istio: JWT error during manifest apply
$ go run istioctl/cmd/istioctl/main.go manifest apply
This will install the default Istio profile into the cluster. Proceed? (y/N) y
Error: failed to generate and apply manifests, error: failed to generate manifest: failed to determine JWT policy support. Use the --force flag to ignore this: unable to retrieve the complete list of server APIs: metrics.k8s.io/v1beta1: the server is currently unable to handle the request
exit status 1
This is with a 1.14 cluster. Not sure if it’s a k8s version problem because the k8s version check claims that >=1.14 is supported. Regardless, this message is fine for logging but not suitable as a high level user message.
About this issue
- Original URL
- State: closed
- Created 4 years ago
- Comments: 16 (8 by maintainers)
Commits related to this issue
- Make jwt check resiliant to errors Fixes https://github.com/istio/istio/issues/20946 — committed to howardjohn/istio by howardjohn 4 years ago
- Make jwt check resiliant to errors (#21609) Fixes https://github.com/istio/istio/issues/20946 — committed to istio/istio by howardjohn 4 years ago
- Make jwt check resiliant to errors (#21609) Fixes https://github.com/istio/istio/issues/20946 (cherry picked from commit 44bbe614da1455d12433de5d270b1faef5865da0) — committed to howardjohn/istio by howardjohn 4 years ago
- Make jwt check resiliant to errors (#21609) (#21621) Fixes https://github.com/istio/istio/issues/20946 (cherry picked from commit 44bbe614da1455d12433de5d270b1faef5865da0) — committed to istio/istio by howardjohn 4 years ago
We have also encountered this in a k3s cluster. How do we proceed?
K3s: 1.17.3+k3s1
Without
--force
flag Error: failed to apply manifests: failed to generate manifest: failed to determine JWT policy support. Use the --force flag to ignore this: Get https://127.0.0.1:6443/api?timeout=32s: x509: certificate signed by unknown authorityWith force flag Component Base - manifest apply returned the following errors: Error: resources not ready after 5m0s: Get https://127.0.01:6443/api/v1/namespaces/istio-system: x509: certificate signed by unknown authority