Cilium pod got Init:CreateContainerError on Ubuntu 24.04, k8s 1.30 #32198
Comments
@orimanabu thank you for opening the GH issue. Can you try installing Cilium with:
|
Thank you for your quick response. |
@orimanabu can you send a sysdump for that installation? |
@orimanabu That sysdump doesn't contain the app armor in the daemonset indeed. I've tried it out in a kind cluster running with k8s 1.30 and it seems that it's working for me:
|
I manually edit the DaemonSet and add appArmorProfile, but still no luck.
I'll destroy the cluster and recreate the whole cluster with |
can you also try |
I'm having the same problem with k8s v1.30. Writing "unconfined" instead of "Unconfined" doesn't work:
I'm on Debian 12. |
Same here, small 'u' didn't work.
|
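The capitalization question raised in the comments above, as an added example (not code from this issue, Cilium or CRI-O): in Kubernetes 1.30 the `securityContext.appArmorProfile.type` field takes `Unconfined`, while the legacy per-container annotation takes lowercase `unconfined`. This lint resolves both forms for each container of a pod template and flags invalid or conflicting values; the manifest and its container names are constructed sample data.

```python
ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
FIELD_TYPES = {"RuntimeDefault", "Localhost", "Unconfined"}  # case-sensitive

def annotation_to_field(value):
    """Map a legacy annotation value to the field type, or None if invalid."""
    if value == "runtime/default":
        return "RuntimeDefault"
    if value == "unconfined":
        return "Unconfined"
    if value.startswith("localhost/") and len(value) > len("localhost/"):
        return "Localhost"
    return None

def audit_apparmor(template):
    """Return {container: (effective_type_or_None, [problems])}."""
    annotations = template.get("metadata", {}).get("annotations", {})
    spec = template.get("spec", {})
    pod_type = spec.get("securityContext", {}).get("appArmorProfile", {}).get("type")
    report = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        problems = []
        # A container-level field overrides the pod-level one.
        field = c.get("securityContext", {}).get("appArmorProfile", {}).get("type", pod_type)
        if field is not None and field not in FIELD_TYPES:
            problems.append(f"field type {field!r} not in {sorted(FIELD_TYPES)}")
        raw = annotations.get(ANNOTATION_PREFIX + c["name"])
        legacy = annotation_to_field(raw) if raw is not None else None
        if raw is not None and legacy is None:
            problems.append(f"annotation value {raw!r} is invalid")
        if not problems and field and legacy and field != legacy:
            problems.append(f"field says {field}, annotation says {legacy}")
        report[c["name"]] = (None if problems else (field or legacy), problems)
    return report

# Constructed sample; container names are illustrative, not taken from the issue.
SAMPLE = {
    "metadata": {"annotations": {
        ANNOTATION_PREFIX + "cilium-agent": "unconfined",
        ANNOTATION_PREFIX + "clean-cilium-state": "Unconfined",  # wrong case for an annotation
    }},
    "spec": {"initContainers": [
        {"name": "mount-cgroup",  # wrong case for the field
         "securityContext": {"appArmorProfile": {"type": "unconfined"}}},
        {"name": "clean-cilium-state"},
    ], "containers": [
        {"name": "cilium-agent",
         "securityContext": {"appArmorProfile": {"type": "Unconfined"}}},
    ]},
}

if __name__ == "__main__":
    print(audit_apparmor(SAMPLE))
```

Running the same function over the `spec.template` of a live DaemonSet (exported as JSON) also lists every container that resolves to `Unconfined`, which is worth reviewing before such a setting reaches production.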
I found the line that generates the error message. Don't know if it helps to solve the issue. As it's a line from CRI-O, I think the issue only occurs when using CRI-O as container runtime. Looks like "securityProfile" isn't set correctly. I'm on my phone at the moment, but I think "Unconfined" isn't recognized correctly. |
Can you try with |
This works with some additional configuration:
Additionally I had to set "Unconfined" as CRI-O default AppArmor profile, else the agents fail.
As this affects the whole node, I wouldn't recommend it for production use. |
So cri-o doesn't have a default app armor profile set? |
It has:
https://github.com/cri-o/cri-o/blob/main/docs/crio.8.md
But the profile blocks some things that cilium needs (some /proc things). So the cilium agent crashes. |
Cilium 1.16.0-pre.2 and CRI-O 1.30.0~dev-84.1 (Ubuntu 24.04, K8s 1.30), cilium ds w/"unconfined" annotations as expected:
However, despite Cilium's fix and CRI-O's fix that made it into 1.30.0 release, still seeing:
Only fix seems to be the above. |
Just set up a new cluster yesterday with latest cilium and cri-o. The issue is fixed for me. I don't have to set SecurityContexts or annotations for cilium. I'm just using the default values now. |
Resolved in CRI-O 1.31.0~dev-2.1 for me. |
Is there an existing issue for this?
What happened?
Cilium pod does not start and goes into Init:CreateContainerError.
kubectl describe pod says:
Environment:
Note: control plane is Fedora 40.
Cilium Version
Kernel Version
Kubernetes Version
Regression
No response
Sysdump
cilium-sysdump-20240425-004439.zip
Relevant log output
Anything else?
No response