Unable to create a Shoot when ManagedIstio and APIServerSNI feature gates are disabled #536

Open
ialidzhikov opened this issue Apr 19, 2022 · 0 comments
Labels
area/quality Output qualification (tests, checks, scans, automation in general, etc.) related kind/bug Bug lifecycle/rotten Nobody worked on this for 12 months (final aging stage) platform/aws Amazon web services platform/infrastructure

Comments

@ialidzhikov

/area quality
/kind bug
/platform aws

What happened:
It is currently not possible to create a Shoot with aws-lb-readvertiser (ManagedIstio and APIServerSNI feature gates are disabled).

What you expected to happen:
To be able to create a Shoot when ManagedIstio and APIServerSNI feature gates are disabled.

How to reproduce it (as minimally and precisely as possible):

  1. Start gardenlet with the ManagedIstio and APIServerSNI feature gates disabled.

  2. Create a Shoot.

  3. Make sure that the Shoot creation fails while waiting for the VPN connection to be established.

After investigation we see that the kubernetes.default svc does not have any endpoint:

```
$ k get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.223.0.1   <none>        443/TCP   6m1s

$ k get ep
No resources found in default namespace.
```

Logs of aws-lb-readvertiser:

```
E0419 12:42:48.181163       1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:aws-lb-readvertiser" cannot list resource "endpoints" in API group "" at the cluster scope
E0419 12:43:24.612774       1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:aws-lb-readvertiser" cannot list resource "endpoints" in API group "" at the cluster scope
E0419 12:44:06.036715       1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:aws-lb-readvertiser" cannot list resource "endpoints" in API group "" at the cluster scope
E0419 12:44:45.580903       1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:aws-lb-readvertiser" cannot list resource "endpoints" in API group "" at the cluster scope
E0419 12:45:29.654929       1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:aws-lb-readvertiser" cannot list resource "endpoints" in API group "" at the cluster scope
E0419 12:46:08.150211       1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:aws-lb-readvertiser" cannot list resource "endpoints" in API group "" at the cluster scope
```

Anything else we need to know?:

Environment:

  • Gardener version (if relevant):
  • Extension version: v1.34.4
  • Kubernetes version (use kubectl version):
  • Cloud provider or hardware configuration:
  • Others:
@ialidzhikov ialidzhikov added the kind/bug Bug label Apr 19, 2022
@gardener-robot gardener-robot added area/quality Output qualification (tests, checks, scans, automation in general, etc.) related platform/aws Amazon web services platform/infrastructure labels Apr 19, 2022
@gardener-robot gardener-robot added the lifecycle/stale Nobody worked on this for 6 months (will further age) label Oct 17, 2022
@gardener-robot gardener-robot added lifecycle/rotten Nobody worked on this for 12 months (final aging stage) and removed lifecycle/stale Nobody worked on this for 6 months (will further age) labels Jun 26, 2023
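
The retry loop in the aws-lb-readvertiser logs above repeats one RBAC denial; as an added example (not part of the original issue or of the project's code), this Go sketch folds such reflector errors into one entry per missing permission so the subject, verb, resource and scope are visible at a glance. The names `Denial`, `SummarizeDenials` and `sampleLog` are hypothetical, and the pattern also accepts the namespace-scoped form of the same API server message, which does not occur in this report.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Denial is one distinct RBAC refusal; Count is how often it was logged.
type Denial struct {
	User, Verb, Resource, APIGroup, Scope string
	Count                                 int
}

// forbiddenRE matches the authorization error text carried in the reflector errors.
var forbiddenRE = regexp.MustCompile(`User "([^"]+)" cannot (\w+) resource "([^"]+)" ` +
	`in API group "([^"]*)" (at the cluster scope|in the namespace "[^"]+")`)

// SummarizeDenials folds repeated retries into one entry per missing permission.
func SummarizeDenials(logText string) []Denial {
	index := map[string]int{} // denial key -> position in out
	var out []Denial
	for _, line := range strings.Split(logText, "\n") {
		m := forbiddenRE.FindStringSubmatch(line)
		if m == nil {
			continue // not an RBAC denial
		}
		key := strings.Join(m[1:], "|")
		if i, seen := index[key]; seen {
			out[i].Count++
			continue
		}
		index[key] = len(out)
		out = append(out, Denial{m[1], m[2], m[3], m[4], m[5], 1})
	}
	return out
}

// sampleLog: two lines copied from the report above plus one constructed, unrelated line.
const sampleLog = `E0419 12:42:48.181163       1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:aws-lb-readvertiser" cannot list resource "endpoints" in API group "" at the cluster scope
I0419 12:43:00.000000       1 main.go:1] constructed line that is not a denial
E0419 12:43:24.612774       1 reflector.go:178] k8s.io/client-go/informers/factory.go:135: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:aws-lb-readvertiser" cannot list resource "endpoints" in API group "" at the cluster scope`

func main() {
	for _, d := range SummarizeDenials(sampleLog) {
		fmt.Printf("%+v\n", d)
	}
}
```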