kube-apiserver doesn't correctly apply /etc/kubernetes/manifests/kube-apiserver.yaml #122586

Closed
Reyadeyat opened this issue Jan 4, 2024 · 5 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. kind/support Categorizes issue or PR as a support question. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@Reyadeyat

What happened?

kube-apiserver complains about missing parameters not exist while being set correctly upon initial installation on /etc/kubernetes/manifests/kube-apiserver.yaml, -etc-kubernetes-manifests-kube-apiserver.yaml.txt

$kube-apiserver
W0104 17:23:45.519496 30064 services.go:37] No CIDR for service cluster IPs specified. Default value which was 10.0.0.0/24 is deprecated and will be removed in future releases. Please specify it using --service-cluster-ip-range on kube-apiserver.
I0104 17:23:45.519693 30064 server.go:554] external host was not specified, using 192.168.0.214
W0104 17:23:45.519698 30064 authentication.go:525] AnonymousAuth is not allowed with the AlwaysAllow authorizer. Resetting AnonymousAuth to false. You should use a different authorizer
E0104 17:23:45.519889 30064 run.go:74] "command failed" err="[--etcd-servers must be specified, service-account-issuer is a required flag, --service-account-signing-key-file and --service-account-issuer are required flags]"

What did you expect to happen?

kube-apiserver shall apply the YAML configuration correctly, but this does not happen!

How can we reproduce it (as minimally and precisely as possible)?

Fedora 39 Linux localhost.localdomain 6.6.8-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 21 04:01:49 UTC 2023 x86_64 GNU/Linux

sudo dnf install git go firewalld iptables iproute-tc cri-o containernetworking-plugins kubernetes-master kubernetes-client kubernetes-node kubernetes-kubeadm

Anything else we need to know?

Is there a workaround or a stable working version?

Kubernetes version

$ kubectl version
kubectl version --output=yaml
clientVersion:
  buildDate: "2023-12-20T00:00:00Z"
  compiler: gc
  gitCommit: d15213f69952c79b317e635abff6ff4ec81475f8
  gitTreeState: archive
  gitVersion: v1.27.9
  goVersion: go1.21.5
  major: "1"
  minor: "27"
  platform: linux/amd64
kustomizeVersion: v5.0.1

The connection to the server localhost:8080 was refused - did you specify the right host or port?

Cloud provider

OS version

# On Linux:
$ cat /etc/os-release
NAME="Fedora Linux"
VERSION="39 (Server Edition)"
ID=fedora
VERSION_ID=39
VERSION_CODENAME=""
PLATFORM_ID="platform:f39"
PRETTY_NAME="Fedora Linux 39 (Server Edition)"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:39"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f39/system-administrators-guide/"
SUPPORT_URL="https://ask.fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=39
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=39
SUPPORT_END=2024-11-12
VARIANT="Server Edition"
VARIANT_ID=server
$ uname -a
Linux localhost.localdomain 6.6.8-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 21 04:01:49 UTC 2023 x86_64 GNU/Linux

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

Install tools

$sudo dnf install git go firewalld iptables iproute-tc cri-o containernetworking-plugins kubernetes-master kubernetes-client kubernetes-node kubernetes-kubeadm

Last metadata expiration check: 1:17:08 ago on Thu 04 Jan 2024 04:28:19 PM EET.
Package git-2.43.0-1.fc39.x86_64 is already installed.
Package golang-1.21.5-1.fc39.x86_64 is already installed.
Package firewalld-2.0.2-1.fc39.noarch is already installed.
Package iptables-nft-1.8.9-5.fc39.x86_64 is already installed.
Package iproute-tc-6.4.0-2.fc39.x86_64 is already installed.
Package cri-o-1.27.2-2.fc39.x86_64 is already installed.
Package containernetworking-plugins-1.3.0-3.fc39.x86_64 is already installed.
Package kubernetes-master-1.27.9-1.fc39.x86_64 is already installed.
Package kubernetes-client-1.27.9-1.fc39.x86_64 is already installed.
Package kubernetes-node-1.27.9-1.fc39.x86_64 is already installed.
Package kubernetes-kubeadm-1.27.9-1.fc39.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!

Container runtime (CRI) and version (if applicable)

$crio --version
crio version 1.27.2
Version: 1.27.2
GitCommit: unknown
GitCommitDate: unknown
GitTreeState: clean
GoVersion: go1.21.4
Compiler: gc
Platform: linux/amd64
Linkmode: dynamic
BuildTags: rpm_crashtraceback seccomp selinux
LDFlags: -X github.com/cri-o/cri-o/version=1.27.2 -B 0xc72bf2ae30fdb0b6d2150587804157413ef2e444 -compressdwarf=false -linkmode=external -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes '
SeccompEnabled: true
AppArmorEnabled: false

Related plugins (CNI, CSI, ...) and versions (if applicable)

@Reyadeyat Reyadeyat added the kind/bug Categorizes issue or PR as related to a bug. label Jan 4, 2024
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Jan 4, 2024
@k8s-ci-robot
Contributor

There are no sig labels on this issue. Please add an appropriate label by using one of the following commands:

  • /sig <group-name>
  • /wg <group-name>
  • /committee <group-name>

Please see the group list for a listing of the SIGs, working groups, and committees available.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jan 4, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.


@neolit123
Member

kubeadm by default deploys this manifest file and it works fine, yours seems to be missing important flags:

    - kube-apiserver
    - --advertise-address=10.0.2.15
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    image: registry.k8s.io/kube-apiserver:v1.29.0

but better ask for help on the support channels, we do not provide support on github!
please see:
https://git.k8s.io/kubernetes/SUPPORT.md

/kind support
/close

@k8s-ci-robot k8s-ci-robot added the kind/support Categorizes issue or PR as a support question. label Jan 4, 2024
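
Added example (not part of the issue thread or of the Kubernetes project's code): a small Python check that reads the flag list from a kube-apiserver manifest like the one quoted above and reports the flags named in the reported "command failed" error, plus the authorizer and service-CIDR defaults the log warns about. The function names and both sample manifests are constructed for illustration.

```python
import re

# Flags the apiserver refused to start without, per the "command failed" error.
REQUIRED = ("etcd-servers", "service-account-issuer", "service-account-signing-key-file")
FLAG_RE = re.compile(r"^\s*-\s+--([A-Za-z0-9-]+)(?:=(.*?))?\s*$")


def parse_flags(manifest_text):
    """Collect --flag=value entries from a manifest's container command list."""
    flags = {}
    for line in manifest_text.splitlines():
        m = FLAG_RE.match(line)
        if m:
            flags[m.group(1)] = (m.group(2) or "").strip("'\"")
    return flags


def audit(flags):
    """Return findings: missing required flags and weak or deprecated defaults."""
    findings = [f"missing required flag --{n}" for n in REQUIRED if not flags.get(n)]
    modes = [m for m in flags.get("authorization-mode", "").split(",") if m]
    if not modes:
        findings.append("--authorization-mode unset: AlwaysAllow authorizer applies")
    elif "AlwaysAllow" in modes:
        findings.append("--authorization-mode includes AlwaysAllow")
    if "service-cluster-ip-range" not in flags:
        findings.append("--service-cluster-ip-range unset: deprecated 10.0.0.0/24 default")
    return findings


# Constructed sample: a cut-down manifest using flags from the kubeadm list above.
GOOD = """\
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    - --etcd-servers=https://127.0.0.1:2379
    - --service-account-issuer=https://kubernetes.default.svc.cluster.local
    - --service-account-signing-key-file=/etc/kubernetes/pki/sa.key
    - --service-cluster-ip-range=10.96.0.0/12
    image: registry.k8s.io/kube-apiserver:v1.29.0
"""
# Constructed sample: no flags at all, like the bare invocation in the report.
BARE = "spec:\n  containers:\n  - command:\n    - kube-apiserver\n"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BARE", BARE)):
        print(name, audit(parse_flags(text)) or "ok")
```
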
@k8s-ci-robot
Contributor

@neolit123: Closing this issue.


@neolit123
Member

discuss.k8s.io is a good place.
#kubeadm and #kubernetes-users on k8s slack are an alternative.
