kubernetes: kubelet fails when cloudprovider openstack is used and should manage loadbalancer security group
Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug @kubernetes/sig-openstack
What happened:
kubelet fails when the Kubernetes master gets started using cloud-provider openstack and the kubeadm init command. journalctl -u kubelet.service says:
kubelet[4653]: I0111 09:10:41.745501 4653 feature_gate.go:220] feature gates: &{{} map[]}
kubelet[4653]: I0111 09:10:41.746039 4653 controller.go:114] kubelet config controller: starting controller
kubelet[4653]: I0111 09:10:41.746343 4653 controller.go:118] kubelet config controller: validating combination of defaults and flags
kubelet[4653]: W0111 09:10:41.765718 4653 cni.go:171] Unable to update cni config: No networks found in /etc/cni/net.d
kubelet[4653]: I0111 09:10:41.771503 4653 server.go:182] Version: v1.9.1
kubelet[4653]: I0111 09:10:41.771577 4653 feature_gate.go:220] feature gates: &{{} map[]}
kubelet[4653]: error: failed to run Kubelet: could not init cloud provider "openstack": warning:
kubelet[4653]: can't store data at section "LoadBalancer", variable "node-security-group"
systemd[1]: kubelet.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: kubelet.service: Unit entered failed state.
systemd[1]: kubelet.service: Failed with result 'exit-code'.
What you expected to happen:
kubelet starts and manages the loadbalancer and its security group.
How to reproduce it (as minimally and precisely as possible):
Set up an instance on Openstack. Place the following cloud-config in /etc/kubernetes/pki/cloud-config:
[Global]
username=***
password=***
auth-url=https://identity.***/v3
tenant-id=***
domain-id=default
[LoadBalancer]
subnet-id=38264923-c60c-48cb-a146-1c707b2b5b8d
create-monitor=true
monitor-delay=10s
monitor-timeout=2000s
monitor-max-retries=3
manage-security-groups=true
node-security-group=cf73c410-7b8c-4e84-95f1-5c42ee8b09f7
And /etc/kubernetes/kubeadm.yaml:
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
kubernetesVersion: v1.9.0
cloudProvider: openstack
apiServerExtraArgs:
cloud-config: /etc/kubernetes/pki/cloud-config
controllerManagerExtraArgs:
cloud-config: /etc/kubernetes/pki/cloud-config
As well as /etc/systemd/system/kubelet.service.d/10-kubeadm.conf:
[Service]
Environment="KUBELET_EXTRA_ARGS=--cloud-provider=openstack --cloud-config=/etc/kubernetes/pki/cloud-config"
Environment="KUBELET_KUBECONFIG_ARGS=--bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --kubeconfig=/etc/kubernetes/kubelet.conf"
Environment="KUBELET_SYSTEM_PODS_ARGS=--pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true"
Environment="KUBELET_NETWORK_ARGS=--network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
Environment="KUBELET_DNS_ARGS=--cluster-dns=10.96.0.10 --cluster-domain=cluster.local"
Environment="KUBELET_AUTHZ_ARGS=--authorization-mode=Webhook --client-ca-file=/etc/kubernetes/pki/ca.crt"
Environment="KUBELET_CADVISOR_ARGS=--cadvisor-port=0"
Environment="KUBELET_CERTIFICATE_ARGS=--rotate-certificates=true --cert-dir=/var/lib/kubelet/pki"
ExecStart=
ExecStart=/usr/bin/kubelet $KUBELET_KUBECONFIG_ARGS $KUBELET_SYSTEM_PODS_ARGS $KUBELET_NETWORK_ARGS $KUBELET_DNS_ARGS $KUBELET_AUTHZ_ARGS $KUBELET_CADVISOR_ARGS $KUBELET_CERTIFICATE_ARGS $KUBELET_EXTRA_ARGS
Run:
sudo systemctl daemon-reload
sudo sysctl net.bridge.bridge-nf-call-iptables=1
sudo kubeadm init --config /etc/kubernetes/kubeadm.yaml > kubeadm.log
For further information:
openstack subnet show 38264923-c60c-48cb-a146-1c707b2b5b8d
+-------------------+--------------------------------------+
| Field | Value |
+-------------------+--------------------------------------+
| allocation_pools | 192.168.0.2-192.168.0.254 |
| cidr | 192.168.0.0/24 |
| created_at | 2018-01-11T08:58:13Z |
| description | |
| dns_nameservers | 8.8.8.8 |
| enable_dhcp | True |
| gateway_ip | 192.168.0.1 |
| host_routes | |
| id | 38264923-c60c-48cb-a146-1c707b2b5b8d |
| ip_version | 4 |
| ipv6_address_mode | None |
| ipv6_ra_mode | None |
| name | idcp-subnet |
| network_id | ecec1d3c-cd2b-4be1-86cc-99ed50be4ca2 |
| project_id | a53498e42330492b8d4e335abbac17cb |
| revision_number | 2 |
| segment_id | None |
| service_types | |
| subnetpool_id | None |
| tags | |
| updated_at | 2018-01-11T08:58:13Z |
+-------------------+--------------------------------------+
openstack security group show cf73c410-7b8c-4e84-95f1-5c42ee8b09f7
+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at | 2018-01-11T08:58:07Z |
| description | kubernetes loadbalancer security group |
| id | cf73c410-7b8c-4e84-95f1-5c42ee8b09f7 |
| name | idcp-k8s-loadbalancer |
| project_id | a53498e42330492b8d4e335abbac17cb |
| revision_number | 5 |
| rules | created_at='2018-01-11T08:58:07Z', direction='egress', ethertype='IPv4', id='12208e2d-ed36-4815-8a07-688b66adbcd7', revision_number='1', updated_at='2018-01-11T08:58:07Z' |
| | created_at='2018-01-11T08:58:07Z', direction='egress', ethertype='IPv6', id='75ecfee2-1e95-4201-853d-c62cbb89e11d', revision_number='1', updated_at='2018-01-11T08:58:07Z' |
| | created_at='2018-01-11T09:08:36Z', direction='ingress', ethertype='IPv4', id='77cc3d8f-6cbc-4562-bf18-673f19003ca9', protocol='icmp', remote_ip_prefix='0.0.0.0/0', revision_number='1', updated_at='2018-01-11T09:08:36Z' |
| | created_at='2018-01-11T09:08:37Z', direction='ingress', ethertype='IPv4', id='4676c190-51b5-4b2c-b35a-d5762ad0c65e', port_range_max='443', port_range_min='443', protocol='tcp', remote_ip_prefix='0.0.0.0/0', revision_number='1', updated_at='2018-01-11T09:08:37Z' |
| | created_at='2018-01-11T09:08:37Z', direction='ingress', ethertype='IPv4', id='7b126e96-5fa7-454b-a9eb-ae11b07a71b5', port_range_max='80', port_range_min='80', protocol='tcp', remote_ip_prefix='0.0.0.0/0', revision_number='1', updated_at='2018-01-11T09:08:37Z' |
| updated_at | 2018-01-11T09:08:37Z |
+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Environment:
- Kubernetes version (use kubectl version): 1.9.1
- Cloud provider or hardware configuration: Openstack
- OS (e.g. from /etc/os-release): Ubuntu 16.04.3 LTS
- Kernel (e.g. uname -a): x86_64
- Install tools: kubeadm
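The kubelet log in the report shows a config error that only surfaces when the cloud provider is initialised, i.e. after kubeadm has already started the node. The following pre-flight check is an added example (not part of the issue or of the Kubernetes code base): it parses the INI-style cloud-config, reproduces the strict "every key must map to a known field" rule behind the "can't store data at section ..., variable ..." failure, and checks that subnet-id is a UUID. The accepted key set is an assumption reconstructed from the report's own config and log (node-security-group being the key v1.9.1 refused); it is not the provider's authoritative schema.

```python
import configparser
import re

# ASSUMED accepted keys: those in the report's config that the kubelet log did
# not reject (node-security-group is the one v1.9.1 refused). This is a
# reconstruction for the example, not the cloud provider's real schema.
ACCEPTED_KEYS = {
    "Global": {"username", "password", "auth-url", "tenant-id", "domain-id"},
    "LoadBalancer": {"subnet-id", "create-monitor", "monitor-delay",
                     "monitor-timeout", "monitor-max-retries",
                     "manage-security-groups"},
}
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def check_cloud_config(text):
    """Return the problems a strict INI-to-struct loader would raise; [] means OK."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str  # keep key case exactly as written
    cfg.read_string(text)
    problems = []
    for section in cfg.sections():
        known = ACCEPTED_KEYS.get(section)
        if known is None:
            problems.append(f"unknown section {section!r}")
            continue
        for key in cfg[section]:
            if key not in known:
                # Same condition that made kubelet exit in the report.
                problems.append(f"can't store data at section {section!r}, variable {key!r}")
    if cfg.has_option("LoadBalancer", "subnet-id") and not UUID_RE.match(cfg["LoadBalancer"]["subnet-id"]):
        problems.append("LoadBalancer.subnet-id is not a UUID")
    return problems

# Constructed sample: the report's cloud-config with credentials redacted.
REPORT_CONFIG = """\
[Global]
username=redacted
password=redacted
auth-url=https://identity.example.invalid/v3
domain-id=default
[LoadBalancer]
subnet-id=38264923-c60c-48cb-a146-1c707b2b5b8d
manage-security-groups=true
node-security-group=cf73c410-7b8c-4e84-95f1-5c42ee8b09f7
"""

if __name__ == "__main__":
    for problem in check_cloud_config(REPORT_CONFIG):
        print(problem)
```

Run it before kubeadm init; a non-empty result is the same condition that would otherwise take kubelet down at start.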
About this issue
- State: closed
- Created 6 years ago
- Reactions: 2
- Comments: 33 (4 by maintainers)
Commits related to this issue
- The lbaas.opts.SubnetId should be set by subnet id. Fix #58145 The getSubnetIDForLB() should return subnet id rather than net id. — committed to FengyunPan/kubernetes by FengyunPan2 6 years ago
- Merge pull request #58208 from FengyunPan/fix-autoprobe-subnet Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="htt... — committed to kubernetes/kubernetes by deleted user 6 years ago
- Fix non-interface type ErrResourceNotFound on left Related to #58145 The gophercloud.ErrResourceNotFound is not a interface, so should use reflect to get its type then do a check. — committed to FengyunPan/kubernetes by FengyunPan2 6 years ago
- Merge pull request #58560 from FengyunPan/fix-ErrResourceNotFound Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="... — committed to kubernetes/kubernetes by deleted user 6 years ago
- Merge pull request #65373 from multi-io/openstack_lbaas_node_secgroup_fix Automatic merge from submit-queue (batch tested with PRs 65449, 65373, 49410). If you want to cherry-pick this change to anot... — committed to kubernetes/kubernetes by deleted user 6 years ago
- Enable security group management in OpenStack cloud provider When the OpenStack cloud provider is enabled, all cloud load balancer instances created to reflect LoadBalancer type services are automati... — committed to stefannica/skuba by stefannica 4 years ago
- [terraform] Enable security group management in CPI config When the OpenStack cloud provider is enabled, all cloud load balancer instances created to reflect LoadBalancer type services are automatica... — committed to stefannica/skuba by stefannica 4 years ago
- [caasp4os] Enable security group management in CPI config When the OpenStack cloud provider is enabled, all cloud load balancer instances created to reflect LoadBalancer type services are automatical... — committed to stefannica/catapult by stefannica 4 years ago
- [terraform] Enable security group management in CPI config (#1182) When the OpenStack cloud provider is enabled, all cloud load balancer instances created to reflect LoadBalancer type services are ... — committed to SUSE/skuba by stefannica 4 years ago
@FengyunPan Any updates on this?
@FengyunPan I just tried to use this feature in kubernetes 1.10.2 and it still seems to be broken. The security groups do not get created and the service creation is stuck at pending without an ip address. I used this configuration and I also tried all the alternatives listed here.
Either nothing gets created or the controller-manager crashes if I add node-security-group.
Hi, how is it going? I’ve deployed k8s 1.9.5 on OpenStack with kubespray and I’m struggling with this issue. If I do not set manage-security-groups or node-security-group the LBAAS is created but it’s not assigned to any Security Group. So, the service is not reachable from the outside world. I can fix it by hand creating the Security Group and assigning it to the VIP. If I do set node-security-group, kubelet fails to start. According to docs it’s a valid parameter… (?) And finally, if I do as @krlng in his last comment, the LBAAS remains in a PENDING state forever… Well, I wonder if there is any workaround to deal with this… I presume you’re working on the fix, aren’t you? Any information will be appreciated. Thanks
@ishaniGupta27 I ran into the same issue. It seems to be related to how k8s’ openstack driver deals with adding floating ips to the LB. For now I set the lb to internal in the service metadata then manually associate a floating ip. This could also be a queens magnum issue not providing all required cloud config info. I am not sure yet.
@nordri I’m hitting the same issue as yours with openstack loadbalancer with 1.9.4. Anyone know if https://github.com/kubernetes/kubernetes/pull/58560 fixes this issue? If so, when will it be part of a release?
Oh, I see. Oops, should get ‘sub network id’, not ‘network id’. I will fix it soon.
@FengyunPan Can you please comment?
/assign @FengyunPan