kubernetes: kube-proxy/node-proxier clusterrole broken in 1.8

Is this a BUG REPORT or FEATURE REQUEST?: BUG /kind bug

What happened: After upgrading from v1.7.5 to v1.8.0, my kube-proxies (running as static pods) stopped working. kube-proxy log shows:

E1004 13:09:44.836719       1 reflector.go:205] k8s.io/kubernetes/pkg/client/informers/informers_generated/internalversion/factory.go:73: Failed to list *api.Endpoints: endpoints is forbidden: User "system:node-proxier" cannot list endpoints at the cluster scope

What you expected to happen: It should be able to get necessary information to operate

How to reproduce it (as minimally and precisely as possible): Create kube-proxy certs with the following title: /CN=system:node-proxier/O=system:node-proxier

Anything else we need to know?: I tried the following combinations with the same results: CN=system:node-proxier/O=system:node-proxier CN=kube-proxy/O=system:node-proxier CN=system:node-proxier:nodeID/O=system:node-proxier

Environment:

  • Kubernetes version (use kubectl version): v1.8.0
  • Cloud provider or hardware configuration**: none
  • OS (e.g. from /etc/os-release): Ubuntu
  • Kernel (e.g. uname -a):
  • Install tools: kubespray
  • Others:

About this issue

  • Original URL
  • State: closed
  • Created 7 years ago
  • Comments: 16 (10 by maintainers)

Most upvoted comments

The correct cert subject is CN=system:kube-proxy/O=system:node-proxier

+1
mattymo on Oct 4, 2017
Read more comments on GitHub
← kubernetes: Kube-proxy/ipvs;Frequently cannot simultaneous access clusterip and endpoint ip(real server) in pod
kubernetes: kube-push.sh is broken →