Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New seed bootstrap tokens cannot be created for existing seeds #4687

Closed
vpnachev opened this issue Sep 18, 2021 · 3 comments · Fixed by #4740
Closed

New seed bootstrap tokens cannot be created for existing seeds #4687

vpnachev opened this issue Sep 18, 2021 · 3 comments · Fixed by #4740
Assignees
@rfranzke
Labels
area/ops-productivity Operator productivity related (how to improve operations) area/robustness Robustness, reliability, resilience related kind/bug Bug priority/3 Priority (lower number equals higher priority)

Comments

@vpnachev
Copy link
Member

How to categorize this issue?

/area robustness ops-productivity
/kind bug
/priority 3

What happened:
The client certificate of one of the managedseed clusters has expired and it has not been renewed on purpose.
Then, the parent gardenlet can create new bootstrap token and let the child seed use it to request new certificate. According to the code

gardener/pkg/gardenlet/controller/managedseed/managedseed_actuator.go

Lines 687 to 694 in 981aa35

isAlreadyBootstrapped, err := isAlreadyBootstrapped(ctx, shootClient.Client(), gcc.KubeconfigSecret)
if err != nil {
return "", err
}
if isAlreadyBootstrapped {
return "", nil
}
, to trigger this action the secret from gardenClientConnection.kubeconfigSecret of the child seeds must not exist. I have deleted it, but then the parent gardenlet is failing to generate the token with error like

could not deploy gardenlet into shoot garden/foo: secrets "bootstrap-token-5111ca" is forbidden: User "gardener.cloud:system:seed:bar" cannot get resource "secrets" in API group "" in the namespace "kube-system": no relationship found between seed ''bar' and this object

This gardener landscape has the SeedAuthorizer enabled and it is indeed rejecting the request with

{"level":"info","ts":"2021-09-18T06:46:45.704Z","logger":"seedauthorizer","msg":"SEED DENY: 'bar' authorizer.AttributesRecord{User:(*user.DefaultInfo)(0xc001db1e40), Verb:\"get\", Namespace:\"kube-system\", APIGroup:\"\", APIVersion:\"v1\", Resource:\"secrets\", Subresource:\"\", Name:\"bootstrap-token-5111ca\", ResourceRequest:true, Path:\"\"}"}

What you expected to happen:
A new bootstrap token to be successfully generated and gardenlet re-deployed.

How to reproduce it (as minimally and precisely as possible):

Anything else we need to know?:

Environment:

  • Gardener version: 981aa35
  • Kubernetes version (use kubectl version):
  • Cloud provider or hardware configuration:
  • Others:
@vpnachev vpnachev added the kind/bug Bug label Sep 18, 2021
@gardener-robot gardener-robot added area/ops-productivity Operator productivity related (how to improve operations) area/robustness Robustness, reliability, resilience related priority/3 Priority (lower number equals higher priority) labels Sep 18, 2021
@rfranzke
Copy link
Member

There is no way to know for the SeedAuthorizer that the gardenlet's client certificate might be expired. We might want to think about an annotation which can be set by an operator to allow such calls again.

@rfranzke
Copy link
Member

/assign

@timebertt
Copy link
Member

This gist provides a script to manually rebootstrap an existing seed as a workaround for this issue.

@rfranzke rfranzke mentioned this issue Sep 28, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rfranzke rfranzke

Labels
area/ops-productivity Operator productivity related (how to improve operations) area/robustness Robustness, reliability, resilience related kind/bug Bug priority/3 Priority (lower number equals higher priority)
Projects
None yet
Milestone
No milestone
4 participants
@vpnachev @rfranzke @timebertt @gardener-robot