kubeadm injects broken no_proxy environment variables into /etc/kubernetes/manifests/kube-*.yaml #6250
I worked around the issue with the following patch which I use on my private fork but I welcome a proper PR for this issue.
$ git diff HEAD^
diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml
index d3412855..cb840811 100644
--- a/roles/kubernetes/master/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml
@@ -150,6 +150,12 @@
failed_when: kubeadm_init.rc != 0 and "field is immutable" not in kubeadm_init.stderr
environment:
PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}"
+ http_proxy: "{{ http_proxy | default('') }}"
+ HTTP_PROXY: "{{ http_proxy | default('') }}"
+ https_proxy: "{{ https_proxy | default('') }}"
+ HTTPS_PROXY: "{{ https_proxy | default('') }}"
+ no_proxy: "{{ no_proxy | default('') }}"
+ NO_PROXY: "{{ no_proxy | default('') }}"
notify: Master | restart kubelet
- name: set kubeadm certificate key |
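Review bot: the `default('')` fallbacks on the six entries added under `environment:` mean that a run with no proxy defined still exports http_proxy, https_proxy and no_proxy to the kubeadm command as empty strings instead of leaving them unset; consider adding the entries only when a proxy is actually configured. Separately, `no_proxy: "{{ no_proxy | default('') }}"` passes the variable through unchanged, so the fix only holds if that value already contains the kube_pod_subnet and kube_service_addresses ranges; nothing in this hunk shows that, and a comment or an assertion to that effect would help. The upper-case and lower-case pairs also repeat the same three expressions and could come from one shared dict.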
Great job! I have the same issue, but your workaround doesn't help me. I don't use a proxy, but I get the same message from metrics-server as you. Do you have any idea how to fix this?
Bug description
When deploying a k8s cluster with kubespray on proxy environments, the "kubeadm | Initialize first master" task does not pass ansible proxy environment variables to kubeadm init, resulting in kubeadm init generating files in /etc/kubernetes/manifests/kube-*.yaml with broken proxy environment variables.

In particular, the no_proxy value injected by kubeadm init does not include the kube_pod_subnet and kube_service_addresses ranges, resulting in the apiserver trying to use the proxy to contact services/pods running on the internal cluster. This breaks use of custom apiservices such as the metrics server or the prometheus adapter.

How to reproduce
First, set up the inventory:
- http_proxy=http://10.0.3.84:3128 and https_proxy=http://10.0.3.84:3128 (replace with the actual http proxy URL)
- metrics_server_enabled=true

Before provisioning the target nodes, pre-populate the /etc/profile.d/proxy.sh file on each node so that shell commands are aware of the http proxy:

Finally, run ansible to provision the k8s cluster as usual. Provisioning should succeed (see https://gist.github.com/jperville/ea721eb1d3bf877345fc91fbcda88a58#file-02-ansible-log).
However, if we check the output of kubectl get apiservices we can see that the metrics server is broken.

The reason is that kube-apiserver tries to go through the https_proxy to contact the apiservice pod using its cluster IP. Since the IP is not listed in the kube-apiserver no_proxy environment variable, the traffic goes nowhere.
This can be seen by checking the no_proxy environment variable value in /etc/kubernetes/manifests/kube-*.yaml :
To compare, the docker/crio systemd override has the proper value (which includes the kube_pod_subnet and kube_kube_service_addresses ranges) for no_proxy:
Environment
Running ansible from Ubuntu 18.04 workstation to provision k8s on a Vagrant VM running Centos 7.
(printf "$(uname -srm)\n$(cat /etc/os-release)\n"):
(ansible --version):
(python --version): Python 2.7.17
Kubespray version (commit) (git rev-parse --short HEAD): 81292f9c
Network plugin used: calico
Full inventory with variables (ansible -i inventory/sample/inventory.ini all -m debug -a "var=hostvars[inventory_hostname]"): See https://gist.github.com/jperville/ea721eb1d3bf877345fc91fbcda88a58#file-01-ansible-vars
Command used to invoke ansible:
Output of ansible run:
See https://gist.github.com/jperville/ea721eb1d3bf877345fc91fbcda88a58#file-02-ansible-log
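A check for the condition this issue describes, added here as an example (it is not code from the issue or from kubespray): it reads the no_proxy value out of a static pod manifest and reports which cluster ranges that value fails to cover. The manifest text and the two CIDRs are constructed sample values, the function names are hypothetical, and it assumes the client honours CIDR entries in no_proxy.

```python
import ipaddress
import re

# Constructed sample: env section of a static pod manifest (illustrative values).
SAMPLE_MANIFEST = """\
spec:
  containers:
  - command:
    - kube-apiserver
    env:
    - name: no_proxy
      value: localhost,127.0.0.1,10.0.3.0/24,.svc,.cluster.local
    - name: https_proxy
      value: http://10.0.3.84:3128
"""

# Constructed sample ranges; substitute the kube_service_addresses and
# kube_pod_subnet values from your own inventory.
SERVICE_CIDR = "10.233.0.0/18"
POD_CIDR = "10.233.64.0/18"


def no_proxy_entries(manifest_text):
    """Return the entries of the first no_proxy/NO_PROXY env value found."""
    m = re.search(r'-\s*name:\s*no_proxy\s*\n\s*value:\s*"?([^"\n]*)',
                  manifest_text, re.IGNORECASE)
    return [e.strip() for e in m.group(1).split(",") if e.strip()] if m else []


def uncovered_cidrs(entries, required_cidrs):
    """Return the required CIDRs not contained in any IP/CIDR entry."""
    nets = []
    for entry in entries:
        try:
            # A bare IP parses as a /32 (or /128) network.
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # hostname/domain-suffix entries are skipped here
    missing = []
    for cidr in required_cidrs:
        want = ipaddress.ip_network(cidr)
        if not any(want.version == n.version and want.subnet_of(n) for n in nets):
            missing.append(cidr)
    return missing


if __name__ == "__main__":
    found = no_proxy_entries(SAMPLE_MANIFEST)
    print("not covered by no_proxy:", uncovered_cidrs(found, [SERVICE_CIDR, POD_CIDR]))
```

Run it against each /etc/kubernetes/manifests/kube-*.yaml file; an empty result means cluster-IP traffic from that component is exempt from the proxy.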