istio: Istio sidecar injection failing with error - MountVolume.SetUp failed for volume "istiod-ca-cert" : configmap "istio-ca-root-cert" not found

Bug Description Istiod is not responding to new namespaces. Created a new namespace and labelled istio-injectio=enabled. I deployed one app to the namespace and the pod is stuck in init stage. Istio proxy is not able to mount configmap “istio-ca-root-cert”

Unable to mount volumes for pod “azure-vote-front-5bc759676c-7hg5t_am-dev(a45f7c3a-d546-4461-af15-c5442ae39de9)”: timeout expired waiting for volumes to attach or mount for pod “am-dev”/“azure-vote-front-5bc759676c-7hg5t”.

Last log from istiod -

2020-03-25T10:04:33.132573Z warn k8s.io/client-go@v0.17.2/tools/cache/reflector.go:105: watch of *v1.ConfigMap ended with: too old resource version: 2764317 (2764517)

list of unmounted volumes=[istiod-ca-cert]. list of unattached volumes=[default-token-58r9k istio-envoy podinfo istio-token istiod-ca-cert]

Warning FailedMount 3m57s (x33 over 54m) kubelet, aks-linuxpool02-21909056-vmss000000 MountVolume.SetUp failed for volume “istiod-ca-cert” : configmap “istio-ca-root-cert” not found

[ x] Configuration Infrastructure [ ] Docs [ ] Installation [x ] Networking [ ] Performance and Scalability [ ] Policies and Telemetry [ ] Security [ ] Test and Release [ ] User Experience [x ] Developer Infrastructure

New namespace should have configmap “istio-ca-root-cert” and should deploy the app

Steps to reproduce the bug This happened intermittently. In one of the namespace I was able to attach the proxy and once the problem started, further no namespace is working.

Version (include the output of istioctl version --remote and kubectl version and helm version if you used Helm) Istioctl - client version: 1.5.0 kubectl - server: v1.15.7, client: v1.17.0

How was Istio installed? istioctl

Environment where bug was observed (cloud vendor, OS, etc) Azure Kubernetes Engine

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Reactions: 36
  • Comments: 94 (34 by maintainers)

Commits related to this issue

Most upvoted comments

This issue needs to be re-opened. It definitely can still occur in all versions

+10
Talador12 on Mar 14, 2023

I am facing the same issue with 1.5.1 and doing a restart of the istiod deployment is a valid workaround in the meantime:

kubectl -n istio-system rollout restart deployment istiod
+6
emedina on Apr 17, 2020

Is everyone facing this issue on AKS? Seems 4 of the people that have reported it are on azure?

+5
howardjohn on Apr 2, 2020

Still facing the same issue in 1.5.6

+4
okpoyu on Jul 1, 2020

I have the same issue when I upgrade istio from 1.5.0 (installed by apply helm generated yaml files) to 1.5.4 by apply istioctl manifest generate yaml file.

I have both a fix and a reproducer. Fix: #23783

To reproduce, modify the istio-leader configmap and change holder identity to something else. After a minute or so everything will be broken

I got some thought from the aboved explain. So I check the istio-leader.

When I see the configmap istio-leader in the istio-system, I found the clue. the old pilot are still the istio-leader, so the new istiod will not became the namespace controller, so the configmap istio-ca-root-cert was not created in the namespace that was injected.

apiVersion: v1
kind: ConfigMap
metadata:
  annotations:
    control-plane.alpha.kubernetes.io/leader: '{"holderIdentity":"istio-pilot-9979d9b5c-bw7sw","leaseDurationSeconds":30,"acquireTime":"2020-05-29T01:36:04Z","renewTime":"2020-05-29T02:50:45Z","leaderTransitions":0}'
  creationTimestamp: "2020-05-29T01:36:04Z"
  name: istio-leader
  namespace: istio-system
  resourceVersion: "41583"
  selfLink: /api/v1/namespaces/istio-system/configmaps/istio-leader
  uid: 4842a8ce-fb32-4224-91e2-9e2e51acf86b

In order to fix this, we shoud make the new istiod become the istio-leader, so you can delete the old istio-pilot, or delete the istio-leader configmap in the istio-system, and then check if the new istiod is become the new leader

+4
mgxian on May 29, 2020

Istio does not yet support ARM which would explain the raspberry pi one

On Sun, Mar 20, 2022, 11:32 AM Greg @.***> wrote:

Same issue for me on a 4-node RasPi-4 cluster with Istio 1.13.2

— Reply to this email directly, view it on GitHub https://github.com/istio/istio/issues/22463#issuecomment-1073307268, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAEYGXMH24XEX3LGC3TUIR3VA5VKDANCNFSM4LTK3Z6A . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

You are receiving this because you were mentioned.Message ID: @.***>

+3
howardjohn on Mar 20, 2022

meet same issue in 1.9.0

+3
heluocs on Apr 30, 2021

I have both a fix and a reproducer. Fix: https://github.com/istio/istio/pull/23783

To reproduce, modify the istio-leader configmap and change holder identity to something else. After a minute or so everything will be broken

+3
howardjohn on May 12, 2020

I am also getting this error using EKS 1.21 with Istio 1.11.5. Everything works fine, but this error is causing concern for the developers on our platform.

+2
jbilliau-rcd on Jan 18, 2022

@dkirrane that is a difference issue, root cause is Istiod not starting up. Probably because of https://preliminary.istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens

+2
howardjohn on Jun 5, 2020

There are a few PRs merged for this issue (e.g., https://github.com/istio/istio/pull/22598 and https://github.com/istio/istio/pull/22606). Does this issue occur for an Istio binary with these PRs?

Meanwhile, thanks @emedina for sharing a workaround, which restarts the istiod deployment through “kubectl -n istio-system rollout restart deployment istiod”.

+2
lei-tang on Apr 23, 2020

@KIRY4 just update to 1.5.4 and it’s fixed

+1
howardjohn on Jun 3, 2020

For docker-desktop, demo

For docker-desktop, trustworthy JWTs are still not enabled. Editing the API server pod config with:

    - --service-account-key-file=/run/config/pki/sa.pub
+    - --service-account-signing-key-file=/run/config/pki/sa.key
+    - --service-account-issuer=api
+    - --api-audiences=api

can’t be done as it’s overwritten by the Docker Desktop application continuously.

However, since SDS moved into istiod now, it can’t be shut off; despite configuring the IstioOperator CRD like so:

        sds:
          enabled: false
# and further down
      sds:
        enabled: false
        token:
          aud: istio-ca
        udsPath: ""

For GKE, demo

This error is new:

istiod-668dd9d86b-57nzg discovery {“level”:“info”,“time”:“2020-04-28T13:37:05.272378Z”,“scope”:“validationController”,“msg”:“Reconcile(enter): retry dry-run creation of invalid config”}

But then there’s a new port that needs to be opened from GKE master -> 15017, or you’ll get timeouts when deploying VirtualServices.

On the up-side, all tokens are generated and we got it running!!! 🔆

+1
haf on Apr 28, 2020

Hi,

We are facing the same issue with 1.5.2 on AKS, our pods are stuck on the Init phase:

Events:
  Type     Reason       Age                 From                                      Message
  ----     ------       ----                ----                                      -------
  Normal   Scheduled    42m                 default-scheduler                         Successfully assigned nto-payment/customer-app-5c5ff5c5f-hxs9f to aks-default-16109932-vmss000000
  Warning  FailedMount  11m (x23 over 42m)  kubelet, aks-default-16109932-vmss000000  MountVolume.SetUp failed for volume "istiod-ca-cert" : configmap "istio-ca-root-cert" not found
  Warning  FailedMount  98s (x18 over 40m)  kubelet, aks-default-16109932-vmss000000  Unable to mount volumes for pod "customer-app-5c5ff5c5f-hxs9f_nto-payment(4b227c43-d6dd-42f4-aac5-78afef26c8e0)": timeout expired waiting for volumes to attach or mount for pod "nto-payment"/"customer-app-5c5ff5c5f-hxs9f". list of unmounted volumes=[istiod-ca-cert]. list of unattached volumes=[default-token-h5c9m istio-envoy podinfo istio-token istiod-ca-cert]

using this IstioOperator spec:

apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
spec:
  profile: default
  components:
    policy:
      enabled: true
    sidecarInjector:
      enabled: true
    citadel:
      enabled: true
    telemetry:
      enabled: true
  addonComponents:
    prometheus:
      enabled: false
  values:
    global:
      disablePolicyChecks: false
    telemetry:
      v1:
        enabled: true
      v2:
        enabled: false

started working again after restarting the istiod deployment and our app pods.

+1
dosten on Apr 24, 2020
Read more comments on GitHub
← istio: Istio Sidecar consuming high CPU Istio 1.30-1.3.3
istio: Istio standard service metrics not showing up in prometheus →