Closed jsparter closed 1 year ago
@jsparter, could you please check the content of kubeadm.yaml:
cat /etc/kubernetes/kubeadm.yaml | grep PodSecurityPolicy
@kakaZhou719
[root@k8s-master-xx ~]# cat /etc/kubernetes/kubeadm.yaml | grep PodSecurityPolicy
enable-admission-plugins: PodSecurityPolicy,NodeRestriction
Oh, if we set PodSecurityPolicy in ClusterConfiguration in kubeadm.yaml, this admission plugin will restrict pod creation. @Stevent-fei has already updated this cluster image; please update your cluster image and try again.
@kakaZhou719 I pulled the same image and cannot get calico running. Here is the operator's log:
E1013 02:44:35.832437 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.3/tools/cache/reflector.go:167: Failed to watch *v1.BGPConfiguration: failed to list *v1.BGPConfiguration: bgpconfigurations.crd.projectcalico.org is forbidden: User "system:serviceaccount:tigera-operator:tigera-operator" cannot list resource "bgpconfigurations" in API group "crd.projectcalico.org" at the cluster scope
E1013 02:44:58.665221 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.3/tools/cache/reflector.go:167: Failed to watch *v1.BGPConfiguration: failed to list *v1.BGPConfiguration: bgpconfigurations.crd.projectcalico.org is forbidden: User "system:serviceaccount:tigera-operator:tigera-operator" cannot list resource "bgpconfigurations" in API group "crd.projectcalico.org" at the cluster scope
And if I edit the clusterrole for bgpconfigurations, it is still not working:
{"level":"error","ts":1665629324.9539669,"logger":"controller.tigera-installation-controller","msg":"Reconciler error","name":"tigera-operator-token-frnml","namespace":"tigera-operator","error":"Could not resolve CalicoNetwork IPPool and kubeadm configuration: IPPool 100.64.0.0/10 is not within the platform's configured pod network CIDR(s) [100.64.0.0/16]","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.9.7/pkg/internal/controller/controller.go:214"}
{"level":"error","ts":1665629325.0432544,"logger":"controller_installation","msg":"ResourceReadError","Request.Namespace":"","Request.Name":"calico","ResourceReadError":"Error querying installation","error":"Could not resolve CalicoNetwork IPPool and kubeadm configuration: IPPool 100.64.0.0/10 is not within the platform's configured pod network CIDR(s) [100.64.0.0/16]","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.9.7/pkg/internal/controller/controller.go:253\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.9.7/pkg/internal/controller/controller.go:214"}
{"level":"error","ts":1665629325.043346,"logger":"controller.tigera-installation-controller","msg":"Reconciler error","name":"calico","namespace":"","error":"Could not resolve CalicoNetwork IPPool and kubeadm configuration: IPPool 100.64.0.0/10 is not within the platform's configured pod network CIDR(s) [100.64.0.0/16]","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.9.7/pkg/internal/controller/controller.go:214"}
FYI, image id is 93a4ec00160f
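The operator logs quoted in the comment above show two separate failures: an RBAC denial for the tigera-operator service account and an IPPool that is wider than the pod network CIDR. As an added example (not part of this thread and not sealer or tigera-operator code), the script below separates the two in a log and re-checks the CIDR containment. The sample lines are constructed, shortened copies of the lines in this thread, and `triage` and `pool_within` are names made up for this example.

```python
import ipaddress
import json
import re

# Constructed sample: shortened copies of the klog and JSON lines in this thread.
SAMPLE_LOG = [
    'E1013 02:44:35.832437 1 reflector.go:138] Failed to watch *v1.BGPConfiguration: User '
    '"system:serviceaccount:tigera-operator:tigera-operator" cannot list resource '
    '"bgpconfigurations" in API group "crd.projectcalico.org" at the cluster scope',
    '{"level":"error","msg":"Reconciler error","error":"IPPool 100.64.0.0/10 is not '
    'within the platform\'s configured pod network CIDR(s) [100.64.0.0/16]"}',
    '{"level":"info","msg":"constructed unrelated line"}',
]

FORBIDDEN = re.compile(r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource '
                       r'"(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)"')
IPPOOL = re.compile(r"IPPool (?P<pool>\S+) is not within the platform's configured "
                    r"pod network CIDR\(s\) \[(?P<cidrs>[^\]]*)\]")


def pool_within(pool, pod_cidrs):
    """True if the IPPool is fully contained in one of the pod network CIDRs."""
    net = ipaddress.ip_network(pool)
    parents = (ipaddress.ip_network(c) for c in pod_cidrs)
    return any(net.version == p.version and net.subnet_of(p) for p in parents)


def triage(lines):
    """Return de-duplicated RBAC and IPPool findings, in first-seen order."""
    findings = []
    for line in lines:
        text = line
        if line.lstrip().startswith("{"):
            try:
                text = json.loads(line).get("error", "")
            except json.JSONDecodeError:
                pass  # not valid JSON after all: match against the raw line
        m = FORBIDDEN.search(text)
        if m:
            item = ("rbac", m["user"], m["verb"], m["resource"], m["group"])
        else:
            m = IPPOOL.search(text)
            if not m:
                continue
            cidrs = tuple(m["cidrs"].split())  # Go prints slices space-separated
            item = ("ippool", m["pool"], cidrs, pool_within(m["pool"], cidrs))
        if item not in findings:
            findings.append(item)
    return findings
```

Calling `triage(SAMPLE_LOG)` yields one finding per root cause; the last field of an `ippool` finding is `False` when the pool does not fit inside any configured pod CIDR, as with the /10 pool against the /16 pod network here.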
@kakaZhou719 I pulled this image again, but I found that the image ID doesn't change, and the problem is still here
REPOSITORY TAG IMAGE ID CREATED SIZE
registry.cn-qingdao.aliyuncs.com/sealer-io/kubernetes v1.20.15-test 93a4ec00160f 28 hours ago 865 MB
I've fixed it and can see the list of currently supported images in readme. If there is no problem, I will close this issue before December 2nd.
What happened?
I ran
sealer run registry.cn-qingdao.aliyuncs.com/sealer-io/kubernetes:v1.20.15-test
as #1763 said, and sealer didn't report an error. But the node is NotReady, and there is no pod in kube-system.
I noticed there are containers:
Error logs of container 6b8e6a9c350c as follows:
There is a deployment of coredns:
I'm confused why coredns isn't running, and whether it causes the cluster not to work?
Relevant log output?
output of sealer run:
Error logs of tigera-operator container as follows:
Some logs of etcd container:
Some logs of apiserver:
What you expected to happen?
sealer run successfully and cluster works properly
How to reproduce it (as minimally and precisely as possible)?
Anything else we need to know?
No response
What is the version of Sealer you are using?
{"gitVersion":"unknown","gitCommit":"50b1c7aa","buildDate":"2022-10-12 12:00:38","goVersion":"go1.17.7","compiler":"gc","platform":"linux/amd64"}
What is your OS environment?
CentOS Linux 7
What is the Kernel version?
Linux 5.17.1-1.el7.elrepo.x86_64
Other environment you want to tell us?