Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubeAPIServer authorizationMode still requires adding Node,RBAC on k8s 1.19.x #11014

Closed
gamer22026 opened this issue Mar 11, 2021 · 5 comments · Fixed by #11127
Closed

kubeAPIServer authorizationMode still requires adding Node,RBAC on k8s 1.19.x #11014

gamer22026 opened this issue Mar 11, 2021 · 5 comments · Fixed by #11127
Labels
blocks-next

Comments

@gamer22026
Copy link

1. What kops version are you running? The command kops version, will display
this information.
1.19.1
2. What Kubernetes version are you running? kubectl version will print the
version if a cluster is running or provide the Kubernetes version specified as
a kops flag.
1.19.8
3. What cloud provider are you using?
AWS
4. What commands did you run? What is the simplest way to reproduce this issue?
rolling update from k8s 1.18.13 to 1.19.8
5. What happened after the commands executed?
First master node didn't come up
6. What did you expect to happen?
First master node comes up
7. Anything else do we need to know?
Issue was

  kubeAPIServer:
     authorizationMode: RBAC

had to be changed to

  kubeAPIServer:
     authorizationMode: Node,RBAC

The rolling update then worked. This slack thread ( https://kubernetes.slack.com/archives/C3QUFP0QM/p1614880910266900?thread_ts=1614872952.265000&cid=C3QUFP0QM ) indicates that for k8s >= 1.19 Node should be auto-included per https://github.com/kubernetes/kops/blob/master/pkg/model/components/apiserver.go#L89 but that's clearly not happening.
This was referenced Mar 16, 2021
Closed
Closed
@rifelpet
Copy link
Member

@gamer22026 can you post your full cluster spec? I'm curious what the spec.authorization field contains.

@microwaves
Copy link

Facing the same problem with our cluster here. But Node is already in place in the authorizationMode config. 2 of the 3 masters come up, the last complains about:

NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized

Any thoughts?

@olemarkus olemarkus mentioned this issue Mar 24, 2021
Merged
@tuapuikia
Copy link

Facing the same problem with our cluster here. But Node is already in place in the authorizationMode config. 2 of the 3 masters come up, the last complains about:

NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized

Any thoughts?

I have the same problem when bootstrap new cluster using kops 1.21.0

@olemarkus
Copy link
Member

Can you open a new issue and post the cluster spec there?

@thienchuong
Copy link

Facing the same problem with our cluster here. But Node is already in place in the authorizationMode config. 2 of the 3 masters come up, the last complains about:

NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized

Any thoughts?

I have exactly the same issue, did you fix it, and how

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
blocks-next
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Validate that kube-apiserver has the necessary authz modes set olemarkus/kops
7 participants
@olemarkus @microwaves @rifelpet @hakman @tuapuikia @gamer22026 @thienchuong