boundless-eye-27124
12/19/2022, 9:32 PM
ulimit memlock=-1:-1 in RKE2 k8s containers?
straight-lunch-71206
12/20/2022, 3:39 PM
boundless-eye-27124
12/20/2022, 10:52 PM
straight-morning-82320
12/21/2022, 11:14 AM
narrow-noon-75604
12/22/2022, 9:29 AM
steep-manchester-31195
12/22/2022, 9:59 AM
rke2-server service on an rke2-agent service node. It converted the node in the cluster to a control-plane node, which it shouldn't be. I removed the node (kubectl delete node), rebooted it and started rke2-agent again, which added it. As good as everything is fine now, but control-plane pods are still started on the node...
I tried deleting the pods, but they always come back:
cloud-controller-manager-agent-001 0/1 Error 2 9m17s
etcd-agent-001 0/1 Completed 14 5m10s
kube-apiserver-agent-001 0/1 Error 19 5m10s
kube-controller-manager-agent-001 1/1 Running 2 (34m ago) 3m7s
kube-scheduler-agent-001 1/1 Running 2 (34m ago) 3m6s
I thought etcd might be the problem, so I tried to annotate kubectl annotate node agent-001 etcd.k3s.cattle.io/remove=true, but this did not work.
How do I proceed?
steep-manchester-31195
12/22/2022, 10:00 AM
billions-easter-91774
12/25/2022, 6:14 PM
field.cattle.io/publicEndpoints what is it used for and how can I control it?
boundless-notebook-59700
12/29/2022, 5:57 PM
straight-helicopter-43647
12/30/2022, 12:23 AM
straight-helicopter-43647
12/30/2022, 12:24 AM
straight-helicopter-43647
12/30/2022, 12:26 AM
straight-helicopter-43647
12/30/2022, 1:34 AM
breezy-beard-17581
12/30/2022, 3:00 AM
glamorous-alarm-16304
12/30/2022, 7:49 AM
Dec 30 16:41:53 worker1 rke2[2343799]: time="2022-12-30T16:41:53+09:00" level=error msg="Remotedialer proxy error" error="connect not allowed"
Dec 30 16:41:58 worker1 rke2[2343799]: time="2022-12-30T16:41:58+09:00" level=info msg="Connecting to proxy" url="wss://master-ip:9345/v1-rke2/connect"
Server Node: rke2-server service shows logs below
Dec 30 07:41:53 server rke2[1379172]: time="2022-12-30T07:41:53Z" level=warning msg="Proxy error: read failed: tunnel disconnect"
Dec 30 07:41:58 server rke2[1379172]: time="2022-12-30T07:41:58Z" level=info msg="Handling backend connection request [lambda-server-cpu-2]"
Dec 30 07:42:04 server rke2[1379172]: time="2022-12-30T07:42:04Z" level=info msg="error in remotedialer server [400]: websocket: close 1006 (abnormal closure): unexpected EOF
Could you suggest where I should start to debug this?
numerous-country-20400
12/30/2022, 9:40 AM
refined-kilobyte-28429
12/31/2022, 5:32 AM
kubectl get serviceaccounts --all-namespaces -o json | jq -r '.items[] | select(.metadata.name=="default") | select((.automountServiceAccountToken == null) or (.automountServiceAccountToken == true))' | jq .metadata.namespace
Any ideas?
lemon-air-99682
01/02/2023, 7:38 PM
lemon-air-99682
01/02/2023, 7:43 PM
rke2-{server|agent}.service. But in the Installation Methods doc and all over in the other docs, it says to run the rke2 binary with either a config file or config flags and makes no mention of starting or enabling services.
What is the recommended installation method?
mysterious-whale-87222
01/02/2023, 8:40 PM
apiVersion: provisioning.cattle.io/v1
kind: Cluster
metadata:
  name: test
  annotations:
    {}
  labels:
    {}
  namespace: fleet-default
spec:
  cloudCredentialSecretName: cattle-global-data:cc-ddncq
  defaultPodSecurityPolicyTemplateName: ''
  kubernetesVersion: v1.24.8+rke2r1
  localClusterAuthEndpoint:
    caCerts: ''
    enabled: false
    fqdn: ''
  rkeConfig:
    additionalManifest: |+
      apiVersion: v1
      kind: Secret
      metadata:
        name: ccm-linode
        namespace: kube-system
      type: Opaque
      data:
        apiToken: xxxx
        region: xxxx
      ---
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: ccm-linode
        namespace: kube-system
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        name: ccm-linode-clusterrole
      rules:
        - apiGroups: [""]
          resources: ["endpoints"]
          verbs: ["get", "watch", "list", "update", "create"]
        - apiGroups: [""]
          resources: ["nodes"]
          verbs: ["get", "watch", "list", "update", "delete", "patch"]
        - apiGroups: [""]
          resources: ["nodes/status"]
          verbs: ["get", "watch", "list", "update", "delete", "patch"]
        - apiGroups: [""]
          resources: ["events"]
          verbs: ["get", "watch", "list", "update", "create", "patch"]
        - apiGroups: [""]
          resources: ["persistentvolumes"]
          verbs: ["get", "watch", "list", "update"]
        - apiGroups: [""]
          resources: ["secrets"]
          verbs: ["get"]
        - apiGroups: [""]
          resources: ["services"]
          verbs: ["get", "watch", "list"]
        - apiGroups: [""]
          resources: ["services/status"]
          verbs: ["get", "watch", "list", "update", "patch"]
      ---
      kind: ClusterRoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: ccm-linode-clusterrolebinding
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: ccm-linode-clusterrole
      subjects:
        - kind: ServiceAccount
          name: ccm-linode
          namespace: kube-system
      ---
      apiVersion: apps/v1
      kind: DaemonSet
      metadata:
        name: ccm-linode
        labels:
          app: ccm-linode
        namespace: kube-system
      spec:
        selector:
          matchLabels:
            app: ccm-linode
        template:
          metadata:
            labels:
              app: ccm-linode
          spec:
            serviceAccountName: ccm-linode
            nodeSelector:
              # The CCM will only run on a Node labelled as a master, you may want to change this
              node-role.kubernetes.io/master: ""
            tolerations:
              # The CCM can run on Nodes tainted as masters
              - key: "node-role.kubernetes.io/master"
                effect: "NoSchedule"
              # The CCM is a "critical addon"
              - key: "CriticalAddonsOnly"
                operator: "Exists"
              # This taint is set on all Nodes when an external CCM is used
              - key: node.cloudprovider.kubernetes.io/uninitialized
                value: "true"
                effect: NoSchedule
              - key: node.kubernetes.io/not-ready
                operator: Exists
                effect: NoSchedule
              - key: node.kubernetes.io/unreachable
                operator: Exists
                effect: NoSchedule
            hostNetwork: true
            containers:
              - image: linode/linode-cloud-controller-manager:latest
                imagePullPolicy: Always
                name: ccm-linode
                args:
                  - --leader-elect-resource-lock=endpoints
                  - --v=3
                  - --port=0
                  - --secure-port=10253
                volumeMounts:
                  - mountPath: /etc/kubernetes
                    name: k8s
                env:
                  - name: LINODE_API_TOKEN
                    valueFrom:
                      secretKeyRef:
                        name: ccm-linode
                        key: apiToken
                  - name: LINODE_REGION
                    valueFrom:
                      secretKeyRef:
                        name: ccm-linode
                        key: region
            volumes:
              - name: k8s
                hostPath:
                  path: /etc/kubernetes
    chartValues:
      rke2-calico: {}
    etcd:
      disableSnapshots: false
      s3:
      snapshotRetention: 5
      snapshotScheduleCron: 0 */5 * * *
    machineGlobalConfig:
      cni: calico
      disable-kube-proxy: false
      etcd-expose-metrics: false
      profile: null
    machinePools:
      - name: pool1
        etcdRole: true
        controlPlaneRole: true
        workerRole: true
        hostnamePrefix: ''
        quantity: 1
        unhealthyNodeTimeout: 0m
        machineConfigRef:
          kind: LinodeConfig
          name: nc-test-pool1-gzwhp
        labels: {}
    machineSelectorConfig:
      - config:
          cloud-provider-name: external
          protect-kernel-defaults: false
    registries:
      configs:
        {}
      mirrors:
        {}
    upgradeStrategy:
      controlPlaneConcurrency: '1'
      controlPlaneDrainOptions:
        deleteEmptyDirData: true
        disableEviction: false
        enabled: false
        force: false
        gracePeriod: -1
        ignoreDaemonSets: true
        skipWaitForDeleteTimeoutSeconds: 0
        timeout: 120
      workerConcurrency: '1'
      workerDrainOptions:
        deleteEmptyDirData: true
        disableEviction: false
        enabled: false
        force: false
        gracePeriod: -1
        ignoreDaemonSets: true
        skipWaitForDeleteTimeoutSeconds: 0
        timeout: 120
  machineSelectorConfig:
    - config: {}
__clone: true
What the exact error is, I can not currently determine, because I get no access to the cluster via the rancher ui yet.
gorgeous-oyster-35026
01/03/2023, 1:59 PM
gentle-eye-36337
01/03/2023, 4:46 PM
felixConfiguration.failsafeInboundHostPorts so we can protect it with policies. I opened an issue here but wanted to know if I am overlooking something.
square-policeman-85866
01/05/2023, 1:10 PM
future-monitor-61871
01/05/2023, 5:13 PM
square-policeman-85866
01/05/2023, 5:22 PM
handsome-monitor-68857
01/09/2023, 4:37 AM
Provider: *RKE2*
Kubernetes Version: *v1.24.7*
creamy-pencil-82913
01/09/2023, 5:22 AM
bright-farmer-78407
01/09/2023, 7:02 PM
adorable-hairdresser-9976
01/10/2023, 12:16 AM
boundless-eye-27124
01/10/2023, 1:03 AM