High rate of error log messages in webhook #1479
Comments
Same problem here with GKE same version.. any hint? Repeatedly ask their permissions of
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:51:05.866626 1 request.go:942] Request Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/apis/admission.certmanager.k8s.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:generic-garbage-collector","group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"status":{"allowed":false}}
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:51:05.866858 1 round_trippers.go:419] curl -k -v -XPOST -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: image.app_linux-amd64.binary/v0.0.0 (linux/amd64) kubernetes/$Format" -H "Authorization: Bearer ===REDACTED===" 'https://10.0.0.1:443/apis/authorization.k8s.io/v1beta1/subjectaccessreviews'
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:51:05.869323 1 round_trippers.go:438] POST https://10.0.0.1:443/apis/authorization.k8s.io/v1beta1/subjectaccessreviews 201 Created in 2 milliseconds
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:51:05.869344 1 round_trippers.go:444] Response Headers:
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:51:05.869349 1 round_trippers.go:447] Audit-Id: e88095a0-0270-4f61-8bde-084293fd77fd
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:51:05.869352 1 round_trippers.go:447] Content-Type: application/json
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:51:05.869355 1 round_trippers.go:447] Content-Length: 541
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:51:05.869358 1 round_trippers.go:447] Date: Tue, 19 Mar 2019 04:51:05 GMT
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:51:05.869396 1 request.go:942] Response Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/apis/admission.certmanager.k8s.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:generic-garbage-collector","group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"status":{"allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group \"system:authenticated\""}}
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:51:05.869513 1 handler.go:143] admission-server: GET "/apis/admission.certmanager.k8s.io/v1beta1" satisfied by gorestful with webservice /apis/admission.certmanager.k8s.io/v1beta1
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:51:05.869649 1 wrap.go:47] GET /apis/admission.certmanager.k8s.io/v1beta1?timeout=32s: (3.560096ms) 200 [kube-controller-manager/v1.12.5 (linux/amd64) kubernetes/2c44750/system:serviceaccount:kube-system:generic-garbage-collector 10.138.0.5:36816]
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:51:11.017766 1 handler.go:143] admission-server: GET "/apis/admission.certmanager.k8s.io/v1beta1" satisfied by gorestful with webservice /apis/admission.certmanager.k8s.io/v1beta1
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:51:11.021882 1 wrap.go:47] GET /apis/admission.certmanager.k8s.io/v1beta1?timeout=32s: (4.44367ms) 200 [kube-apiserver/v1.12.5 (linux/amd64) kubernetes/2c44750 10.138.0.5:36816]
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:53:48.186497 1 authorization.go:73] Forbidden: "/", Reason: "no RBAC policy matched"
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:53:48.186614 1 wrap.go:47] GET /: (16.766106ms) 403 [Go-http-client/2.0 10.138.0.3:49012]
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:53:48.213175 1 authorization.go:73] Forbidden: "/", Reason: "no RBAC policy matched"
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:53:48.213302 1 wrap.go:47] GET /: (277.07µs) 403 [Go-http-client/2.0 10.138.0.3:49012]
...
And webhook CA certificates warn that webhook issuers are not ready:
kubectl describe certs -n cert-manager
Name: cert-manager-webhook-ca
Namespace: cert-manager
Labels: app=webhook
chart=webhook-v0.7.0
heritage=Tiller
release=cert-manager
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-03-19T04:39:54Z
Generation: 1
Resource Version: 3426022
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/cert-manager/certificates/cert-manager-webhook-ca
UID: 0a5d9d0a-4a01-11e9-9b57-42010a8a0078
Spec:
Common Name: ca.webhook.cert-manager
Duration: 43800h0m0s
Is CA: true
Issuer Ref:
Name: cert-manager-webhook-selfsign
Secret Name: cert-manager-webhook-ca
Status:
Conditions:
Last Transition Time: 2019-03-19T04:41:12Z
Message: Certificate is up to date and has not expired
Reason: Ready
Status: True
Type: Ready
Not After: 2024-03-16T09:53:17Z
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning IssuerNotReady 4m cert-manager Issuer cert-manager-webhook-selfsign not ready
Name: cert-manager-webhook-webhook-tls
Namespace: cert-manager
Labels: app=webhook
chart=webhook-v0.7.0
heritage=Tiller
release=cert-manager
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Certificate
Metadata:
Creation Timestamp: 2019-03-19T04:39:54Z
Generation: 1
Resource Version: 3426017
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/cert-manager/certificates/cert-manager-webhook-webhook-tls
UID: 0a6ffb79-4a01-11e9-9b57-42010a8a0078
Spec:
Dns Names:
cert-manager-webhook
cert-manager-webhook.cert-manager
cert-manager-webhook.cert-manager.svc
Duration: 8760h0m0s
Issuer Ref:
Name: cert-manager-webhook-ca
Secret Name: cert-manager-webhook-webhook-tls
Status:
Conditions:
Last Transition Time: 2019-03-19T04:41:12Z
Message: Certificate is up to date and has not expired
Reason: Ready
Status: True
Type: Ready
Not After: 2020-03-17T09:53:22Z
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Warning IssuerNotReady 4m cert-manager Issuer cert-manager-webhook-ca not ready
But issuers say they are ready:
kubectl describe issuers -n cert-manager
Name: cert-manager-webhook-ca
Namespace: cert-manager
Labels: app=webhook
chart=webhook-v0.7.0
heritage=Tiller
release=cert-manager
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Issuer
Metadata:
Creation Timestamp: 2019-03-19T04:39:54Z
Generation: 1
Resource Version: 3426016
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/cert-manager/issuers/cert-manager-webhook-ca
UID: 0a860cfd-4a01-11e9-9b57-42010a8a0078
Spec:
Ca:
Secret Name: cert-manager-webhook-ca
Status:
Conditions:
Last Transition Time: 2019-03-19T04:41:12Z
Message: Signing CA verified
Reason: KeyPairVerified
Status: True
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal KeyPairVerified 7m (x3 over 7m) cert-manager Signing CA verified
Name: cert-manager-webhook-selfsign
Namespace: cert-manager
Labels: app=webhook
chart=webhook-v0.7.0
heritage=Tiller
release=cert-manager
Annotations: <none>
API Version: certmanager.k8s.io/v1alpha1
Kind: Issuer
Metadata:
Creation Timestamp: 2019-03-19T04:39:54Z
Generation: 1
Resource Version: 3426018
Self Link: /apis/certmanager.k8s.io/v1alpha1/namespaces/cert-manager/issuers/cert-manager-webhook-selfsign
UID: 0a98a1a6-4a01-11e9-9b57-42010a8a0078
Spec:
Self Signed:
Status:
Conditions:
Last Transition Time: 2019-03-19T04:41:12Z
Message:
Reason: IsReady
Status: True
Type: Ready
Events: <none>
What is the problem? |
Same issue here w/ GKE |
😨 |
same here, using on GKE, latest K8S release, cert-manager 0.7.1 |
Similar situation here with cert-manager 0.7.2 on bare metal k8s v1.14.2 on Ubuntu 18.04.2 LTS (docker://18.6.3)
Installation followed exactly https://docs.cert-manager.io/en/latest/getting-started/install.html#installing-with-helm and was installing in a new namespace (cert-manager). |
Issues go stale after 90d of inactivity. |
Stale issues rot after 30d of inactivity. |
This has been addressed #1527 |
@JoshVanL: Closing this issue. |
Describe the bug:
The default recommended config of webhook has --v=12. This outputs several hundred messages/s.
Expected behaviour:
Under normal use no log messages are generated (e.g. log on exceptional or startup only)
Steps to reproduce the bug:
v0.7.0
GKE regional 3-master, 3 node.
The root of the issue is the check of / w/o the RBAC
Even w/ --v=3 we end up with a lot (since those two messages above occur 9 times/s).
This is some sort of health (?) check from kubelet. The IPs match the nodes.
There are 9 clusters of messages per second. W/ the default of --v=12, we end up with more logs like this:
Anything else we need to know?:
Environment details:
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.4", GitCommit:"c27b913fddd1a6c480c229191a087698aa92f0b1", GitTreeState:"clean", BuildDate:"2019-02-28T13:37:52Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.5-gke.5", GitCommit:"2c44750044d8aeeb6b51386ddb9c274ff0beb50b", GitTreeState:"clean", BuildDate:"2019-02-01T23:53:25Z", GoVersion:"go1.10.8b4", Compiler:"gc", Platform:"linux/amd64"}
/kind bug
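One way to measure what drives the message rate described in this issue, as an added example that is not part of the original thread or of cert-manager's code: the Go program below tallies webhook log lines per emitting call site and per second, and counts 403 responses per client IP and path. The names `Summary` and `Summarize` are hypothetical, and the sample input is six lines copied from the log quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Sample input: six lines copied from the webhook log quoted in this issue.
const sampleLog = `[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:51:11.017766 1 handler.go:143] admission-server: GET "/apis/admission.certmanager.k8s.io/v1beta1" satisfied by gorestful with webservice /apis/admission.certmanager.k8s.io/v1beta1
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:51:11.021882 1 wrap.go:47] GET /apis/admission.certmanager.k8s.io/v1beta1?timeout=32s: (4.44367ms) 200 [kube-apiserver/v1.12.5 (linux/amd64) kubernetes/2c44750 10.138.0.5:36816]
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:53:48.186497 1 authorization.go:73] Forbidden: "/", Reason: "no RBAC policy matched"
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:53:48.186614 1 wrap.go:47] GET /: (16.766106ms) 403 [Go-http-client/2.0 10.138.0.3:49012]
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:53:48.213175 1 authorization.go:73] Forbidden: "/", Reason: "no RBAC policy matched"
[cert-manager-webhook-6f58884b96-b4bxp] I0319 04:53:48.213302 1 wrap.go:47] GET /: (277.07µs) 403 [Go-http-client/2.0 10.138.0.3:49012]`

// klog header: severity+MMDD, HH:MM:SS.micros, thread id, file:line], message.
var klogRe = regexp.MustCompile(`(?:^|\s)[IWEF]\d{4} (\d{2}:\d{2}:\d{2})\.\d+\s+\d+ ([^\s:]+:\d+)\] (.*)$`)

// Access-log message: METHOD PATH: (latency) STATUS [user-agent ip:port].
var accessRe = regexp.MustCompile(`^(\w+) (\S+): \([^)]*\) (\d{3}) \[.* ([\d.]+):\d+\]$`)

// Summary is a hypothetical helper type for this example.
type Summary struct {
	BySite   map[string]int // lines per emitting file:line
	BySecond map[string]int // lines per wall-clock second
	Denied   map[string]int // 403 responses per "client-ip path"
}

// Summarize attributes log volume to call sites and counts rejected requests.
func Summarize(log string) Summary {
	s := Summary{map[string]int{}, map[string]int{}, map[string]int{}}
	for _, line := range strings.Split(log, "\n") {
		m := klogRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a klog line, e.g. wrapped command output
		}
		s.BySecond[m[1]]++
		s.BySite[m[2]]++
		if a := accessRe.FindStringSubmatch(m[3]); a != nil && a[3] == "403" {
			s.Denied[a[4]+" "+a[2]]++
		}
	}
	return s
}

func main() {
	s := Summarize(sampleLog)
	fmt.Printf("by call site: %v\nby second: %v\n403 by client and path: %v\n", s.BySite, s.BySecond, s.Denied)
}
```

Run over a full capture, the per-site counts show how much of the volume comes from request and response dumps at high verbosity versus the repeated unauthenticated `GET /` rejections.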