Comments (8)
I'd try some/all of the following for one of the applications:
- Check the logs of the application pod(s)
- Check which endpoint(s) the service maps to
- Check if you can reach the endpoint(s) via kubectl port-forward
- Check if you can reach the endpoint(s) from a running pod
Also feel free to submit a support ticket so that we can take a closer look.
from doks.
1). Nothing in the cert-manager logs, looks like timeout/connection errors in the cert manager logs.
E1118 16:33:21.799398 1 controller.go:131] cert-manager/controller/ingress-shim "msg"="re-queuing item due to error processing" "error"="Internal error occurred: failed calling webhook \"webhook.cert-manager.io\": the server is currently unable to handle the request" "key"="default/test"
2).
metrics-server
Name:              metrics-server
Namespace:         kube-system
Labels:            kubernetes.io/cluster-service=true
                   kubernetes.io/name=Metrics-server
Annotations:       kubectl.kubernetes.io/last-applied-configuration:
                     {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"kubernetes.io/cluster-service":"true","kubernetes.io/name":"Me...
Selector:          k8s-app=metrics-server
Type:              ClusterIP
IP:                10.245.47.213
Port:              <unset>  443/TCP
TargetPort:        main-port/TCP
Endpoints:         10.244.2.116:4443
Session Affinity:  None
Events:            <none>
cert-manager
Name:              cert-manager-webhook
Namespace:         cert-manager
Labels:            app=webhook
                   app.kubernetes.io/instance=cert-manager
                   app.kubernetes.io/managed-by=Tiller
                   app.kubernetes.io/name=webhook
                   helm.sh/chart=cert-manager-v0.11.0
Annotations:       kubectl.kubernetes.io/last-applied-configuration:
                     {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"webhook","app.kubernetes.io/instance":"cert-manager","ap...
Selector:          app.kubernetes.io/instance=cert-manager,app.kubernetes.io/managed-by=Tiller,app.kubernetes.io/name=webhook,app=webhook
Type:              ClusterIP
IP:                10.245.173.138
Port:              https  443/TCP
TargetPort:        6443/TCP
Endpoints:         10.244.3.27:6443
Session Affinity:  None
Events:            <none>
3 and 4). Can't seem to connect to these endpoints, they do respond, but I am getting a 403. Below is the response inside the cluster.
curl -k https://cert-manager-webhook.cert-manager
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
  },
  "status": "Failure",
  "message": "forbidden: User \"system:anonymous\" cannot get path \"/\"",
  "reason": "Forbidden",
  "details": {
  },
  "code": 403
}
What port is the API server configured to listen on? I wonder if the port mappings are incorrect or if there is something blocking requests to the API server?
from doks.
Adding hostNetwork: true to the deployment spec "fixes" the issue but I'm not really sure why this would be needed.
The firewall rules in the DO console seem to indicate that the 10.0.0.0/8 network should be allowed, so I would have guessed that would include things in the Kubernetes cluster?
from doks.
Hey @jmreicha. Sorry, this one fell off my radar.
Is this still an issue for you? If so, then I'd suggest filing a DO support ticket. That should kick off a process which is better suited to address customer support requests in a reliable, short-term manner.
from doks.
Still an issue, I already have a support ticket open. They said it was better to use this issue 😄
from doks.
@jmreicha did you manage to resolve the issue with our support, or am I misreading our internal communication?
from doks.
@timoreimann Yep we got it sorted.
Just a note if anybody else comes across this issue, changing the cert-manager validating and mutating webhooks to failurePolicy: Ignore as well as restarting the control plane seems to fix the issue.
from doks.
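To see what each webhook does when it cannot be called, which is what the failurePolicy change above alters, here is an added example (not from the thread, DOKS or cert-manager) that reports the effective failure policy per webhook, including the API-version default when the field is omitted. The function name `audit_webhooks` is hypothetical and the sample JSON is constructed, reusing the webhook and service names shown in this thread.

```python
import json

# API-server defaults when a webhook omits the field (v1beta1 differs from v1).
DEFAULTS = {
    "admissionregistration.k8s.io/v1": ("Fail", 10),
    "admissionregistration.k8s.io/v1beta1": ("Ignore", 30),
}

def audit_webhooks(doc):
    """Summarise failure behaviour for every webhook in a kubectl JSON List."""
    findings = []
    for item in doc.get("items", []):
        d_policy, d_timeout = DEFAULTS.get(item.get("apiVersion"), ("Fail", 10))
        for hook in item.get("webhooks") or []:
            policy = hook.get("failurePolicy", d_policy)
            svc = (hook.get("clientConfig") or {}).get("service")
            findings.append({
                "config": f'{item["kind"]}/{item["metadata"]["name"]}',
                "webhook": hook["name"],
                "target": f'{svc["namespace"]}/{svc["name"]}' if svc else "external URL",
                "failurePolicy": policy,
                "timeoutSeconds": hook.get("timeoutSeconds", d_timeout),
                # Fail: requests are rejected when the webhook cannot be called.
                # Ignore: requests are admitted without the webhook's checks.
                "fails_open": policy == "Ignore",
            })
    return findings

# Constructed sample, shaped like the output of:
#   kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o json
SAMPLE = json.loads("""
{"kind": "List", "apiVersion": "v1", "items": [
  {"apiVersion": "admissionregistration.k8s.io/v1beta1",
   "kind": "ValidatingWebhookConfiguration",
   "metadata": {"name": "cert-manager-webhook"},
   "webhooks": [{"name": "webhook.cert-manager.io", "failurePolicy": "Fail",
     "clientConfig": {"service": {"namespace": "cert-manager", "name": "cert-manager-webhook"}}}]},
  {"apiVersion": "admissionregistration.k8s.io/v1beta1",
   "kind": "MutatingWebhookConfiguration",
   "metadata": {"name": "cert-manager-webhook"},
   "webhooks": [{"name": "webhook.cert-manager.io",
     "clientConfig": {"service": {"namespace": "cert-manager", "name": "cert-manager-webhook"}}}]}
]}
""")

if __name__ == "__main__":
    for finding in audit_webhooks(SAMPLE):
        print(finding)
```

Entries with `fails_open` set admit matching resources without validation or mutation whenever the webhook service is unreachable, so they are worth tracking once connectivity is restored.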
Thanks for the note explaining how you got this fixed, appreciated.
from doks.