kubernetes: Sporadic "MountVolume.SetUp failed for volume ... not registered" failures seen in 1.22.0-1.22.8, 1.23.0-1.23.5

I am using AWS EKS in version 1.22 and still seing this issue. Since AWS restricts which Kubernetes versions are available to upgrade to, I do not think I am able to just bump the version and benefit from this fix.

Is there a way to manually fix it while waiting for AWS to actually update the version on their end?

we experience the same issue on openshift 4.9.7 which is based on k8s 1.22.2. we are running a CronJob that mounts custom configmaps and secrets as volumes:

30m         Warning   FailedMount        pod/test-job--1-xmvbp                           MountVolume.SetUp failed for volume "ldap-bind-password" : object "ldap-group-syncer"/"ad-bind-password" not registered
30m         Warning   FailedMount        pod/test-job--1-xmvbp                           MountVolume.SetUp failed for volume "ldap-ca" : object "ldap-group-syncer"/"ldap-ca" not registered
30m         Warning   FailedMount        pod/test-job--1-xmvbp                           MountVolume.SetUp failed for volume "kube-api-access-rrdjh" : [object "ldap-group-syncer"/"kube-root-ca.crt" not registered, object "wuero-ldap-group-syncer"/"openshift-service-ca.crt" not registered]
30m         Warning   FailedMount        pod/test-job--1-xmvbp                           MountVolume.SetUp failed for volume "ldap-sync-volume" : object "ldap-group-syncer"/"ldap-group-syncer" not registered

so i think it’s not only related to kube-root-ca.crt.

the job runs fine, but we see the messages above in the events every time the job is triggered.

the just-released v1.22.9 and v1.23.6 include #107831 - are you able to reproduce the issue on those?

Able to build the k8s kind images myself. Here is how to build kind node image for kubernetes in case anyone interested.

• Confirmed v1.22.9 fixed this bug.

• Confirmed v1.23.6 also fixed this bug.

Thanks a lot for the quick fix!

@zetaab As a workaround, if you don’t need the service account token, then you can disable it using automountServiceAccountToken: false like this:

apiVersion: batch/v1
kind: CronJob
metadata:
  name: example
  namespace: gha-devcloud
spec:
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 1
  jobTemplate:
    spec:
      activeDeadlineSeconds: 600
      backoffLimit: 3
      template:
        spec:
          containers:
          - image: busybox
            imagePullPolicy: Always
            name: guillotine
          dnsPolicy: ClusterFirst
          restartPolicy: OnFailure
          automountServiceAccountToken: false
      ttlSecondsAfterFinished: 180
  schedule: '*/1 * * * *'
  successfulJobsHistoryLimit: 3
  suspend: false

Also, I think the error message in the original issue description is only a warning, so the jobs are still running, just that you get this warning every time.

@zetaab , I executed the steps you provided. I agree with @cmssczy, this failure message is not related to namespace naming. I also got same mount error when I removed - from namespace;

Warning  FailedMount  37s (x3 over 38s)  kubelet            MountVolume.SetUp failed for volume "kube-api-access-dcxzs" : object "ghadevcloud"/"kube-root-ca.crt" not registered

@protosam btw 1.22.8 also does not have the fix introduced in https://github.com/kubernetes/kubernetes/pull/108754 , so likely it won’t fix this issue.

So there are two separate issues we are talking about:

1. configmap/secrets don’t get mounted and pod does not start correctly.
2. We see sporadic “not registered” errors in some cases where pods are deleted and volume-manager is still trying to mount the volume.AFAIK - while sporadic errors are not nice, but it does not prevent pod creation.

From what I can tell issue-1 should be fixed by - https://github.com/kubernetes/kubernetes/pull/107831 . It should no longer prevent any pod startup.

For issue-2 here - we will need https://github.com/kubernetes/kubernetes/pull/107824 or a version of it. But that issue in itself does not prevent pod creation (or deletion). If someone has a way to reproduce a failed pod creation after https://github.com/kubernetes/kubernetes/pull/108754 , please add those steps here.

I’m experiencing the same issue some times for the kube-root-ca.crt and always when the cron-job or the corresponding pod is mounting a configmap with a shell script in it. The warning appears on every run but the job itself runs successful.

My cron-job runs a shell script to update the digitalocean dns record for my domain.

Appears since I upgraded my baremetal k3s cluster to v1.22.3

My errors from above are on both v1.23.8+k3s1 as well as v1.24.2+k3s2, so not fixed.

So basically, the problem that seem to be referenced mostly in this issue (being the MountFailed event though happening during pod termination) seem to actually be a long-standing problem. And this is strictly related to: https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/pod/pod_manager.go#L191-L196

And I think it’s a long-standing issue (maybe we are just triggerring the race more frequently because of some changes now, but I think it was always there).

The problem is that there is no coordination between where this function is called (processing pod/PLEG updates) and the volumemanager (that is simply calling GetPods() and processing the pods, which in the meantime could have been marked as terminated and thus unregistered).

TBH, I’m not yet sure how to fix it nicely. We can try not unregistering pods in that case and rely on the (already existing) mechanism that we stop watching if nothing is accessing given secrets/configmaps for some time. And unregistering will happen on Deletion. But I think this race (although much else probable because we ignore terminating pods and termination takes some time before deletion) exists also in delete path. So I’m wondering if we can make something better here.

same error.

Cronjob cannot get the kube-api-access volume.

While there was a distinct reproducible issue found and fixed already in v1.22.9+, v1.23.6+, and 1.24+, it seems like there is still another issue remaining that produces a similar symptom.

The comment at https://github.com/kubernetes/kubernetes/issues/105204#issuecomment-1264385137 hints that this message might be a symptom of a pod that is failing to start for some other reason.

It would be helpful if someone still observing this symptom in a reproducible way on a version >= 1.22.9, 1.23.6, or 1.24 could open a new issue to track that with the following info:

1. the version you are on
2. the scenario that reproduces the message
3. the impact (is it just an event/message? does it prevent pod startup? does it prevent pod teardown?)

That would help in gathering info related to any remaining issues that surface this message.

Could someone confirm or deny that the bug is fixed in 1.23.8 version?

I can confirm. Don‘t see it on v1.23.8+k3s1

the just-released v1.22.9 and v1.23.6 include https://github.com/kubernetes/kubernetes/pull/107831 - are you able to reproduce the issue on those?

@Morriz, the error observed in my output is still a valid bug that causes configmaps to be unreliable in v1.22.2 specifically and in my testing on k3s, the otomi installation process seems viable from what I’ve observed to replicate the issue in case someone needs to do so.

I’ve got some further testing to do on k3s 1.22.8 later, if I still see issues I will take you up on your offer to help directly, barring the configmap problem still existing. I rank the configmaps working higher than getting otomi installed/working.

@ianhundere can you include the install method and version for Kubernetes? Helps to just verify so it’s not assumed knowledge.

pgo           15s         Normal    Pulled                    pod/pgo-deploy--1-vs8h9                        Container image "registry.developers.crunchydata.com/crunchydata/pgo-deployer:centos8-4.7.1" already present on machine
pgo           15s         Normal    Created                   pod/pgo-deploy--1-vs8h9                        Created container pgo-deploy
pgo           15s         Normal    Started                   pod/pgo-deploy--1-vs8h9                        Started container pgo-deploy
pgo           15s         Normal    SuccessfulCreate          job/pgo-deploy                                 Created pod: pgo-deploy--1-vs8h9
pgo           12s         Warning   FailedMount               pod/pgo-deploy--1-vs8h9                        MountVolume.SetUp failed for volume "kube-api-access-gvtq4" : object "pgo"/"kube-root-ca.crt" not registered
pgo           12s         Warning   FailedMount               pod/pgo-deploy--1-vs8h9                        MountVolume.SetUp failed for volume "deployer-conf" : object "pgo"/"pgo-deployer-cm" not registered

using k3s on arm64

$ kubectl get all --all-namespaces
NAMESPACE     NAME                                          READY   STATUS      RESTARTS   AGE
kube-system   pod/coredns-96cc4f57d-qxp4k                   1/1     Running     0          56m
kube-system   pod/local-path-provisioner-84bb864455-9bs9t   1/1     Running     0          56m
kube-system   pod/helm-install-traefik-crd--1-kxtr2         0/1     Completed   0          56m
kube-system   pod/svclb-traefik-zkd9p                       2/2     Running     0          55m
kube-system   pod/helm-install-traefik--1-4dl5p             0/1     Completed   1          56m
kube-system   pod/metrics-server-ff9dbcb6c-qwfcq            1/1     Running     0          56m
kube-system   pod/traefik-56c4b88c4b-h4rvh                  1/1     Running     0          55m
pgo           pod/pgo-deploy--1-kqnkh                       0/1     Error       0          87s
pgo           pod/pgo-deploy--1-vs8h9                       0/1     Error       0          86s

NAMESPACE     NAME                     TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
default       service/kubernetes       ClusterIP      10.43.0.1      <none>        443/TCP                      56m
kube-system   service/kube-dns         ClusterIP      10.43.0.10     <none>        53/UDP,53/TCP,9153/TCP       56m
kube-system   service/metrics-server   ClusterIP      10.43.100.26   <none>        443/TCP                      56m
kube-system   service/traefik          LoadBalancer   10.43.96.254   10.0.2.15     80:32614/TCP,443:30614/TCP   55m

NAMESPACE     NAME                           DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
kube-system   daemonset.apps/svclb-traefik   1         1         1       1            1           <none>          55m

NAMESPACE     NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
kube-system   deployment.apps/coredns                  1/1     1            1           56m
kube-system   deployment.apps/local-path-provisioner   1/1     1            1           56m
kube-system   deployment.apps/metrics-server           1/1     1            1           56m
kube-system   deployment.apps/traefik                  1/1     1            1           55m

NAMESPACE     NAME                                                DESIRED   CURRENT   READY   AGE
kube-system   replicaset.apps/coredns-96cc4f57d                   1         1         1       56m
kube-system   replicaset.apps/local-path-provisioner-84bb864455   1         1         1       56m
kube-system   replicaset.apps/metrics-server-ff9dbcb6c            1         1         1       56m
kube-system   replicaset.apps/traefik-56c4b88c4b                  1         1         1       55m

NAMESPACE     NAME                                 COMPLETIONS   DURATION   AGE
kube-system   job.batch/helm-install-traefik-crd   1/1           24s        56m
kube-system   job.batch/helm-install-traefik       1/1           26s        56m
pgo           job.batch/pgo-deploy                 0/1           87s        87s

The fact that this is not easily reproducible in a way that prevents successful running of pods makes it seem like a race. Off the top of my head, some possibilities are:

• race between kubelet calling updatePodsInternal and kubelet setting up pod volumes
• race between kubelet removing one pod and adding another that both reference the same configmap (more prevalent in 1.22 with use of shared kube-root-ca.crt by all pods by default

A 1.22 control plane didn’t drive any new behavior in kubelets, but it would have made more use of shared configmap mounts because of the switch to projected service account tokens. An existing bug in 1.20+ kubelets could be exercised more

@zetaab ~Your manifest works fine for me on my 1.23.0-alpha cluster, even with a - in the namespace name, like you have.~ (EDIT: I tried this several days later and now I AM able to reproduce the error even when my namespace doesn’t have a dash. See my more recent comment).

We updated our cluster to 1.22.2

What version was your cluster previously?

I think this could somehow be related to the ServiceAccount admission controller and the Bound Service Account Token Volume.

There was a feature gate that graduated in 1.21 that is supposed to copy the kube-root-ca.crt ConfigMap to every namespace:

A ConfigMap containing a CA bundle used for verifying connections to the kube-apiserver. This feature depends on the RootCAConfigMap feature gate, which publishes a “kube-root-ca.crt” ConfigMap to every namespace. RootCAConfigMap feature gate is graduated to GA in 1.21 and default to true. (This flag will be removed from --feature-gate arg in 1.22)

I wonder if your namespace existed prior to 1.21, that maybe it never got the “kube-root-ca.crt” ConfigMap.

Do you have that ConfigMap in your gha-devcloud namespace?

$ kubectl get cm -A | grep kube-root-ca.crt
dash-test         kube-root-ca.crt                     1      128m
default           kube-root-ca.crt                     1      14d
gha-devcloud      kube-root-ca.crt                     1      121m
kube-node-lease   kube-root-ca.crt                     1      14d
kube-public       kube-root-ca.crt                     1      14d
kube-system       kube-root-ca.crt                     1      14d

If not, you might be able to trigger the rootcacertpublisher by updating your namespace, perhaps by adding an annotation (ie. kubectl annotate ns gha-devcloud foo=bar or something like that). I’m not sure if that will trigger the copy or not. If not, then maybe you can copy it there yourself from the default namespace.