Bug description
When creating a cluster using kops
version v1.27.0 and subsequently exporting the kubeconfig with kops export kubeconfig
in kops version v1.27.1, the following warning is received:
W0808 18:00:14.284101 88876 create_kubecfg.go:69] Did not find API endpoint; may not be able to reach cluster
As a result, any commands attempting to access the cluster fail because kubectl
cannot resolve the exported address.
Attempting to run kops validate cluster
results in the following error:
Error: validation failed: unexpected error during validation: error listing nodes: Get "https://api.dicty-playground.k8s.local/api/v1/nodes": dial tcp: lookup api.dicty-playground.k8s.local on 192.168.50.1:53: no such host
Reproduction
Use direnv to manage environment variables. Create a .envrc file with the following content:
export KOPS_CLUSTER_NAME=dicty-playground.k8s.local
export KOPS_STATE_STORE=gs://kops-kubernetes-state-playground
export KUBECONFIG="${PWD}/.kube/config"
export GOOGLE_APPLICATION_CREDENTIALS=${PWD}/credentials/dcr-kube-admin-key.json
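After creating the file, permit direnv to load it into your shell:
> direnv allow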
Use asdf
for version management:
> asdf install kops v1.27.0
> asdf local kops v1.27.0
Run the following command to create the cluster:
> kops create cluster --zones us-central1-a
Immediately after creation, run the cluster update. As the kops GCE guide explains: "kops create cluster created the Cluster object & InstanceGroup object in our state store, but didn't actually create any instances or other cloud objects in GCE. To do that, we'll use kops update cluster." (https://kops.sigs.k8s.io/getting_started/gce/#creating-a-cluster)
> kops update cluster --yes --admin
Note: The --admin
flag exports an admin user credential to the kubeconfig and adds it to the cluster context.
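The exported admin credential is only valid for a limited time (18 hours by default). If it expires later, it can be re-exported with an explicit lifetime, e.g.:
> kops export kubeconfig --admin=87600h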
Install and set the local version to v1.27.1:
> asdf install kops v1.27.1
> asdf local kops v1.27.1
> kops version
Client version: 1.27.1 (git-v1.27.1)
Run the following command to export the kubeconfig:
> kops export kubeconfig --admin
The output includes:
I0808 20:24:48.139586 118795 gce_cloud.go:132] Will load GOOGLE_APPLICATION_CREDENTIALS from /home/faceless/Projects/playground-cluster-access/credentials/dcr-kube-admin-key.json
W0808 20:24:49.364651 118795 create_kubecfg.go:69] Did not find API endpoint; may not be able to reach cluster
kOps has set your kubectl context to dicty-playground.k8s.local
Run the following command to validate the cluster:
> kops validate cluster
The output returns the same error as before.
The expected output when running kops validate cluster
should be:
INSTANCE GROUPS
NAME                         ROLE          MACHINETYPE  MIN  MAX  SUBNETS
control-plane-us-central1-a  ControlPlane  e2-medium    1    1    us-central1
nodes-us-central1-a          Node          e2-medium    1    1    us-central1

NODE STATUS
NAME                              ROLE           READY
control-plane-us-central1-a-n2qx  control-plane  True
nodes-us-central1-a-jwhg          node           True

Your cluster dicty-playground.k8s.local is ready
Solution 1 (Recommended)
Simply running kops update cluster --yes with kops v1.27.1 should add the necessary label to the forwarding rules:
> kops update cluster --yes
After running this command, the appropriate label is added to the Forwarding Rule. You can verify this with:
> gcloud compute forwarding-rules describe api-dicty-playground-k8s-local
You should see an output similar to:
IPAddress: 34.171.238.68
IPProtocol: TCP
creationTimestamp: '2024-08-08T16:59:30.089-07:00'
labels:
  k8s-io-cluster-name: dicty-playground-k8s-local
After updating, validate the cluster again:
> kops validate cluster
Solution 2
Alternatively, you can manually add the label to the forwarding rule associated with the cluster. The command below creates a label with the key k8s-io-cluster-name and a value derived from the cluster name (dicty-playground-k8s-local):
> gcloud compute forwarding-rules update api-dicty-playground-k8s-local --update-labels=k8s-io-cluster-name=dicty-playground-k8s-local
After updating the label, re-export the kubeconfig:
> kops export kubeconfig --admin
Then, validate the cluster again:
> kops validate cluster
The cluster can now be accessed successfully.
Issue Summary
In version v1.27.0, the IP address exported to the kubeconfig comes from a Forwarding Rule resource in Google Cloud. The function that retrieves the Forwarding Rules checks for the presence of an IPAddress property and adds it to the list of API endpoints. In v1.27.1 and later, however, a new check was introduced: each Forwarding Rule must carry a label (https://cloud.google.com/compute/docs/labeling-resources) with the key k8s-io-cluster-name. If the label is missing or does not match the cluster name, the IPAddress is not added to the list, leaving the kubeconfig with an address that cannot be resolved.
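To make the behavior change concrete, here is a minimal, self-contained Go sketch of the v1.27.1+ filtering logic. The type and function names are hypothetical (the real code lives in kops' GCE cloud provider and uses google.golang.org/api/compute/v1); only the label check itself is taken from the issue description.

// Hypothetical sketch, not the actual kops source: only forwarding rules
// labeled with the cluster name contribute their IPAddress to the list
// of API endpoints.
package main

import (
	"fmt"
	"strings"
)

// ForwardingRule holds just the fields relevant here; the real type is
// google.golang.org/api/compute/v1.ForwardingRule.
type ForwardingRule struct {
	Name      string
	IPAddress string
	Labels    map[string]string
}

// apiAddresses returns the addresses considered usable API endpoints.
// GCE label values may not contain dots, so the expected value is the
// cluster name with dots replaced by dashes.
func apiAddresses(rules []ForwardingRule, clusterName string) []string {
	want := strings.ReplaceAll(clusterName, ".", "-")
	var addrs []string
	for _, r := range rules {
		if r.Labels["k8s-io-cluster-name"] != want {
			continue // label missing or mismatched: the rule is ignored
		}
		addrs = append(addrs, r.IPAddress)
	}
	return addrs
}

func main() {
	// A rule created by kops v1.27.0 carries no labels, so no endpoint
	// is found -- hence the "Did not find API endpoint" warning...
	rule := ForwardingRule{Name: "api-dicty-playground-k8s-local", IPAddress: "34.171.238.68"}
	fmt.Println(apiAddresses([]ForwardingRule{rule}, "dicty-playground.k8s.local")) // []

	// ...while the same rule with the label is picked up.
	rule.Labels = map[string]string{"k8s-io-cluster-name": "dicty-playground-k8s-local"}
	fmt.Println(apiAddresses([]ForwardingRule{rule}, "dicty-playground.k8s.local")) // [34.171.238.68]
}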
Side Issue
A related bug occurs when multiple clusters, each with its own Forwarding Rules, are created using kops v1.27.0. Running kops export kubeconfig for a single cluster may retrieve the IP addresses of multiple clusters, potentially setting the kubeconfig server to the IP address of the wrong cluster (https://github.com/kubernetes/kops/issues/15679).
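Once the labels are in place, you can check which forwarding rules a given cluster actually owns by filtering on the label; the value below assumes the cluster name from this report:
> gcloud compute forwarding-rules list --filter="labels.k8s-io-cluster-name=dicty-playground-k8s-local"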
This issue is addressed in upcoming versions of kops
(1.28 and beyond) by introducing labels for forwarding rules, which will provide a more robust identification method than the previous name-based approach.
For further details, refer to the following GitHub issue, and in particular the comment explaining why label-based identification was introduced:
https://github.com/kubernetes/kops/issues/15679
https://github.com/kubernetes/kops/issues/15679#issuecomment-1694407503