search

istio / old_issues_repo

Deprecated issue-tracking repo, please post new issues or feature requests to istio/istio instead.
36 stars 9 forks source link

Istio release-0.8-20180520-18-17 pods in CrashLoopBackOff #354

Closed deewhyweb closed 6 years ago

deewhyweb commented 6 years ago

As part of Istio 0.8 community testing I'm installing istio-release-0.8-20180520-18-17 on Openshift 3.9.27 (kubernetes v v1.9.1+a0ce1bc657)

I ran:

$ oc adm policy add-scc-to-user anyuid -z istio-ingress-service-account -n istio-system
$ oc adm policy add-scc-to-user anyuid -z default -n istio-system
$ oc adm policy add-scc-to-user anyuid -z grafana -n istio-system
$ oc adm policy add-scc-to-user anyuid -z prometheus -n istio-system

Then 

oc apply -f install/kubernetes/istio-demo.yaml

When I view the pods in the istio-system project I see

NAME                                        READY     STATUS             RESTARTS   AGE
grafana-6677f7789b-gfcgj                    1/1       Running            0          14m
istio-citadel-64c9df88bc-lnvn2              1/1       Running            0          13m
istio-egressgateway-84b789fc-8r6gf          0/1       CrashLoopBackOff   7          14m
istio-ingressgateway-7595bdb4bf-j5xqq       0/1       CrashLoopBackOff   6          14m
istio-mixer-create-cr-znr56                 1/1       Running            0          12m
istio-pilot-7ff65fbb95-tm9gs                1/2       CrashLoopBackOff   6          13m
istio-policy-7b5464464f-qvv8j               1/2       CrashLoopBackOff   6          13m
istio-sidecar-injector-6f68b9d546-55zcp     0/1       CrashLoopBackOff   6          12m
istio-statsd-prom-bridge-6dbb7dcc7f-gvprp   1/1       Running            0          15m
istio-telemetry-676f5f5f65-97kcs            1/2       CrashLoopBackOff   6          13m
prometheus-586d95b8d9-r4nn2                 1/1       Running            0          13m
servicegraph-55bd899fd-mw95d                1/1       Running            0          12m

Looking at the logs for the istio-proxy in the istio-pilot pod, I see the following error.

2018-05-24T19:27:53.794344Z error open /etc/istio/proxy/envoy.yaml: permission denied Error: open /etc/istio/proxy/envoy.yaml: permission denied

ymesika commented 6 years ago

Still happening with istio-release-0.8-20180524-09-15?

deewhyweb commented 6 years ago

I'll try again and report back

johnfosborneiii commented 6 years ago

In Istio 0.8 there are a lot of new service accounts so you need to add a lot more anyuid permissions. If you run this it will work: oc adm policy add-scc-to-user anyuid -z istio-egressgateway-service-account -n istio-system oc adm policy add-scc-to-user anyuid -z istio-citadel-service-account -n istio-system oc adm policy add-scc-to-user anyuid -z istio-ingressgateway-service-account -n istio-system oc adm policy add-scc-to-user anyuid -z istio-cleanup-old-ca-service-account -n istio-system oc adm policy add-scc-to-user anyuid -z istio-mixer-post-install-account -n istio-system oc adm policy add-scc-to-user anyuid -z istio-mixer-service-account -n istio-system oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account -n istio-system oc adm policy add-scc-to-user anyuid -z istio-sidecar-injector-service-account -n istio-system

Can we update the documentation?

mattmi88 commented 6 years ago

I can confirm that this suggestion worked. And I used the helm install method with Istio 0.8 on OpenShift 3.9.0 running in Minishift 1.15.1. This definitely needs to be added to the Kubernetes Quick Start doc in the OpenShift Origin section.

ymesika commented 6 years ago

Thanks @johnfosborneiii We will update the OpenShift doc accordingly.

ymesika commented 6 years ago

All, while updating the doc, I was wondering whether the following command is really necessary?

oc adm policy add-scc-to-user anyuid -z default -n istio-system
ymesika commented 6 years ago

Doc updated. Thanks guys. /close

istio-testing commented 6 years ago

@ymesika: you can't close an active issue unless you authored it or you are assigned to it, Assigning you to the issue failed..

In response to [this](https://github.com/istio/issues/issues/354#issuecomment-395545198): >Doc updated. Thanks guys. >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.
malagant commented 6 years ago

In addition to @johnfosborneiii list of policy settings. The current version needs also:

oc adm policy add-scc-to-user anyuid -z istio-galley-service-account -n istio-system

So that the complete list would be:

oc adm policy add-scc-to-user anyuid -z istio-egressgateway-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-citadel-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-ingressgateway-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-cleanup-old-ca-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-mixer-post-install-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-mixer-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-pilot-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-sidecar-injector-service-account -n istio-system
oc adm policy add-scc-to-user anyuid -z istio-galley-service-account -n istio-system