istio: JWT error during manifest apply

$ go run istioctl/cmd/istioctl/main.go manifest apply
This will install the default Istio profile into the cluster. Proceed? (y/N) y
Error: failed to generate and apply manifests, error: failed to generate manifest: failed to determine JWT policy support. Use the --force flag to ignore this: unable to retrieve the complete list of server APIs: metrics.k8s.io/v1beta1: the server is currently unable to handle the request
exit status 1

This is with a 1.14 cluster. Not sure if it’s a k8s version problem because the k8s version check claims that >=1.14 is supported. Regardless, this message is fine for logging but not suitable as a high level user message.

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 16 (8 by maintainers)

Commits related to this issue

Most upvoted comments

We have also encountered this in a k3s cluster. How do we proceed?

K3s: 1.17.3+k3s1

Without --force flag Error: failed to apply manifests: failed to generate manifest: failed to determine JWT policy support. Use the --force flag to ignore this: Get https://127.0.0.1:6443/api?timeout=32s: x509: certificate signed by unknown authority

With force flag Component Base - manifest apply returned the following errors: Error: resources not ready after 5m0s: Get https://127.0.01:6443/api/v1/namespaces/istio-system: x509: certificate signed by unknown authority