istio: Istio sidecar injection failing with error - MountVolume.SetUp failed for volume "istiod-ca-cert" : configmap "istio-ca-root-cert" not found
Bug Description Istiod is not responding to new namespaces. Created a new namespace and labelled istio-injectio=enabled. I deployed one app to the namespace and the pod is stuck in init stage. Istio proxy is not able to mount configmap “istio-ca-root-cert”
Unable to mount volumes for pod “azure-vote-front-5bc759676c-7hg5t_am-dev(a45f7c3a-d546-4461-af15-c5442ae39de9)”: timeout expired waiting for volumes to attach or mount for pod “am-dev”/“azure-vote-front-5bc759676c-7hg5t”.
Last log from istiod -
2020-03-25T10:04:33.132573Z warn k8s.io/client-go@v0.17.2/tools/cache/reflector.go:105: watch of *v1.ConfigMap ended with: too old resource version: 2764317 (2764517)
list of unmounted volumes=[istiod-ca-cert]. list of unattached volumes=[default-token-58r9k istio-envoy podinfo istio-token istiod-ca-cert]
Warning FailedMount 3m57s (x33 over 54m) kubelet, aks-linuxpool02-21909056-vmss000000 MountVolume.SetUp failed for volume “istiod-ca-cert” : configmap “istio-ca-root-cert” not found
[ x] Configuration Infrastructure [ ] Docs [ ] Installation [x ] Networking [ ] Performance and Scalability [ ] Policies and Telemetry [ ] Security [ ] Test and Release [ ] User Experience [x ] Developer Infrastructure
New namespace should have configmap “istio-ca-root-cert” and should deploy the app
Steps to reproduce the bug This happened intermittently. In one of the namespace I was able to attach the proxy and once the problem started, further no namespace is working.
Version (include the output of istioctl version --remote
and kubectl version
and helm version
if you used Helm)
Istioctl - client version: 1.5.0
kubectl - server: v1.15.7, client: v1.17.0
How was Istio installed? istioctl
Environment where bug was observed (cloud vendor, OS, etc) Azure Kubernetes Engine
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Reactions: 36
- Comments: 94 (34 by maintainers)
Commits related to this issue
- Properly stop/start namespace controller for leader election Might fix https://github.com/istio/istio/issues/22463, was found during debugging this. https://github.com/istio/istio/pull/21669 made a ... — committed to howardjohn/istio by howardjohn 4 years ago
- Properly stop/start namespace controller for leader election (#22598) Might fix https://github.com/istio/istio/issues/22463, was found during debugging this. https://github.com/istio/istio/pull/2166... — committed to istio/istio by howardjohn 4 years ago
- Add resync period to namespace controllre Attempt to mitigate https://github.com/istio/istio/issues/22463 — committed to howardjohn/istio by howardjohn 4 years ago
- Add resync period to namespace controller (#22606) * Add resync period to namespace controllre Attempt to mitigate https://github.com/istio/istio/issues/22463 * Add update func — committed to istio/istio by howardjohn 4 years ago
- Add resync period to namespace controller (#22606) * Add resync period to namespace controllre Attempt to mitigate https://github.com/istio/istio/issues/22463 * Add update func (cherry picked from... — committed to howardjohn/istio by howardjohn 4 years ago
- Add resync period to namespace controller (#22606) (#22773) * Add resync period to namespace controllre Attempt to mitigate https://github.com/istio/istio/issues/22463 * Add update func (cherry pi... — committed to istio/istio by howardjohn 4 years ago
- Fix namespace configmap controller losing election lock Backport of https://github.com/istio/istio/commit/77304211dc0c75820ab9cd2f2fe03e5d5211edca. I have confirmed this fixes https://github.com/isti... — committed to howardjohn/istio by howardjohn 4 years ago
- Fix namespace configmap controller losing election lock (#23783) Backport of https://github.com/istio/istio/commit/77304211dc0c75820ab9cd2f2fe03e5d5211edca. I have confirmed this fixes https://github... — committed to istio/istio by howardjohn 4 years ago
This issue needs to be re-opened. It definitely can still occur in all versions
I am facing the same issue with
1.5.1
and doing a restart of theistiod
deployment is a valid workaround in the meantime:Is everyone facing this issue on AKS? Seems 4 of the people that have reported it are on azure?
Still facing the same issue in 1.5.6
I have the same issue when I upgrade istio from 1.5.0 (installed by apply helm generated yaml files) to 1.5.4 by apply
istioctl manifest generate
yaml file.I got some thought from the aboved explain. So I check the
istio-leader
.When I see the configmap
istio-leader
in theistio-system
, I found the clue. the old pilot are still the istio-leader, so the new istiod will not became the namespace controller, so the configmapistio-ca-root-cert
was not created in the namespace that was injected.In order to fix this, we shoud make the new istiod become the
istio-leader
, so you can delete the old istio-pilot, or delete theistio-leader
configmap in theistio-system
, and then check if the new istiod is become the new leaderIstio does not yet support ARM which would explain the raspberry pi one
On Sun, Mar 20, 2022, 11:32 AM Greg @.***> wrote:
meet same issue in 1.9.0
I have both a fix and a reproducer. Fix: https://github.com/istio/istio/pull/23783
To reproduce, modify the istio-leader configmap and change holder identity to something else. After a minute or so everything will be broken
I am also getting this error using EKS 1.21 with Istio 1.11.5. Everything works fine, but this error is causing concern for the developers on our platform.
@dkirrane that is a difference issue, root cause is Istiod not starting up. Probably because of https://preliminary.istio.io/docs/ops/best-practices/security/#configure-third-party-service-account-tokens
There are a few PRs merged for this issue (e.g., https://github.com/istio/istio/pull/22598 and https://github.com/istio/istio/pull/22606). Does this issue occur for an Istio binary with these PRs?
Meanwhile, thanks @emedina for sharing a workaround, which restarts the
istiod
deployment through “kubectl -n istio-system rollout restart deployment istiod”.@KIRY4 just update to 1.5.4 and it’s fixed
For docker-desktop, demo
For docker-desktop, trustworthy JWTs are still not enabled. Editing the API server pod config with:
can’t be done as it’s overwritten by the Docker Desktop application continuously.
However, since SDS moved into
istiod
now, it can’t be shut off; despite configuring the IstioOperator CRD like so:For GKE, demo
This error is new:
But then there’s a new port that needs to be opened from GKE master -> 15017, or you’ll get timeouts when deploying VirtualServices.
On the up-side, all tokens are generated and we got it running!!! 🔆
Hi,
We are facing the same issue with 1.5.2 on AKS, our pods are stuck on the Init phase:
using this
IstioOperator
spec:started working again after restarting the
istiod
deployment and our app pods.