grafeas / kritis

Deploy-time Policy Enforcer for Kubernetes applications
https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
Apache License 2.0

Helm install fails on k8s v1.19 #583

Open microhod opened 4 years ago

microhod commented 4 years ago

Expected Behavior

Following the standalone install doc, running setup-grafeas.sh and setup-kritis.sh installs correctly on all released k8s versions.

(I've tested and this does work on 1.17 and 1.18, so it seems the issue is limited to 1.19)

Actual Behavior

kritis-preinstall fails with the following log:

```
time="2020-10-01T16:17:20Z" level=info msg="contents of /var/run/secrets/kubernetes.io/serviceaccount/namespace: default"
time="2020-10-01T16:17:20Z" level=info msg="running preinstall\nversion v0.2.2\ncommit: bea073f2a2f299af94363dc399b7780fde8f2afc"
Error from server (NotFound): certificatesigningrequests.certificates.k8s.io "tls-webhook-secret-cert" not found
Error from server (NotFound): secrets "tls-webhook-secret" not found
time="2020-10-01T16:17:21Z" level=info msg="[cfssl genkey -]"
time="2020-10-01T16:17:21Z" level=info msg="{\"csr\":\"-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----\\n\",\"key\":\"-----BEGIN EC PRIVATE KEY-----...-----END EC PRIVATE KEY-----\\n\"}\n"
time="2020-10-01T16:17:21Z" level=info msg="[cfssljson -bare server]"
time="2020-10-01T16:17:21Z" level=info
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
    name: tls-webhook-secret-cert
    labels:
        kritis.grafeas.io/install: ""
spec:
    groups:
    - system:authenticated
    request: <REDACTED>
    usages:
    - digital signature
    - key encipherment
    - server auth
time="2020-10-01T16:17:22Z" level=info msg="[kubectl apply -f -]"
time="2020-10-01T16:17:22Z" level=info msg="certificatesigningrequest.certificates.k8s.io/tls-webhook-secret-cert created\n"
time="2020-10-01T16:17:22Z" level=info msg="[kubectl certificate approve tls-webhook-secret-cert]"
time="2020-10-01T16:17:22Z" level=info msg="No resources found\n"
time="2020-10-01T16:17:22Z" level=error msg="error: no kind \"CertificateSigningRequest\" is registered for version \"certificates.k8s.io/v1\" in scheme \"k8s.io/kubectl/pkg/scheme/scheme.go:28\"\n"
time="2020-10-01T16:17:22Z" level=fatal msg="exit status 1"
```

Steps to Reproduce the Problem

Environment

FearTheBadger commented 3 years ago

CertificateSigningRequest changed in v1.19 in such a way that this process breaks.

https://v1-19.docs.kubernetes.io/docs/setup/release/notes/#api-change

The CertificateSigningRequest API is promoted to certificates.k8s.io/v1 with the following changes:

  • spec.signerName is now required, and requests for kubernetes.io/legacy-unknown are not allowed to be created via the certificates.k8s.io/v1 API

When you run the helm install ... it generates:


```
$ kubectl get csr
NAME                      AGE    SIGNERNAME                            REQUESTOR                                                              CONDITION
tls-webhook-secret-cert   75s    kubernetes.io/legacy-unknown          system:serviceaccount:kritis-charts:kritis-preinstall-serviceaccount   Pending
```

murthy-chelankuri commented 3 years ago

Any work around or fix available to install in k8s 1.19+ versions?

FearTheBadger commented 3 years ago

As far as I can tell, there are no workarounds. The areas in which these changes need to be made are in a compiled binary from an external (to this repo) code base, which I couldn't find.

jsbah commented 3 years ago

Yes, @aysylu , this is the issue.

aysylu commented 3 years ago

@jsbah thanks for confirming! @FearTheBadger @sriramachelankuri @microhod would the preference be to migrate everything on k8s 1.19+, or is there a need for the earlier versions support as well?

microhod commented 3 years ago

I think supporting v1.19+ would be fine. There are already 2 versions ahead of 1.19 now.

vikahl commented 3 years ago

Hi, running into the same issue trying to set up Grafeas and Kritis in standalone mode.

Are there any suggestions on how to fix this or which parts need updating? I can spend some time, but a pointer on where to start investigating would be great.

carlosbmg commented 3 years ago

Has anyone found a solution to make this run on 1.19+ k8s versions? I'm running into the same problem.

I found out that in the preinstall config (https://github.com/grafeas/kritis/blob/master/helm-hooks/preinstall/preinstall.go) there's the kind: CertificateSigningRequest. Is it possible to change this yaml definition in 2 ways:

  1. Update the apiVersion from v1beta1 to v1
  2. Add the signerName: kubernetes.io/kube-apiserver-client line in order to avoid kubernetes.io/legacy-unknown, as @FearTheBadger just mentioned.

It'll look something like this.


```yaml
apiVersion: certificates.k8s.io/v1
kind: CertificateSigningRequest
metadata:
    name: {{ .Name }}
    labels:
        {{ .KritisInstallLabel }}: ""
spec:
    groups:
    - system:authenticated
    request: {{ .Certificate }}
    signerName: kubernetes.io/kube-apiserver-client
    usages:
    - digital signature
    - key encipherment
    - server auth
```

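The following is an added example (not kritis project code, not posted by anyone in this thread) that turns the two points made above into a check: the v1 API rules quoted from the 1.19 release notes (spec.signerName required, kubernetes.io/legacy-unknown not creatable via v1), and the proposed manifest with signerName kubernetes.io/kube-apiserver-client. It also encodes the key-usage tables from the Kubernetes signer documentation, which matter here because an in-tree signer refuses usages outside its permitted set and the CSR ends up Failed rather than Issued: kubernetes.io/kube-apiserver-client permits only client auth, digital signature and key encipherment, while the webhook certificate kritis-preinstall requests asks for server auth. The sample manifests are constructed from the log in this issue with the request body replaced by a placeholder; the JSON rendering relies on kubectl apply accepting JSON as well as YAML.

```go
// Added example, not kritis project code: validates a CertificateSigningRequest
// manifest against the certificates.k8s.io/v1 rules quoted in this issue and
// against the key usages each in-tree signer permits, then renders a v1
// manifest as JSON for `kubectl apply -f -`.
package main

import (
	"encoding/json"
	"fmt"
)

// CSR mirrors the manifest fields that matter for the v1 migration.
type CSR struct {
	APIVersion string   `json:"apiVersion"`
	Kind       string   `json:"kind"`
	Metadata   Metadata `json:"metadata"`
	Spec       Spec     `json:"spec"`
}

// Metadata holds the name and labels kritis-preinstall sets on the CSR.
type Metadata struct {
	Name   string            `json:"name"`
	Labels map[string]string `json:"labels,omitempty"`
}

// Spec holds the request fields; SignerName is the field v1 newly requires.
type Spec struct {
	Groups     []string `json:"groups,omitempty"`
	Request    string   `json:"request"`
	SignerName string   `json:"signerName,omitempty"`
	Usages     []string `json:"usages"`
}

// permittedUsages lists the key usages each in-tree signer will sign (per the
// Kubernetes signer documentation). kubelet-serving additionally restricts the
// subject to system:node:* with organization system:nodes, which is not
// modelled here; legacy-unknown permits everything but is not creatable via v1.
var permittedUsages = map[string][]string{
	"kubernetes.io/kube-apiserver-client":         {"client auth", "digital signature", "key encipherment"},
	"kubernetes.io/kube-apiserver-client-kubelet": {"client auth", "digital signature", "key encipherment"},
	"kubernetes.io/kubelet-serving":               {"digital signature", "key encipherment", "server auth"},
}

// Validate returns every reason the manifest would be rejected by the v1 API
// or left unsigned by an in-tree signer; an empty result means it passes.
func Validate(c CSR) []string {
	var problems []string
	if c.APIVersion != "certificates.k8s.io/v1" {
		problems = append(problems, fmt.Sprintf("apiVersion %q: v1beta1 is deprecated since 1.19 and removed in 1.22; use certificates.k8s.io/v1", c.APIVersion))
	}
	switch c.Spec.SignerName {
	case "":
		problems = append(problems, "spec.signerName is required by the v1 API")
	case "kubernetes.io/legacy-unknown":
		problems = append(problems, "requests for kubernetes.io/legacy-unknown cannot be created via the v1 API")
	default:
		allowed, known := permittedUsages[c.Spec.SignerName]
		if !known {
			break // custom (out-of-tree) signer: its usage policy is its own
		}
		for _, u := range c.Spec.Usages {
			if !contains(allowed, u) {
				problems = append(problems, fmt.Sprintf("usage %q is not permitted by signer %s", u, c.Spec.SignerName))
			}
		}
	}
	return problems
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// IssueManifest reconstructs the CSR logged in this issue (constructed sample;
// the request body is a placeholder, not a real CSR).
func IssueManifest() CSR {
	return CSR{
		APIVersion: "certificates.k8s.io/v1beta1",
		Kind:       "CertificateSigningRequest",
		Metadata:   Metadata{Name: "tls-webhook-secret-cert", Labels: map[string]string{"kritis.grafeas.io/install": ""}},
		Spec: Spec{
			Groups:  []string{"system:authenticated"},
			Request: "<REDACTED>",
			Usages:  []string{"digital signature", "key encipherment", "server auth"},
		},
	}
}

// ProposedFix applies the two changes suggested in the thread: apiVersion v1
// and signerName kubernetes.io/kube-apiserver-client.
func ProposedFix() CSR {
	c := IssueManifest()
	c.APIVersion = "certificates.k8s.io/v1"
	c.Spec.SignerName = "kubernetes.io/kube-apiserver-client"
	return c
}

// RenderJSON serialises a manifest; kubectl apply accepts JSON as well as YAML.
func RenderJSON(c CSR) (string, error) {
	b, err := json.MarshalIndent(c, "", "  ")
	return string(b), err
}

func main() {
	for _, c := range []CSR{IssueManifest(), ProposedFix()} {
		fmt.Printf("%s / signer=%q\n", c.APIVersion, c.Spec.SignerName)
		for _, p := range Validate(c) {
			fmt.Println("  -", p)
		}
	}
	out, _ := RenderJSON(ProposedFix())
	fmt.Println(out)
}
```

Running it reports two problems for the manifest as logged (v1beta1, no signerName) and one remaining problem for the proposed fix: "server auth" is not a usage the kube-apiserver-client signer will sign, so a CSR submitted that way is approved but never issued. The only in-tree signer that permits server auth is kubelet-serving, and it only signs node subjects, which is why a webhook serving certificate on 1.19+ needs either a custom signer or a certificate issued outside the CSR API with the CA bundle configured on the webhook.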
Sud8 commented 2 years ago

@aysylu I am running into the same issue in K8s version 1.23.8. Any pointers to fix this?

Jayakumar6 commented 1 year ago

I am also facing the same issue when I am trying to run setup-kritis.sh:

```
time="2023-06-07T10:21:06Z" level=info msg="contents of /var/run/secrets/kubernetes.io/serviceaccount/namespace: default"
time="2023-06-07T10:21:06Z" level=info msg="running preinstall\nversion v0.2.2\ncommit: bea073f2a2f299af94363dc399b7780fde8f2afc"
Error from server (NotFound): certificatesigningrequests.certificates.k8s.io "tls-webhook-secret-cert" not found
Error from server (NotFound): secrets "tls-webhook-secret" not found
time="2023-06-07T10:21:06Z" level=info msg="[cfssl genkey -]"
time="2023-06-07T10:21:06Z" level=info msg="{\"csr\":\"-----BEGIN CERTIFICATE REQUEST-----...-----END CERTIFICATE REQUEST-----\n\",\"key\":\"-----BEGIN EC PRIVATE KEY-----...-----END EC PRIVATE KEY-----\n\"}\n"
time="2023-06-07T10:21:06Z" level=info msg="[cfssljson -bare server]"
time="2023-06-07T10:21:06Z" level=info
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
    name: tls-webhook-secret-cert
    labels:
        kritis.grafeas.io/install: ""
spec:
    groups:
```

@aysylu Is there any proper documentation on how to resolve this error? I need this as soon as possible; I am unable to solve this issue.

Jayakumar6 commented 1 year ago

This pre-install pod is still failing on a v1.19 minikube cluster.

I am using version 1.23 and I am not able to get past this pre-install stage. I can see that @judavi has worked around this issue, but I am not able to tell from the docs exactly what to do to solve it. Does anyone know how to solve this? Is there a mistake in the configuration on my end that I am missing? I am not able to figure it out. @aysylu @Sud8 @carlosbmg