linkerd2: Unable to use Linkerd-CNI

What is the issue?

When Linkerd is installed with CNI enabled, Pod sandboxes fail to create.

How can it be reproduced?

linkerd install-cni | kubectl apply -f -
linkerd install --linkerd-cni-enabled | kubectl apply -f -

Logs, error output, etc

  Normal   Scheduled               37s   default-scheduler  Successfully assigned linkerd/linkerd-destination-54c8fb86c8-gwz6k to talos-192-168-122-140
  Warning  FailedCreatePodSandBox  36s   kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "c0b4a8286046ccbfd565b4d74731bd12b43b5a6b5ad43558f5d3f30d198ad517": plugin type="linkerd-cni" name="linkerd-cni" failed (add): exec: "nsenter": executable file not found in $PATH
  Warning  FailedCreatePodSandBox  25s   kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "bb75adddf6aa1a08bf372c422257b5fcf70c5aa4d510a78f82c5c17f361b3c55": plugin type="linkerd-cni" name="linkerd-cni" failed (add): exec: "nsenter": executable file not found in $PATH
  Warning  FailedCreatePodSandBox  9s    kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "5f159b05d91979644c44d84aa8f384295721e42e8802439649f6a9cbaeef7c2f": plugin type="linkerd-cni" name="linkerd-cni" failed (add): exec: "nsenter": executable file not found in $PATH

output of linkerd check -o short

Linkerd core checks
===================

linkerd-existence
-----------------
× control plane pods are ready
    No running pods for "linkerd-destination"
    see https://linkerd.io/2/checks/#l5d-api-control-ready for hints

Status check results are ×

Environment

  • Kubernetes Version: v1.23.3
  • Cluster Environment: Bare metal
  • Host OS: Talos v0.15.0-alpha.2
  • Linkerd version: edge-22.2.2

Possible solution

No response

Additional context

Using Cilium as the CNI. Using Flannel makes no difference.

This happens both on amd64 in a VM and arm64 on Raspberry Pis.

My goal is to improve app start time by using the CNI plugin instead of the init containers.

If I run

linkerd upgrade --linkerd-cni-enabled=false | kubectl apply -f -

the CNI isn’t used, and Linkerd Pods return back healthly.

Would you like to work on fixing this bug?

No response

About this issue

  • Original URL
  • State: open
  • Created 2 years ago
  • Reactions: 5
  • Comments: 17 (6 by maintainers)

Most upvoted comments

For the record, yup, we are looking into this…

+3
kflynn on Oct 26, 2023
Read more comments on GitHub
← linkerd2: Transient OpenSSL errors when Linkerd is injected (no peer certificate available) (SSLv3/TLS write client hello)
linkerd2: Unexpected behavior change on ingress injected pods in v2.13.x →