware vSphere Kubernetes Service

Issue/Introduction

When we tried to create a guest cluster, one of the 3 control plane (CP) VMs came up successfully, while another remained stuck in the "Provisioned" state.

Environment

VMware vSphere with Tanzu 8.x

Cause

The cloud-init logs indicated that kubeadm join was failing, so the second CP VM could not join the cluster:

[2025-04-18 12:58:58] I0418 12:58:58.947501    3247 token.go:223] [discovery] The cluster-info ConfigMap does not yet contain a JWS signature for token ID "XXXXX", will try again
[2025-04-18 12:59:03] error execution phase preflight: couldn't validate the identity of the API Server: could not find a JWS signature in the cluster-info ConfigMap for token ID "XXXXX"
[2025-04-18 12:59:03] To see the stack trace of this error execute with --v=5 or higher
[2025-04-18 12:59:03] !!! [2025-04-18T12:59:03+00:00] kubeadm reported failed action(s) for 'kubeadm join phase preflight --ignore-preflight-errors=DirAvailable--etc-kubernetes-manifests'
[2025-04-18 12:59:18] +++ [2025-04-18T12:59:18+00:00] running 'kubeadm join phase preflight --ignore-preflight-errors=DirAvailable--etc-kubernetes-manifests'
[2025-04-18 12:59:18] I0418 12:59:18.654289    4143 join.go:413] [preflight] found NodeName empty; using OS hostname as NodeName
[2025-04-18 12:59:18] I0418 12:59:18.654337    4143 joinconfiguration.go:76] loading configuration from "/run/kubeadm/kubeadm-join-config.yaml"
[2025-04-18 12:59:18] I0418 12:59:18.655048    4143 initconfiguration.go:122] detected and using CRI socket: unix:///var/run/containerd/containerd.sock

Resolution

NTP servers were not provided in ESXi. Time synchronisation on vCenter, ESXi, and the Supervisor was incorrect.

Once we synchronised the time on vCenter, ESXi, and the Supervisor, we were able to successfully create the cluster.
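
The check behind the error above, as an added example (not from the original article or from kubeadm's source): it classifies the `jws-kubeconfig-<token ID>` entry of the cluster-info ConfigMap as missing, invalid or valid, and shows how a skewed clock makes an unexpired bootstrap token look expired. It assumes the detached HS256 JWS layout keyed with the token's secret half; the token, kubeconfig text, timestamps and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json
from datetime import datetime, timedelta

def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(header_b64: str, content: str, token_secret: str) -> str:
    """HMAC-SHA256 over '<header>.<base64url(content)>' (assumed key: token secret)."""
    signing_input = f"{header_b64}.{b64url(content.encode())}".encode()
    return b64url(hmac.new(token_secret.encode(), signing_input, hashlib.sha256).digest())

def detached_jws(content: str, token_id: str, token_secret: str) -> str:
    """Build '<header>..<signature>' (payload stripped); used here to make sample data."""
    header = b64url(json.dumps({"alg": "HS256", "kid": token_id}).encode())
    return f"{header}..{sign(header, content, token_secret)}"

def check_cluster_info(data: dict, token: str) -> str:
    """Classify the token's signature in cluster-info data: missing, invalid or valid."""
    token_id, token_secret = token.split(".", 1)
    jws = data.get(f"jws-kubeconfig-{token_id}")
    if jws is None:
        return "missing"  # the condition kubeadm reports in the log on this page
    parts = jws.split(".")
    if len(parts) != 3 or parts[1] != "":
        return "invalid"  # not a detached compact JWS
    expected = sign(parts[0], data["kubeconfig"], token_secret)
    return "valid" if hmac.compare_digest(expected, parts[2]) else "invalid"

def token_expired(expiration: str, now: datetime) -> bool:
    """Compare a bootstrap token's RFC 3339 'expiration' with a given clock."""
    return now >= datetime.fromisoformat(expiration.replace("Z", "+00:00"))

# Constructed sample values (assumptions, not taken from the page).
TOKEN = "abcdef.0123456789abcdef"
KUBECONFIG = "apiVersion: v1\nkind: Config\nclusters: []\n"
UNSIGNED = {"kubeconfig": KUBECONFIG}
SIGNED = {**UNSIGNED, "jws-kubeconfig-abcdef": detached_jws(KUBECONFIG, *TOKEN.split("."))}
EXPIRATION = "2025-04-18T13:10:00Z"
IN_SYNC = datetime.fromisoformat("2025-04-18T12:59:00+00:00")
SKEWED = IN_SYNC + timedelta(minutes=20)  # a clock running 20 minutes ahead

if __name__ == "__main__":
    print(check_cluster_info(UNSIGNED, TOKEN), check_cluster_info(SIGNED, TOKEN))
    print(token_expired(EXPIRATION, IN_SYNC), token_expired(EXPIRATION, SKEWED))
```

On a real cluster the inputs would be the `data` of the `cluster-info` ConfigMap in `kube-public` and the `expiration` field of the `bootstrap-token-<token ID>` Secret in `kube-system`.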