The connection to the server ... was refused

DodaTech

The “connection to the server was refused” error means the TCP connection to the Kubernetes API server address was rejected, usually because nothing is listening on the expected port.

What It Means

Kubectl sent a TCP SYN packet to the API server address and received a TCP RST (reset) response. This indicates that either nothing is listening on port 6443, or a firewall is actively rejecting the connection rather than dropping it silently.

Why It Happens

  • The API server process is not running on the master node.
  • The API server is running on a different port than expected.
  • A local firewall (iptables, ufw) is blocking inbound connections.
  • The kubeconfig context points to the wrong server or port.
  • The cluster is down or undergoing maintenance.
  • A proxy or load balancer in front of the API server is misconfigured.
  • The cluster was destroyed or decommissioned.

How to Fix It

Step 1: Check if the API server process is running

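If you have SSH access to the control plane:

# These commands apply when kube-apiserver runs as a systemd unit.
# On kubeadm clusters it runs as a static pod managed by the kubelet, so no such unit exists.
ssh <master-node>
sudo systemctl status kube-apiserver
sudo systemctl restart kube-apiserver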

For managed clusters (EKS, GKE, AKS), check the cloud console.

Step 2: Verify the API server port

Check which port your kubeconfig uses:

kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'

Default ports:

  • 6443 – HTTPS (standard)
  • 8080 – HTTP (insecure: no TLS or authentication; local development only)
  • 443 – HTTPS (behind load balancer)

Try connecting with curl:

# -k skips certificate verification; fine for a reachability check, not for sending credentials
curl -k https://<server>:6443
curl -k https://<server>:443

Step 3: Check local firewall rules

sudo iptables -L -n | grep 6443
sudo ufw status

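If the port is blocked, add a rule to allow it:

# This opens 6443 to every source address; restrict the rule to the networks that need API access where possible
sudo ufw allow 6443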

Step 4: Switch to the correct context

You might be pointing at a cluster that no longer exists:

kubectl config get-contexts
kubectl config use-context <correct-context>

Step 5: Check if a proxy is interfering

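If you use an HTTP proxy, ensure it’s not interfering:

# kubectl also honours the lowercase variants of these variables
echo "HTTP_PROXY=$HTTP_PROXY http_proxy=$http_proxy"
echo "HTTPS_PROXY=$HTTPS_PROXY https_proxy=$https_proxy"

Temporarily unset proxies for testing:

unset HTTP_PROXY HTTPS_PROXY NO_PROXY http_proxy https_proxy no_proxy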
kubectl get pods

Step 6: Restart kubectl proxy (if using port forwarding)

If you’re using kubectl proxy, ensure it’s running:

kubectl proxy --port=8080 &

What is the difference between 'connection refused' and 'i/o timeout'?

Connection refused means the server actively rejected the TCP handshake — a process is not listening on the port, or a firewall sent a RST packet. I/O timeout means the SYN packet was sent but no response was received — packets are being silently dropped.

Can a misconfigured load balancer cause this error?

Yes. If a load balancer in front of the API server is misconfigured (wrong health check, wrong target group, SSL offloading issues), it may reject connections even though the API server itself is healthy. Check the load balancer configuration in your cloud console.

How do I test the API server directly without kubectl?

Use curl -k https://<api-server>:6443. A healthy API server returns a JSON response with endpoints and a 401 status (because you’re not authenticated). If curl gets “Connection refused” instead, the server is unreachable at that port.
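
The refused-versus-timeout distinction described above can be checked with a single TCP probe against the server URL printed by the Step 2 kubectl config view command. The Python script below is an added example, not part of the original article; its function names and hint strings are illustrative, and the default URL is a constructed sample.

```python
import errno
import socket
import sys
from urllib.parse import urlsplit

# Hint strings are illustrative; step numbers refer to the article above.
NEXT_STEP = {
    "listening": "TCP handshake works; look at TLS, auth or kubectl context",
    "refused": "RST received; check API server process, port, reject rules (Steps 1-3)",
    "timeout": "no reply; packets are dropped by a firewall or security group",
    "dns-failure": "name does not resolve; check the kubeconfig server (Step 4)",
    "unreachable": "no route to host; check network, VPN or routing",
}

def api_endpoint(server_url):
    """Split a kubeconfig 'server' URL into (host, port) with scheme defaults."""
    parts = urlsplit(server_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a usable server URL: {server_url!r}")
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)

def probe(host, port, timeout=3.0):
    """Attempt one TCP handshake and classify how it ended."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "listening"
    except ConnectionRefusedError:
        return "refused"      # peer answered with RST
    except socket.timeout:
        return "timeout"      # SYN went unanswered
    except socket.gaierror:
        return "dns-failure"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise

def diagnose(server_url, timeout=3.0):
    """Return 'host:port state: hint' for the given API server URL."""
    host, port = api_endpoint(server_url)
    state = probe(host, port, timeout)
    return f"{host}:{port} {state}: {NEXT_STEP[state]}"

if __name__ == "__main__":
    # Default URL is a constructed sample; pass the real one as argv[1].
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "https://127.0.0.1:6443"))
```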
