Closed agentreno closed 3 years ago
Can you share the apiserver section of `minikube logs`?
It seems that the apiserver may need more configuration than just this flag, as it's in a crashloop:
```
Jul 18 16:09:35 minikube kubelet[5844]: E0718 16:09:35.400126 5844 pod_workers.go:191] Error syncing pod 481d964192db3aaa66402a539639c968 ("kube-apiserver-minikube_kube-system(481d964192db3aaa66402a539639c968)"), skipping: failed to "StartContainer" for "kube-apiserver" with CrashLoopBackOff: "back-off 2m40s restarting failed container=kube-apiserver pod=kube-apiserver-minikube_kube-system(481d964192db3aaa66402a539639c968)"
Jul 18 16:09:38 minikube kubelet[5844]: E0718 16:09:38.437873 5844 pod_workers.go:191] Error syncing pod 8a9925b92c1bf68a9656aa86994b3aca ("kube-controller-manager-minikube_kube-system(8a9925b92c1bf68a9656aa86994b3aca)"), skipping: failed to "StartContainer" for "kube-controller-manager" with CrashLoopBackOff: "back-off 1m20s restarting failed container=kube-controller-manager pod=kube-controller-manager-minikube_kube-system(8a9925b92c1bf68a9656aa86994b3aca)"
```
FWIW, we should certainly surface a better error message here, but I won't know what that is without the apiserver logs.
Thanks for taking a look. Is this the right section of the logs? It looks like a usage message for the apiserver, like it's been given invalid arguments or something. After this it moves on to kube-controller-manager which generally fails to contact apiserver.
```shell
==> kube-apiserver [b7f5615b40f5] <==
api/all=true|false controls all API versions
api/ga=true|false controls all API versions of the form v[0-9]+
api/beta=true|false controls all API versions of the form v[0-9]+beta[0-9]+
api/alpha=true|false controls all API versions of the form v[0-9]+alpha[0-9]+
api/legacy is deprecated, and will be removed in a future version
Egress selector flags:
--egress-selector-config-file string File with apiserver egress selector configuration.
Admission flags:
--admission-control strings Admission is divided into two phases. In the first phase, only mutating admission plugins run. In the second phase, only validating admission plugins run. The names in the below list may represent a validating plugin, a mutating plugin, or both. The order of plugins in which they are passed to this flag does not matter. Comma-delimited list of: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodPreset, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. (DEPRECATED: Use --enable-admission-plugins or --disable-admission-plugins instead. Will be removed in a future version.)
--admission-control-config-file string File with admission control configuration.
--disable-admission-plugins strings admission plugins that should be disabled although they are in the default enabled plugins list (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodPreset, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.
--enable-admission-plugins strings admission plugins that should be enabled in addition to default enabled ones (NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, RuntimeClass, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota). Comma-delimited list of admission plugins: AlwaysAdmit, AlwaysDeny, AlwaysPullImages, CertificateApproval, CertificateSigning, CertificateSubjectRestriction, DefaultIngressClass, DefaultStorageClass, DefaultTolerationSeconds, DenyEscalatingExec, DenyExecOnPrivileged, EventRateLimit, ExtendedResourceToleration, ImagePolicyWebhook, LimitPodHardAntiAffinityTopology, LimitRanger, MutatingAdmissionWebhook, NamespaceAutoProvision, NamespaceExists, NamespaceLifecycle, NodeRestriction, OwnerReferencesPermissionEnforcement, PersistentVolumeClaimResize, PersistentVolumeLabel, PodNodeSelector, PodPreset, PodSecurityPolicy, PodTolerationRestriction, Priority, ResourceQuota, RuntimeClass, SecurityContextDeny, ServiceAccount, StorageObjectInUseProtection, TaintNodesByCondition, ValidatingAdmissionWebhook. The order of plugins in this flag does not matter.
Metrics flags:
--show-hidden-metrics-for-version string The previous version for which you want to show hidden metrics. Only the previous minor version is meaningful, other values will not be allowed. The format is
```
Thought maybe container status would also be helpful:
```
==> container status <==
CONTAINER      IMAGE          CREATED         STATE    NAME                     ATTEMPT  POD ID
b7f5615b40f52  7e28efa976bd1  32 seconds ago  Exited   kube-apiserver           6        ccb375e34f80e
dec4c19261121  da26705ccb4b5  2 minutes ago   Exited   kube-controller-manager  5        1bc19600914ba
8084421c42296  76216c34ed0c7  6 minutes ago   Running  kube-scheduler           0        eb21b69fad7a7
7bb1f3ab426ce  303ce5db0e90d  6 minutes ago   Running  etcd                     0        1a867ffafd0f8
```
Yeah, it would seem that whatever version of kube-apiserver in use doesn't accept the `--token-auth-file` despite it definitely being there in documentation. That's not the only missing command line parameter in that usage text too.
Hey @agentreno were you able to resolve this issue? I'd suggest using a version of kubernetes that supports this flag, which you can specify via:
```shell
minikube start --kubernetes-version=vx.y.z
```
hi @priyawadhwa :) I'm using version 1.18.3, I struggled to find a better reference but I think this file on this branch means it's supported by apiserver in that release?
Tested again and still seeing the same issue and same log output with apiserver usage info printed. Did you manage to get token auth working on a particular kubernetes version this way?
@agentreno do you mind trying with v1.19.2 and see if that helps? The latest version of minikube comes with kubernetes v.1.19
@medyagh Tried 1.19.2 and it still doesn't work.
Strange thing - when I started the minikube first it ran on K8s 1.16.15 (I haven't run minikube for a while - so some old version came from somewhere) and it started!:
```shell
minikube start --extra-config=apiserver.token-auth-file=tokens.csv
😄 minikube v1.13.1 on Darwin 10.15.6
🆕 Kubernetes 1.19.2 is now available. If you would like to upgrade, specify: --kubernetes-version=v1.19.2
✨ Using the docker driver based on existing profile
🎉 minikube 1.14.2 is available! Download it: https://github.com/kubernetes/minikube/releases/tag/v1.14.2
💡 To disable this notice, run: 'minikube config set WantUpdateNotification false'
👍 Starting control plane node minikube in cluster minikube
🔄 Restarting existing docker container for "minikube" ...
🐳 Preparing Kubernetes v1.16.15 on Docker 19.03.8 ...
▪ apiserver.token-auth-file=tokens.csv
🔎 Verifying Kubernetes components...
🌟 Enabled addons: default-storageclass, storage-provisioner
❗ /usr/local/bin/kubectl is version 1.18.8, which may have incompatibilites with Kubernetes 1.16.15.
💡 Want kubectl v1.16.15? Try 'minikube kubectl -- get pods -A'
🏄 Done! kubectl is now configured to use "minikube" by default
```
Though when later I changed this to 1.19 and back to 1.16 - it stopped working :(
```shell
minikube delete
...
minikube start --extra-config=apiserver.token-auth-file=tokens.csv --kubernetes-version=v1.19.2
😄 minikube v1.13.1 on Darwin 10.15.6
✨ Automatically selected the docker driver. Other choices: hyperkit, virtualbox
👍 Starting control plane node minikube in cluster minikube
🔥 Creating docker container (CPUs=2, Memory=8100MB) ...
🐳 Preparing Kubernetes v1.19.2 on Docker 19.03.8 ...
▪ apiserver.token-auth-file=tokens.csv
💢 initialization failed, will try again: ....
minikube delete
...
minikube start --extra-config=apiserver.token-auth-file=tokens.csv --kubernetes-version=v1.16.15
😄 minikube v1.13.1 on Darwin 10.15.6
✨ Automatically selected the docker driver. Other choices: hyperkit, virtualbox
👍 Starting control plane node minikube in cluster minikube
🔥 Creating docker container (CPUs=2, Memory=8100MB) ...
🐳 Preparing Kubernetes v1.16.15 on Docker 19.03.8 ...
▪ apiserver.token-auth-file=tokens.csv
💢 initialization failed, will try again
```
I've managed to make it work in this way:
```shell
mkdir -p ~/.minikube/files/etc/ca-certificates
cp tokens.csv ~/.minikube/files/etc/ca-certificates/
minikube --extra-config="apiserver.token-auth-file=/etc/ca-certificates/tokens.csv" start
```
The problem is that the file has to be in a folder that is mounted inside the apiserver pod.
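A pre-flight check for the workaround above, added here as an example (not code from minikube or from anyone in this thread): it tests whether a `--token-auth-file` path lies under a directory mounted into the kube-apiserver container and sanity-checks the `token,user,uid` rows. The manifest excerpt and the function names are constructed for illustration; take the real mount list from the cluster's own kube-apiserver manifest.

```python
import csv
import io
from pathlib import PurePosixPath

# Constructed excerpt of a kube-apiserver static pod manifest (sample input;
# the real mount list depends on the minikube and Kubernetes versions).
SAMPLE_MANIFEST = """\
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: ca-certs
    - mountPath: /etc/ca-certificates
      name: etc-ca-certificates
    - mountPath: /var/lib/minikube/certs
      name: k8s-certs
"""

def mount_paths(manifest):
    """Return every mountPath value found in the manifest text."""
    return [line.split("mountPath:", 1)[1].strip()
            for line in manifest.splitlines() if "mountPath:" in line]

def visible_in_pod(path, mounts):
    """True if path is a mount point or lies below one."""
    p = PurePosixPath(path)
    return any(PurePosixPath(m) == p or PurePosixPath(m) in p.parents
               for m in mounts)

def token_file_problems(text):
    """Check rows against the token,user,uid[,"group1,group2"] layout."""
    problems, seen = [], set()
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # blank line
        if len(row) < 3 or not all(col.strip() for col in row[:3]):
            problems.append(f"line {n}: need token,user,uid")
        elif row[0] in seen:
            problems.append(f"line {n}: token repeated")
        seen.add(row[0])
    return problems

if __name__ == "__main__":
    mounts = mount_paths(SAMPLE_MANIFEST)
    for candidate in ("/etc/tokens.csv", "/etc/ca-certificates/tokens.csv"):
        state = "visible" if visible_in_pod(candidate, mounts) else "NOT visible"
        print(f"{candidate}: {state} inside the apiserver container")
    print(token_file_problems("mytoken,myuser,123\n"))
```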
@jordeu thank you for finding this workaround! This would be a cool tutorial to add to our website.
@medyagh I'd like to work on this
/assign
@jordeu nice fix, I've tested and it works for me also :+1:
@Aut0R3V Are you still working on this?
Issues go stale after 90d of inactivity.
Mark the issue as fresh with `/remove-lifecycle stale`.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with `/close`.
Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with `/remove-lifecycle rotten`.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with `/close`.
Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
@Aut0R3V, This issue is very old, I'll take it over!
/remove-lifecycle rotten
https://minikube.sigs.k8s.io/docs/tutorials/token-auth-file/ should explain why etc/ca-certificates/ is important
Steps to reproduce the issue:

1. `~/.minikube/files/etc/tokens.csv` file containing `mytoken,myuser,123` in the defined format for static token files.
2. `minikube start --extra-config=apiserver.token-auth-file=/etc/tokens.csv`
3. `minikube ssh` and `cat /etc/tokens.csv`

Full output of failed command: Including `--alsologtostderr`:

Full output of `minikube start` command used, if not already included: Already included above.

Optional: Full output of `minikube logs` command: Available on request (doesn't look relevant).