Kubelet no longer listening on read only port 10255 #128
Comments
Hey thanks for the PR and Issue. You are welcome to build an AMI with this setting configured, but the feature is deprecated: |
@micahhausler Unfortunately, it is a breaking change without any notice and major version change. It also contradicts your official Kubernetes dashboard documentation, where it still suggested to setup heapster with
For anyone who wants to fix dashboard deployment with minimal effort, apply this patch:
with following command:
And create role which will allow heapster to operate and bind it to heapster service account:
Solution was originally provided by @mrwulf. |
I wanted to provide a little more color in case anyone else comes by with the same issue we had.

tl;dr Pull Request #90 introduced some unannounced breaking changes which conflicted with the defaults defined by the prometheus-operator helm chart. This resulted in alerts reporting that Kubelet and other core K8s components were down.

As required to avoid deprecation issues, EKS moved from using kubelet's command line arguments to a config file. However, the default values used in the file-based configuration are actually different. From the kubectl docs:

This resulted in a change to the value of kubelet's ReadOnlyPort, from the default of

By default, the Helm Chart for Prometheus Operator uses the ReadOnlyPort (aka http-metrics) to scrape various metrics. To fix, we set |
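Added example (not part of the original thread and not kubelet or EKS AMI code): a small Python resolver for the effect described in the comment above, where moving from flags to a config file changes whether the unauthenticated read-only port is open. It assumes the documented kubelet behaviour that `--read-only-port` defaults to 10255 when only flags are used, that `readOnlyPort` defaults to 0 (disabled) once `--config` is given, and that an explicit flag overrides the file; it also assumes a JSON config file, and the command lines and config text are constructed samples.

```python
import json
import shlex

LEGACY_FLAG_DEFAULT = 10255  # assumed kubelet default when configured by flags only
CONFIG_FILE_DEFAULT = 0      # assumed KubeletConfiguration default; 0 means disabled


def flag_value(argv, name):
    """Return the last value given for a flag, in '--name=v' or '--name v' form."""
    value = None
    for i, arg in enumerate(argv):
        if arg == name and i + 1 < len(argv):
            value = argv[i + 1]
        elif arg.startswith(name + "="):
            value = arg.split("=", 1)[1]
    return value


def effective_read_only_port(cmdline, config_text=None):
    """Resolve (port, source) for the kubelet read-only port; port 0 means closed."""
    argv = shlex.split(cmdline)
    explicit = flag_value(argv, "--read-only-port")
    if explicit is not None:
        # An explicit flag overrides whatever the config file says.
        return int(explicit), "flag"
    if flag_value(argv, "--config") is None:
        # Flags-only kubelet: the legacy default applies and the port is open.
        return LEGACY_FLAG_DEFAULT, "flag default"
    config = json.loads(config_text or "{}")
    if "readOnlyPort" in config:
        return int(config["readOnlyPort"]), "config file"
    # Config file in use but the field is absent: the port is disabled.
    return CONFIG_FILE_DEFAULT, "config file default"


if __name__ == "__main__":
    # Constructed samples: an older flags-only node, a newer config-file node,
    # and a config-file node with the flag added back as a workaround.
    config = '{"kind": "KubeletConfiguration", "address": "0.0.0.0"}'
    samples = [
        ("kubelet --kubeconfig /var/lib/kubelet/kubeconfig", None),
        ("kubelet --config /etc/kubelet/config.json", config),
        ("kubelet --config /etc/kubelet/config.json --read-only-port=10255", config),
    ]
    for cmdline, text in samples:
        port, source = effective_read_only_port(cmdline, text)
        state = "closed" if port == 0 else "open, unauthenticated HTTP on %d" % port
        print("%-70s -> %s (%s)" % (cmdline, state, source))
```

Running the same check across node groups shows which ones still expose the unauthenticated endpoint before monitoring is moved to the authenticated kubelet port.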
For future googlers, I managed to find a workaround for the prometheus-operator that doesn't require rebuilding the AMI: prometheus-operator/prometheus-operator#867 (comment) It uses relabelling to request metrics via the main k8s proxy, rather than attempting to go to the kubelet. The main benefit is that you don't have to edit the EKS AMI to change the authentication settings. The downside is more load on the proxy. |
@tklovett thanks for the summary of this issue - much appreciated |
So in other words, I understand the deprecation of kubelet flags; what I don't understand is that anyone responsible for PR#90 did not make sure the defaults are the same and, if not, provide them in the config file |
For me, the easiest option for now was to add the `--read-only-port=10255` argument to bootstrap.sh in the Launch Configuration user-data; shame I have to rebootstrap all my clusters... again |
This is what worked for me on the latest EKS optimized AMI. |
Based on my read of the issues @micahhausler linked to, @tklovett's response above is correct, and that we should not try to force a read-only port. It looks like the reason for the change in the first place is that the K8s maintainers wanted to deprecate the read-only port for security reasons. Setting |
Find what port your kubelet endpoint is using and if it is HTTPS or HTTP. For Prometheus for EKS 1.19 it is using https; I made it work with this change in values.yaml for prometheus helmcharts
|
Hello there, |
What happened:
I have an EKS 1.10 cluster with worker nodes running 1.10.3 and everything is great. I decided to create a new worker group today with the 1.10.11 ami. Everything is great except it seems the kubelet on the 1.10.11 nodes is no longer listening on the read only port 10255. I verified this with `netstat -l` as well as `lsof -p $kubelet_pid | grep -i listen`. I also verified in `journalctl -u kubelet` that it does not even attempt to listen on port 10255.

I manually modified `/etc/systemd/system/kubelet.service` and added `--read-only-port 10255` and that fixes it, but I thought 10255 was the default and didn't need to be set. I verified that on my 1.10.3 workers, `--read-only-port` is not set, but kubelet is indeed listening on 10255.

I noticed that in 1.10.11 kubelet loads its configuration from a file instead of all from flags. My guess is that this transition somehow changes the default values. I dug around a bit in the kubelet code to figure out how defaults are determined, but am coming up short so far.
What you expected to happen:
kubelet to listen on the read only port 10255
How to reproduce it (as minimally and precisely as possible):
I think if you just start up a 1.10.11 worker node, you can see it by running something like
curl localhost:10255/stats/summary
Anything else we need to know?:
Environment:
`aws eks describe-cluster --name <name> --query cluster.platformVersion`: eks.3
`aws eks describe-cluster --name <name> --query cluster.version`: 1.10
`uname -a`: Linux REDACTED 4.14.77-81.59.amzn2.x86_64 #1 SMP Mon Nov 12 21:32:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
`cat /tmp/release` on a node: file does not exist