kubeadm config upload from-flags --service-cidr 172.26.0.0/16

in:

kubectl -n kube-system edit cm kubeadm-config

Also this file:

/etc/kubernetes/manifests/kube-apiserver.yaml

and this file:

/etc/kubernetes/manifests/kube-controller-manager.yaml

Backup the apiserver cert files:

mv /etc/kubernetes/pki/apiserver.{crt,key} /bak

Save all svcs and recreate svcs:

kubectl get svc --all-namespaces | grep -v -w kubernetes| awk '$4 !~ /None|CLUSTER/{print "kubectl get svc -n "$1" " $2 " -o yaml && echo ---"}' | bash | sed '/clusterIP: 10/d'  > all_svc.yaml
 
kubectl get svc --all-namespaces | awk '$4 !~ /None|CLUSTER/{print "kubectl delete svc -n "$1" " $2}' | bash
 
kubectl apply -f all_svc.yaml

update the cluster DNS:

kubectl get svc -A |grep dns
 
 
change entry in
/etc/cni/net.d/calico-kubeconfig
for the intern connecting to kube-api server
<code bash>
server: https://172.30.0.1:443

and change init.yml file

networking: serviceSubnet: 172.30.0.0/16 podSubnet: 172.20.0.0/16

# change kubelet config kubectl -n kube-system edit cm kubelet-config </code>

update the apiserver certs:

kubeadm init phase certs apiserver --config=kubeadm.yaml
 
kubeadm upgrade node phase kubelet-config
 
systemctl restart kubelet

After doing this in all master nodes and rebooting I can see that the services are using 172.26.0.0/16 range.

Probably it will give an error for 172.26.0.1 as this ip is not recognized by the PKI.

In k8s 1.12 it can be fixed using:

kubeadm alpha phase certs all --apiserver-advertise-address 0.0.0.0
--apiserver-cert-extra-sans=<leaderip>,<newserviceip>