I am setting up a new Kubernetes cluster using the CoreOS documentation (the CoreOS Master setup guide), with the CoreOS v1.6.1 image. Looking at the journalctl logs, I see that the kube-apiserver keeps exiting and restarting.
The following journalctl log lines relate to the kube-apiserver:
checking backoff for container "kube-apiserver" in pod "kube-apiserver-10.138.192.31_kube-system(16c7e04edcd7e775efadd4bdcb1940c4)"
Back-off 5m0s restarting failed container=kube-apiserver pod=kube-apiserver-10.138.192.31_kube-system(16c7e04edcd7e775efadd4bdcb1940c4)
Error syncing pod 16c7e04edcd7e775efadd4bdcb1940c4 ("kube-apiserver-10.138.192.31_kube-system(16c7e04edcd7e775efadd4bdcb1940c4)"), skipping: failed to "StartContainer" for "kube-apiserver" with CrashLoopBackOff: "Back-off 5m0s restarting failed container=kube-apiserver pod=kube-apiserver-10.138.192.31_kube-system(16c7e04edcd7e775efadd4bdcb1940c4)"
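(For reference, this is roughly how I am inspecting the failing container on the master; the container ID is a placeholder:)
# follow kubelet messages about the apiserver pod
journalctl -u kubelet -f | grep kube-apiserver
# find the exited kube-apiserver container and read its own logs
docker ps -a | grep kube-apiserver
docker logs <container-id>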
I am wondering if it is because I need to start the new etcd3 instead of etcd2? Any hints or suggestions are appreciated.
The following is my cloud-config:
coreos:
  etcd2:
    # generate a new token for each unique cluster from https://discovery.etcd.io/new:
    discovery: https://discovery.etcd.io/33e3f7c20be0b57daac4d14d478841b4
    # multi-region deployments, multi-cloud deployments, and Droplets without
    # private networking need to use $public_ipv4:
    advertise-client-urls: http://$private_ipv4:2379,http://$private_ipv4:4001
    initial-advertise-peer-urls: http://$private_ipv4:2380
    # listen on the official ports 2379, 2380 and one legacy port 4001:
    listen-client-urls: http://0.0.0.0:2379,http://0.0.0.0:4001
    listen-peer-urls: http://$private_ipv4:2380
  fleet:
    public-ip: $private_ipv4 # used for fleetctl ssh command
  units:
    - name: etcd2.service
      command: start
However, I have tried the CoreOS v1.5 images and they work fine. It is only with the CoreOS v1.6 images that I cannot get the kube-apiserver running.
You are using etcd2, so you need to pass the flag '--storage-backend=etcd2' to the kube-apiserver in your manifest.
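For illustration only (the manifest path, image entrypoint, and etcd endpoint below are assumptions based on a typical CoreOS hyperkube setup, not taken from your manifest), the relevant part would look roughly like this:
# /etc/kubernetes/manifests/kube-apiserver.yaml (excerpt; most flags omitted)
spec:
  containers:
  - name: kube-apiserver
    command:
    - /hyperkube
    - apiserver
    - --etcd-servers=http://127.0.0.1:2379
    # Kubernetes 1.6 switched the default storage backend to etcd3,
    # so it must be set explicitly while the data still lives in etcd2:
    - --storage-backend=etcd2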
You are using etcd2; maybe you could try etcd3 instead.
You said:
I am wondering if it's because I need to start the new etcd3 version instead of the etcd2? Any hints or suggestion is appreciated.
I would recommend reading this doc to learn how to upgrade etcd.
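As a very rough sketch only (the doc has the authoritative procedure; the data directory below is an assumption, and etcd must be stopped before migrating), the offline v2-to-v3 migration plus the matching apiserver flag look roughly like this:
# migrate the etcd v2 keyspace into the v3 backend (run with etcd stopped)
ETCDCTL_API=3 etcdctl migrate --data-dir=/var/lib/etcd
# then point the kube-apiserver at the v3 backend
--storage-backend=etcd3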
Related
Hope someone can help me.
To describe the situation in short, I have a self managed k8s cluster, running on 3 machines (1 master, 2 worker nodes). In order to make it HA, I attempted to add a second master to the cluster.
After some failed attempts, I found out that I needed to add a controlPlaneEndpoint setting to the kubeadm-config ConfigMap. So I did, setting it to masternodeHostname:6443.
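The change itself was roughly this (the hostname is a placeholder for my actual master hostname):
kubectl -n kube-system edit configmap kubeadm-config
# then, under the ClusterConfiguration data key, add:
#   controlPlaneEndpoint: "masternodeHostname:6443"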
I generated the certificate and join command for the second master, and after running it on the second master machine, it failed with
error execution phase control-plane-join/etcd: error creating local etcd static pod manifest file: timeout waiting for etcd cluster to be available
Checking the first master now, I get connection refused for the IP on port 6443. So I cannot run any kubectl commands.
Tried recreating the .kube folder, with all the config copied there, no luck.
Restarted kubelet, docker.
The containers running on the cluster seem ok, but I am locked out of any cluster configuration (dashboard is down, kubectl commands not working).
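For reference, these are the kinds of checks I have been running on the first master to see what happened to the API server:
# is anything listening on the API server port?
sudo ss -tlnp | grep 6443
# is the kube-apiserver container running at all?
sudo docker ps -a | grep kube-apiserver
# kubelet messages while it tries to bring the static pods back
sudo journalctl -u kubelet --no-pager | tail -n 50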
Is there any way to make it work again, without losing any of the configuration or the deployments already present?
Thanks! Sorry if it's a noob question.
Cluster information:
Kubernetes version: 1.15.3
Cloud being used: bare-metal
Installation method: kubeadm
Host OS: RHEL 7
CNI and version: weave 0.3.0
CRI and version: containerd 1.2.6
This is an old, known problem with Kubernetes 1.15 [1,2].
It is caused by a short etcd timeout period. As far as I'm aware, it is a hard-coded value in the source and cannot be changed (a feature request to make it configurable is open for version 1.22).
Your best bet would be to upgrade to a newer version, and recreate your cluster.
I am a beginner in Kubernetes and I'm trying to set up my first cluster. My worker node has joined the cluster successfully, but when I run kubectl get nodes it is in NotReady status,
and this message appears when I run
kubectl describe node k8s-node-1
runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized
I have run this command to install a Pod network add-on:
kubectl apply -f https://docs.projectcalico.org/v3.14/manifests/calico.yaml
how can I solve this issue?
Adding this answer as community wiki for better visibility. The OP already solved the problem by rebooting the machine.
It is worth remembering that going through all the bootstrapping steps and installing all the prerequisites should leave you with a successfully running cluster. If you had any previous installations, remember to perform kubeadm reset and remove the .kube folder from the home or root directory.
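A minimal cleanup sketch, assuming kubeadm was used for the original install and the kubectl config lives in $HOME/.kube:
# wipe the previous kubeadm state on the node
sudo kubeadm reset
# remove the stale kubectl configuration
rm -rf $HOME/.kube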
I'm also linking this GitHub issue about the same problem, where people provide solutions.
I'm trying to install Istio 1.1.3 on Kubernetes 1.13.5 deployed with minikube 1.0.0, but I get some errors at the end. Here is the log of the installation:
$ minikube start --memory=4096 --disk-size=30g --kubernetes-version=v1.13.5 --profile=istio
minikube v1.0.0 on darwin (amd64)
Downloading Kubernetes v1.13.5 images in the background ...
Creating virtualbox VM (CPUs=2, Memory=4096MB, Disk=30000MB) ...
2019/04/19 19:51:56 No matching credentials were found, falling back on anonymous
2019/04/19 19:51:56 No matching credentials were found, falling back on anonymous
2019/04/19 19:51:56 No matching credentials were found, falling back on anonymous
2019/04/19 19:51:56 No matching credentials were found, falling back on anonymous
"istio" IP address is 192.168.99.104
Configuring Docker as the container runtime ...
Version of container runtime is 18.06.2-ce
Waiting for image downloads to complete ...
Preparing Kubernetes environment ...
Downloading kubeadm v1.13.5
Downloading kubelet v1.13.5
Pulling images required by Kubernetes v1.13.5 ...
Launching Kubernetes v1.13.5 using kubeadm ...
Waiting for pods: apiserver proxy etcd scheduler controller dns
Configuring cluster permissions ...
Verifying component health .....
kubectl is now configured to use "istio"
Done! Thank you for using minikube!
$ ./bin/istioctl version
version.BuildInfo{Version:"1.1.3", GitRevision:"d19179769183541c5db473ae8d062ca899abb3be", User:"root", Host:"fbd493e1-5d72-11e9-b00d-0a580a2c0205", GolangVersion:"go1.10.4", DockerHub:"docker.io/istio", BuildStatus:"Clean", GitTag:"1.1.2-56-gd191797"}
$ kubectl create -f install/kubernetes/istio-demo.yaml
namespace/istio-system created
customresourcedefinition.apiextensions.k8s.io/virtualservices.networking.istio.io created
customresourcedefinition.apiextensions.k8s.io/destinationrules.networking.istio.io created
customresourcedefinition.apiextensions.k8s.io/serviceentries.networking.istio.io created
customresourcedefinition.apiextensions.k8s.io/gateways.networking.istio.io created
customresourcedefinition.apiextensions.k8s.io/envoyfilters.networking.istio.io created
customresourcedefinition.apiextensions.k8s.io/clusterrbacconfigs.rbac.istio.io created
customresourcedefinition.apiextensions.k8s.io/policies.authentication.istio.io created
customresourcedefinition.apiextensions.k8s.io/meshpolicies.authentication.istio.io created
customresourcedefinition.apiextensions.k8s.io/httpapispecbindings.config.istio.io created
customresourcedefinition.apiextensions.k8s.io/httpapispecs.config.istio.io created
customresourcedefinition.apiextensions.k8s.io/quotaspecbindings.config.istio.io created
customresourcedefinition.apiextensions.k8s.io/quotaspecs.config.istio.io created
customresourcedefinition.apiextensions.k8s.io/rules.config.istio.io created
customresourcedefinition.apiextensions.k8s.io/attributemanifests.config.istio.io created
...
unable to recognize "install/kubernetes/istio-demo.yaml": no matches for kind "attributemanifest" in version "config.istio.io/v1alpha2"
That seems strange, as the CRDs appear to have been created successfully, yet when they are then referenced to create objects of those CRD kinds, it fails.
I omitted the other errors, but the same happens for "handler", "logentry", "rule", "metric", "kubernetes", and "DestinationRule".
On the documentation page https://istio.io/docs/setup/kubernetes/, it is stated that
Istio 1.1 has been tested with these Kubernetes releases: 1.11, 1.12, 1.13.
Does anyone have an idea?
In the docs there is a step to install the CRDs (istio-init). I don't see that in your snippet; it seems that's what you're missing.
So:
$ for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done
Your missing CRD seems to be defined in this exact file: https://github.com/istio/istio/blob/master/install/kubernetes/helm/istio-init/files/crd-10.yaml but you should install all of them.
My bad, it seems that I have skipped the first step:
Install all the Istio Custom Resource Definitions (CRDs) using kubectl apply, and wait a few seconds for the CRDs to be committed in the Kubernetes API-server:
$ for i in install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done
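As a quick sanity check (the exact count depends on the Istio 1.1.x release, so treat the number as approximate), the committed CRDs can be counted before applying istio-demo.yaml:
$ kubectl get crds | grep 'istio.io' | wc -l
# Istio 1.1 ships several dozen CRDs; a count of 0 means the init step was skipped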
I am trying to implement an audit policy.
My YAML:
~/.minikube/addons$ cat audit-policy.yaml
# Log all requests at the Metadata level.
apiVersion: audit.k8s.io/v1beta1
kind: Policy
rules:
- level: Metadata
Pods got stuck
minikube start --extra-config=apiserver.Authorization.Mode=RBAC --extra-config=apiserver.Audit.LogOptions.Path=/var/logs/audit.log --extra-config=apiserver.Audit.PolicyFile=/etc/kubernetes/addons/audit-policy.yaml
minikube v0.35.0 on linux (amd64)
Tip: Use 'minikube start -p <name>' to create a new cluster, or 'minikube delete' to delete this one.
Restarting existing virtualbox VM for "minikube" ...
Waiting for SSH access ...
"minikube" IP address is 192.168.99.101
Configuring Docker as the container runtime ...
Preparing Kubernetes environment ...
  - apiserver.Authorization.Mode=RBAC
  - apiserver.Audit.LogOptions.Path=/var/logs/audit.log
  - apiserver.Audit.PolicyFile=/etc/kubernetes/addons/audit-policy.yaml
Pulling images required by Kubernetes v1.13.4 ...
Relaunching Kubernetes v1.13.4 using kubeadm ...
Waiting for pods: apiserver
Why?
I can do this:
minikube start
Then I go for minikube ssh
$ sudo bash
$ cd /var/logs
bash: cd: /var/logs: No such file or directory
$ ls
cache empty lib lock log run spool tmp
How do I apply the extra-config?
I don't have good news. Although you made a mistake with /var/logs (the directory is /var/log), it does not matter in this case, as there seems to be no way to implement an audit policy in Minikube (well, there are a few ways at least, but they all seem to fail).
You can try a couple of the approaches presented in the GitHub issues and other links I will provide, but I have tried probably all of them and they do not work with the current Minikube version. You might be able to make this work with earlier versions, as it seems that at some point it was possible in the way described in your question, but in the current version it is not. Anyway, I have spent some time trying the approaches from the links plus a couple of my own ideas, with no success; maybe you will be able to find the missing piece.
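For comparison, on a cluster where you control the kube-apiserver manifest directly (i.e. not Minikube), auditing is wired up with the upstream flags below; the paths here are only examples:
# kube-apiserver flags (illustrative paths)
--audit-policy-file=/etc/kubernetes/audit-policy.yaml
--audit-log-path=/var/log/kubernetes/audit.log
--audit-log-maxage=30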
You can find more information in these documents:
Audit Logfile Not Created
Service Accounts and Auditing in Kubernetes
fails with -extra-config=apiserver.authorization-mode=RBAC and audit logging: timed out waiting for kube-proxy
How do I enable an audit log on minikube?
Enable Advanced Auditing Webhook Backend Configuration
I am setting up Kubernetes with flannel following the instructions from
https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/getting-started-guides/centos/centos_manual_config.md
http://www.severalnines.com/blog/installing-kubernetes-cluster-minions-centos7-manage-pods-services
I am blocked at the following two steps and have been unable to find troubleshooting guidance. I am running this on the master node.
kubectl get minions
Error: Get http://localhost:8080/api/v1beta3/minions: dial tcp 127.0.0.1:8080: connection refused
Is this related to the flannel network, or should it give the minion information on the master node?
etcdctl mk /coreos.com/network/config '{"Network":"172.17.0.0/16"}'
Error: cannot sync with the cluster using endpoints http://127.0.0.1:4001, http://127.0.0.1:2379
Where is port 2379 specified, and how do I troubleshoot to get the sync step to work?
It looks like you have an issue with etcd. Are you sure you have an etcd cluster up and running? How did you configure your etcd cluster?
Some time ago Minions were renamed to Nodes, so you should use kubectl get nodes instead.
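A quick way to confirm etcd is reachable on the endpoints from your error message (assuming the etcd2-era client tooling that ships with this setup):
# etcd v2 cluster health check
etcdctl cluster-health
# confirm something is listening on the client ports
sudo ss -tlnp | grep -E '2379|4001'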
Both the errors went away when I restarted the etcd service
sudo systemctl start etcd
systemctl status etcd
Active: active (running)
I am no longer getting the errors. However, the command kubectl get minions is not giving any output. I am looking for a way to debug this, as I am expecting it to list two other nodes.
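For reference, this is the kind of check I am trying on the minion nodes (service names as used in the CentOS guide):
# on each minion, make sure the node services are running
systemctl status kubelet kube-proxy flanneld docker
# and look at the kubelet log for registration errors
journalctl -u kubelet --no-pager | tail -n 50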
I followed the steps with a clean machine, and got it working.