Comments (4)
refer to #5586 (comment) to set featureGates 😄
配置后部署 需要加载in-cluster conf 的时候(部署https://github.com/4paradigm/k8s-vgpu-scheduler ), 会报下面的错误,然后 边缘节点的 node 会 NotReady 状态,cloudcore 所在的node 上没有部署 edgemesh-agent
cloudcore 的错误日志如下:
I0515 10:58:22.649222 1 node_session.go:137] Start session for edge node barry-edge-aibox-01
I0515 10:58:22.722992 1 upstream.go:89] Dispatch message: cebc4894-ae3b-480b-ae39-267c880de6f8
I0515 10:58:22.723018 1 upstream.go:96] Message: cebc4894-ae3b-480b-ae39-267c880de6f8, resource type is: membership/detail
W0515 10:58:23.870590 1 reflector.go:535] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: failed to list *v1.ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot list resource "serviceaccounts" in API group "" at the cluster scope
E0515 10:58:23.870627 1 reflector.go:147] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: Failed to watch *v1.ServiceAccount: failed to list *v1.ServiceAccount: serviceaccounts is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot list resource "serviceaccounts" in API group "" at the cluster scope
I0515 10:58:24.581280 1 tunnelserver.go:121] get a new tunnel agent hostname barry-edge-aibox-01, internalIP 192.168.8.19
W0515 10:58:24.867957 1 reflector.go:535] k8s.io/client-go/informers/factory.go:150: failed to list *v1.CertificateSigningRequest: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot list resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope
E0515 10:58:24.867990 1 reflector.go:147] k8s.io/client-go/informers/factory.go:150: Failed to watch *v1.CertificateSigningRequest: failed to list *v1.CertificateSigningRequest: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot list resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope
E0515 10:58:26.406436 1 upstream.go:1044] message: 6a575fcb-05c4-4074-9d0a-5ca031d5ec5c process failure, patch pod failed with error: pods "edgemesh-agent-wl9g8" not found, namespace: kubeedge, name: edgemesh-agent-wl9g8
E0515 10:58:27.910389 1 upstream.go:1327] create CertificateSigningRequests metaserver-csr-barry-edge-aibox-01 failed, error: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot create resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope
E0515 10:58:30.280279 1 upstream.go:1327] create CertificateSigningRequests metaserver-csr-barry-edge-aibox-01 failed, error: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot create resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope
E0515 10:58:34.911303 1 upstream.go:777] apiserver get service account token failed: err pods "edgemesh-agent-wl9g8" not found
W0515 10:58:34.911328 1 upstream.go:703] message: 7ded5928-791d-4788-b54a-b45f0a1ef701 process failure, resource not found, namespace: kubeedge, name: edgemesh-agent
E0515 10:58:35.068586 1 upstream.go:1327] create CertificateSigningRequests metaserver-csr-barry-edge-aibox-01 failed, error: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot create resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope
E0515 10:58:36.405166 1 upstream.go:1044] message: c2da383b-18af-465d-bcd8-d589f0a2581f process failure, patch pod failed with error: pods "edgemesh-agent-wl9g8" not found, namespace: kubeedge, name: edgemesh-agent-wl9g8
W0515 10:58:39.077347 1 reflector.go:535] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: failed to list *v1alpha1.ServiceAccountAccess: serviceaccountaccesses.policy.kubeedge.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot list resource "serviceaccountaccesses" in API group "policy.kubeedge.io" at the cluster scope
E0515 10:58:39.077378 1 reflector.go:147] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: Failed to watch *v1alpha1.ServiceAccountAccess: failed to list *v1alpha1.ServiceAccountAccess: serviceaccountaccesses.policy.kubeedge.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot list resource "serviceaccountaccesses" in API group "policy.kubeedge.io" at the cluster scope
E0515 10:58:43.387824 1 upstream.go:1327] create CertificateSigningRequests metaserver-csr-barry-edge-aibox-01 failed, error: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot create resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope
E0515 10:58:46.410428 1 upstream.go:1044] message: 75633096-c873-4aee-98c9-479419a3aa42 process failure, patch pod failed with error: pods "edgemesh-agent-wl9g8" not found, namespace: kubeedge, name: edgemesh-agent-wl9g8
W0515 10:58:50.306539 1 reflector.go:535] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: failed to list *v1.Role: roles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot list resource "roles" in API group "rbac.authorization.k8s.io" at the cluster scope
E0515 10:58:50.306570 1 reflector.go:147] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: Failed to watch *v1.Role: failed to list *v1.Role: roles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot list resource "roles" in API group "rbac.authorization.k8s.io" at the cluster scope
E0515 10:58:56.406373 1 upstream.go:1044] message: 630c285f-193f-4aab-962e-4c6cfd0b0fb0 process failure, patch pod failed with error: pods "edgemesh-agent-wl9g8" not found, namespace: kubeedge, name: edgemesh-agent-wl9g8
W0515 10:58:58.970368 1 reflector.go:535] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: failed to list *v1.RoleBinding: rolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
E0515 10:58:58.970400 1 reflector.go:147] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: Failed to watch *v1.RoleBinding: failed to list *v1.RoleBinding: rolebindings.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot list resource "rolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
E0515 10:59:00.414457 1 upstream.go:1327] create CertificateSigningRequests metaserver-csr-barry-edge-aibox-01 failed, error: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot create resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope
^[cW0515 10:59:01.018243 1 reflector.go:535] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: failed to list *v1.ClusterRole: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
E0515 10:59:01.018289 1 reflector.go:147] sigs.k8s.io/controller-runtime/pkg/cache/internal/informers.go:233: Failed to watch *v1.ClusterRole: failed to list *v1.ClusterRole: clusterroles.rbac.authorization.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot list resource "clusterroles" in API group "rbac.authorization.k8s.io" at the cluster scope
cloudcore-6bc8d4c566-tbvzq 0/1 CrashLoopBackOff
I0515 16:07:36.979456 1 upstream.go:96] Message: 3af40425-9743-4000-b9a6-a013aa92a2b2, resource type is: membership/detail
I0515 16:07:36.979461 1 upstream.go:89] Dispatch message: 3addb571-0f5d-40f1-beb4-92989cfb7a48
I0515 16:07:36.979467 1 upstream.go:96] Message: 3addb571-0f5d-40f1-beb4-92989cfb7a48, resource type is: membership/detail
I0515 16:07:37.018290 1 upstream.go:89] Dispatch message: 2bc3c3d3-626e-4a66-8c2d-8e027216b53e
I0515 16:07:37.018308 1 upstream.go:96] Message: 2bc3c3d3-626e-4a66-8c2d-8e027216b53e, resource type is: membership/detail
I0515 16:07:37.033522 1 upstream.go:89] Dispatch message: cf19ed63-989c-4114-8bba-d38eab084f2c
I0515 16:07:37.033540 1 upstream.go:96] Message: cf19ed63-989c-4114-8bba-d38eab084f2c, resource type is: membership/detail
E0515 16:07:37.035048 1 upstream.go:1327] create CertificateSigningRequests metaserver-csr-barry-edge-aibox-01 failed, error: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot create resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope
I0515 16:07:37.067514 1 upstream.go:89] Dispatch message: b5238eaa-e8f6-4f7a-92d5-0728f0602298
I0515 16:07:37.067547 1 upstream.go:96] Message: b5238eaa-e8f6-4f7a-92d5-0728f0602298, resource type is: membership/detail
I0515 16:07:37.100398 1 upstream.go:89] Dispatch message: 8bccea99-f180-45af-abda-b1215cb5f049
I0515 16:07:37.100418 1 upstream.go:96] Message: 8bccea99-f180-45af-abda-b1215cb5f049, resource type is: membership/detail
[controller-runtime] log.SetLogger(...) was never called, logs will not be displayed:
goroutine 3245 [running]:
runtime/debug.Stack()
/usr/local/go/src/runtime/debug/stack.go:24 +0x65
github.com/kubeedge/kubeedge/vendor/sigs.k8s.io/controller-runtime/pkg/log.eventuallyFulfillRoot()
/go/src/github.com/kubeedge/kubeedge/vendor/sigs.k8s.io/controller-runtime/pkg/log/log.go:59 +0xbd
github.com/kubeedge/kubeedge/vendor/sigs.k8s.io/controller-runtime/pkg/log.(*delegatingLogSink).Error(0xc00088aa40, {0x28be440, 0xc0030fa620}, {0x25742d4, 0x20}, {0x0, 0x0, 0x0})
/go/src/github.com/kubeedge/kubeedge/vendor/sigs.k8s.io/controller-runtime/pkg/log/deleg.go:139 +0x68
github.com/kubeedge/kubeedge/vendor/github.com/go-logr/logr.Logger.Error({{0x28eb578?, 0xc00088aa40?}, 0x4442b1?}, {0x28be440, 0xc0030fa620}, {0x25742d4, 0x20}, {0x0, 0x0, 0x0})
/go/src/github.com/kubeedge/kubeedge/vendor/github.com/go-logr/logr/logr.go:299 +0xda
github.com/kubeedge/kubeedge/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.1({0x28e4d70?, 0xc00049d360?}, 0xc0003d2320, {0x28d07a8, 0xc0004accf0})
/go/src/github.com/kubeedge/kubeedge/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:202 +0x186
github.com/kubeedge/kubeedge/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2(0xc0003d2320, {0x28e4d70?, 0xc00049d360}, 0xc00064e3a0)
/go/src/github.com/kubeedge/kubeedge/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:207 +0x418
github.com/kubeedge/kubeedge/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start(0xc0003d2320, {0x28e4d70, 0xc00049d360})
/go/src/github.com/kubeedge/kubeedge/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:233 +0x165
github.com/kubeedge/kubeedge/vendor/sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile.func1(0xc000618c60)
/go/src/github.com/kubeedge/kubeedge/vendor/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go:219 +0xdb
created by github.com/kubeedge/kubeedge/vendor/sigs.k8s.io/controller-runtime/pkg/manager.(*runnableGroup).reconcile
/go/src/github.com/kubeedge/kubeedge/vendor/sigs.k8s.io/controller-runtime/pkg/manager/runnable_group.go:203 +0x1ad
E0515 16:07:46.362762 1 upstream.go:1044] message: 7591143f-0ac4-43b5-968e-558f3f4f2298 process failure, patch pod failed with error: pods "edgemesh-agent-wl9g8" not found, namespace: kubeedge, name: edgemesh-agent-wl9g8
E0515 16:07:54.639966 1 upstream.go:777] apiserver get service account token failed: err pods "edgemesh-agent-wl9g8" not found
W0515 16:07:54.639992 1 upstream.go:703] message: a1635f88-95e4-4d07-9d74-203669e0b600 process failure, resource not found, namespace: kubeedge, name: edgemesh-agent
E0515 16:07:56.362200 1 upstream.go:1044] message: 0728eb57-c08f-464a-9c6f-459371eab014 process failure, patch pod failed with error: pods "edgemesh-agent-wl9g8" not found, namespace: kubeedge, name: edgemesh-agent-wl9g8
E0515 16:08:06.361879 1 upstream.go:1044] message: fdc3dd7e-2742-45fe-bd62-c979e2974e8e process failure, patch pod failed with error: pods "edgemesh-agent-wl9g8" not found, namespace: kubeedge, name: edgemesh-agent-wl9g8
E0515 16:08:09.066397 1 upstream.go:1327] create CertificateSigningRequests metaserver-csr-barry-edge-aibox-01 failed, error: certificatesigningrequests.certificates.k8s.io is forbidden: User "system:serviceaccount:kubeedge:cloudcore" cannot create resource "certificatesigningrequests" in API group "certificates.k8s.io" at the cluster scope
F0515 16:08:09.134946 1 policycontroller.go:102] failed to start controller manager, [failed to wait for serviceaccountaccess caches to sync: timed out waiting for cache to be synced for Kind *v1alpha1.ServiceAccountAccess, failed waiting for all runnables to end within grace period of 30s: context deadline exceeded]
from kubeedge.
refer to #5586 (comment) to set featureGates 😄
from kubeedge.
CSR related clusterRoleBinding will be created when you using keadm init cloudcore and set cloudCore.featureGates.requireAuthorization=true
. If you config the featureGates and then restart cloudcore, thie clusterRoleBinding will not be created and you need to create it munually refer to https://github.com/kubeedge/kubeedge/blob/master/manifests/charts/cloudcore/templates/rbac_cloudcore_feature.yaml
from kubeedge.
CSR related clusterRoleBinding will be created when you using keadm init cloudcore and set
cloudCore.featureGates.requireAuthorization=true
. If you config the featureGates and then restart cloudcore, thie clusterRoleBinding will not be created and you need to create it munually refer to https://github.com/kubeedge/kubeedge/blob/master/manifests/charts/cloudcore/templates/rbac_cloudcore_feature.yaml
可以了,谢谢
from kubeedge.
Related Issues (20)
- Integrate with Tekton and Tekton Chains to achieve SLSA level 2 compliance
- edgestream cannot auto reconnect when server.cert is expire HOT 1
- Conformance test in CI always failed in recent PRs
- 使用keadm正常安装CloudCore和EdgeCore后使用keadm reset卸载CloudCore换另一个advertise-address再次init CloudCore,出现问题 HOT 3
- when deployed kubeedge in aarch64 board, mosquitto installed failed HOT 1
- Container runtime e2e test often fails to run HOT 2
- Improve kubeedge api migration feature HOT 1
- unable to authenticate when serviceaccounttoken expired
- kubekey扩展kubeedge HOT 1
- kubeedge 1.18在k8s 1.28.7上创建devicemodel版本不对 HOT 2
- cloudcore cloudn't provide vaild token for edgenode to join cluster HOT 1
- Any quick path of delpoy KubeEdge for development and bug reproduction? HOT 3
- Get pod logs failed HOT 4
- kubeedge可以在边缘端使用PVC吗? HOT 4
- Observations and suggestions on issue management in the KubeEdge Project HOT 6
- keadm reset error HOT 1
- keadm reset cannot delete the /var/lib/edged folder
- 边缘节点的应用无法访问 HOT 1
- Pods in edge can't access cloud and resolve services. HOT 3
- the meaning of lastversion shown in https://kubeedge.io/latestversion HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kubeedge.