gifted-morning-94496
09/11/2022, 10:31 AM
lively-tailor-38572
09/12/2022, 11:38 PM
lively-tailor-38572
09/12/2022, 11:42 PM
lively-tailor-38572
09/12/2022, 11:44 PM
chilly-telephone-51989
09/15/2022, 7:57 AM
cuddly-egg-57762
09/16/2022, 10:01 AM
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: cilium
  namespace: kube-system
spec:
  bootstrap: True
  chart: cilium/cilium
  version: 1.12.1
  targetNamespace: kube-system
  valuesContent: |-
    operator:
      replicas: 2
      image:
        useDigest: false
    tunnel: disabled
    autoDirectNodeRoutes: true
    kubeProxyReplacement: strict
    loadBalancer:
      standalone: false
      mode: dsr
    k8sServiceHost: 10.130.42.39
    k8sServicePort: 6443
    nativeRoutingCIDR: 10.0.0.0/16
    image:
      useDigest: false
      pullPolicy: IfNotPresent
but the job pod fails with this error:
+ echo 'Installing helm_v3 chart'
+ helm_v3 install --namespace kube-system --version 1.12.1 cilium cilium/cilium --values /config/values-01_HelmChart.yaml
Error: INSTALLATION FAILED: failed to download "cilium/cilium" at version "1.12.1"
If I try to install the chart manually (helm install cilium cilium/cilium ...), it works
clever-air-65544
09/16/2022, 2:29 PM
jolly-waitress-71272
09/16/2022, 5:12 PM
k delete node exampleNode, uninstalling k3s on them, then following https://rancher.com/docs/k3s/latest/en/installation/ha/#2-launch-server-nodes
bitter-furniture-26042
09/16/2022, 11:38 PM
creamy-pencil-82913
09/17/2022, 7:46 PM
jolly-waitress-71272
09/20/2022, 5:34 PM
gifted-morning-94496
09/22/2022, 5:42 AM
cuddly-jordan-17092
09/22/2022, 6:17 AM
openssl s_client -connect kube1001:6443 2>&1 | grep issuer
verify error:num=20:unable to get local issuer certificate
issuer=/CN=k3s-server-ca@1649270763
openssl s_client -connect kube1001:443 2>&1 | grep issuer
verify error:num=20:unable to get local issuer certificate
issuer=/CN=k3s-server-ca@1649270763
openssl s_client -connect kube1001:80 2>&1 | grep issuer
verify error:num=20:unable to get local issuer certificate
issuer=/CN=k3s-server-ca@1649270763
bland-account-99790
09/22/2022, 3:16 PM
clever-analyst-23771
channel
but this survey helps us drive direction and is critically important to the k3s team, sorry and thank you for your support.
fancy-monitor-61453
09/22/2022, 3:30 PM
bulky-computer-31499
09/22/2022, 3:31 PM
helpful-stone-91643
09/22/2022, 3:51 PM
adamant-vegetable-68940
09/23/2022, 2:12 AM
'traefik.ingress.kubernetes.io/redirect-entry-point': 'https',
narrow-area-44893
09/23/2022, 2:55 AM
bitter-nightfall-76021
09/23/2022, 2:21 PM
Error: failed to create ambient informer service: error getting host IP: <nil>
I do not expect anybody to understand that, but at least to point me to what could be the reason the process cannot get the host IP. Thanks!
bland-painting-61617
09/24/2022, 11:56 AM
--disable-agent flag so that the control plane pod is not registering itself as a node.
The control plane environment is accessed by a public IP which works well, I can get pod logs and shell from my test workstation and from a side container on the control plane node I can curl to services inside the cluster which confirms the built in proxying is working - however, when I deploy gatekeeper, the control plane is not able to execute the webhook (which is strange because I can curl that webhook from the control plane pod sidecar just fine).
Error from server (InternalError): error when creating "https://raw.githubusercontent.com/metallb/metallb/v0.12.1/manifests/namespace.yaml": Internal error occurred: failed calling webhook "check-ignore-label.gatekeeper.sh": failed to call webhook: Post "https://gatekeeper-webhook-service.gatekeeper-system.svc:443/v1/admitlabel?timeout=3s": context deadline exceeded
The above is the error and below is the curl from the CP side car:
/ # curl "https://gatekeeper-webhook-service.gatekeeper-system.svc:443/v1/admit?timeout=3s" -Ivk
* Trying 10.0.17.2:443...
* Connected to gatekeeper-webhook-service.gatekeeper-system.svc (10.0.17.2) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: CN=gatekeeper-webhook-service.gatekeeper-system.svc
* start date: Aug 23 11:45:37 2022 GMT
* expire date: Aug 23 11:55:37 2024 GMT
* issuer: CN=gatekeeper-ca
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
The connectivity is definitely there, but somehow something isn't connecting. The k3s cp process logs:
k3s I0924 11:53:04.418026 46 trace.go:205] Trace[729582201]: "Proxy via http_connect protocol over tcp" address:10.42.0.8:8443 (24-Sep-2022 11:50:54.455) (total time: 129962ms):
k3s Trace[729582201]: [2m9.962952731s] [2m9.962952731s] END
k3s I0924 11:53:04.418106 46 trace.go:205] Trace[975991258]: "Proxy via http_connect protocol over tcp" address:10.42.0.7:8443 (24-Sep-2022 11:50:53.454) (total time: 130963ms):
k3s Trace[975991258]: [2m10.963777266s] [2m10.963777266s] END
k3s I0924 11:53:04.418387 46 trace.go:205] Trace[1687549248]: "Proxy via http_connect protocol over tcp" address:10.42.0.7:8443 (24-Sep-2022 11:50:53.454) (total time: 130964ms):
k3s Trace[1687549248]: [2m10.964212472s] [2m10.964212472s] END
k3s I0924 11:53:04.418121 46 trace.go:205] Trace[1695746900]: "Proxy via http_connect protocol over tcp" address:10.42.0.9:8443 (24-Sep-2022 11:50:54.944) (total time: 129473ms):
k3s Trace[1695746900]: [2m9.473126709s] [2m9.473126709s] END
k3s I0924 11:53:04.418155 46 trace.go:205] Trace[1578279874]: "Proxy via http_connect protocol over tcp" address:10.42.0.8:8443 (24-Sep-2022 11:50:54.457) (total time: 129961ms):
k3s Trace[1578279874]: [2m9.961131206s] [2m9.961131206s] END
k3s I0924 11:53:04.418160 46 trace.go:205] Trace[406850929]: "Proxy via http_connect protocol over tcp" address:10.42.0.7:8443 (24-Sep-2022 11:50:53.944) (total time: 130473ms):
k3s Trace[406850929]: [2m10.473654339s] [2m10.473654339s] END
k3s I0924 11:53:04.418208 46 trace.go:205] Trace[1213933259]: "Proxy via http_connect protocol over tcp" address:10.42.0.9:8443 (24-Sep-2022 11:50:54.455) (total time: 129962ms):
k3s Trace[1213933259]: [2m9.962336223s] [2m9.962336223s] END
k3s I0924 11:53:04.418239 46 trace.go:205] Trace[1402600249]: "Proxy via http_connect protocol over tcp" address:10.42.0.7:8443 (24-Sep-2022 11:50:55.121) (total time: 129297ms):
k3s Trace[1402600249]: [2m9.297126293s] [2m9.297126293s] END
k3s I0924 11:53:04.418302 46 trace.go:205] Trace[1277249521]: "Proxy via http_connect protocol over tcp" address:10.42.0.8:8443 (24-Sep-2022 11:50:54.119) (total time: 130298ms):
k3s Trace[1277249521]: [2m10.298506336s] [2m10.298506336s] END
k3s I0924 11:53:04.418305 46 trace.go:205] Trace[688495020]: "Proxy via http_connect protocol over tcp" address:10.42.0.8:8443 (24-Sep-2022 11:50:53.454) (total time: 130964ms):
k3s Trace[688495020]: [2m10.964143771s] [2m10.964143771s] END
k3s I0924 11:53:05.376142 46 trace.go:205] Trace[1922244545]: "Call mutating webhook" configuration:gatekeeper-mutating-webhook-configuration,webhook:mutation.gatekeeper.sh,resource:/v1, Resource=configmaps,subresource:,operation:UPDATE,UID:bfb30054-8598-496e-9cd7-cbb4765fa8e1 (24-Sep-2022 11:53:04.375) (total time: 1000ms):
k3s Trace[1922244545]: [1.000712635s] [1.000712635s] END
k3s W0924 11:53:05.376198 46 dispatcher.go:180] Failed calling webhook, failing open mutation.gatekeeper.sh: failed calling webhook "mutation.gatekeeper.sh": failed to call webhook: Post "https://gatekeeper-webhook-service.gatekeeper-system.svc:443/v1/mutate?timeout=1s": context deadline exceeded
k3s E0924 11:53:05.376218 46 dispatcher.go:184] failed calling webhook "mutation.gatekeeper.sh": failed to call webhook: Post "https://gatekeeper-webhook-service.gatekeeper-system.svc:443/v1/mutate?timeout=1s": context deadline exceeded
Any ideas why the proxying wouldn't work for the webhook but works for logs and curl?
limited-potato-16824
09/26/2022, 5:30 AM
id field. I receive the error Duplicate entry '2147483647' for key 'PRIMARY' from the database.
Any hints on how to fix this?
careful-alarm-5840
09/26/2022, 6:58 AM
aloof-article-40011
09/26/2022, 4:23 PM
flannel-backend=host-gw
All nodes are reachable between each other and from workers, I see the cni0 interface and I can ping pods from the host. On server I cannot ping pods from the host, and there is no cni0 interface.
Servers have a --node-taint='k3s-controlplane=true:NoSchedule' taint, which I assumed meant that non system workloads aren't scheduled, but looks like no workloads are scheduled on workers at all, including coredns, etc. I ran out of places to look for a cause, does anyone have any insight? Thanks in advance
stale-author-3655
09/27/2022, 6:36 AM
wooden-library-55047
09/27/2022, 3:19 PM
narrow-area-44893
09/28/2022, 4:11 AM
nutritious-apartment-10061
09/28/2022, 5:16 PM