Proxy is configured for K8S components after upgrade-cluster.yml #7100

Closed
champtar opened this issue Jan 5, 2021 · 0 comments · Fixed by #7095
Labels
kind/bug Categorizes issue or PR as related to a bug.


champtar commented Jan 5, 2021

After upgrade (upgrade-cluster.yml), proxy variables are set for K8S components.
They are not set after install (cluster.yml) and should not be set, as K8S doesn't need to talk to the outside world.

# grep -ri _proxy /etc
/etc/kubernetes/manifests/kube-apiserver.yaml:    - name: NO_PROXY
/etc/kubernetes/manifests/kube-apiserver.yaml:    - name: no_proxy
/etc/kubernetes/manifests/kube-apiserver.yaml:    - name: HTTP_PROXY
/etc/kubernetes/manifests/kube-apiserver.yaml:    - name: http_proxy
/etc/kubernetes/manifests/kube-apiserver.yaml:    - name: HTTPS_PROXY
/etc/kubernetes/manifests/kube-apiserver.yaml:    - name: https_proxy
/etc/kubernetes/manifests/kube-controller-manager.yaml:    - name: NO_PROXY
/etc/kubernetes/manifests/kube-controller-manager.yaml:    - name: no_proxy
/etc/kubernetes/manifests/kube-controller-manager.yaml:    - name: HTTP_PROXY
/etc/kubernetes/manifests/kube-controller-manager.yaml:    - name: http_proxy
/etc/kubernetes/manifests/kube-controller-manager.yaml:    - name: HTTPS_PROXY
/etc/kubernetes/manifests/kube-controller-manager.yaml:    - name: https_proxy
/etc/kubernetes/manifests/kube-scheduler.yaml:    - name: NO_PROXY
/etc/kubernetes/manifests/kube-scheduler.yaml:    - name: no_proxy
/etc/kubernetes/manifests/kube-scheduler.yaml:    - name: HTTP_PROXY
/etc/kubernetes/manifests/kube-scheduler.yaml:    - name: http_proxy
/etc/kubernetes/manifests/kube-scheduler.yaml:    - name: HTTPS_PROXY
/etc/kubernetes/manifests/kube-scheduler.yaml:    - name: https_proxy

This actually causes issues with webhooks like ingress-nginx

Error: Internal error occurred: failed calling webhook "validate.nginx.ingress.kubernetes.io": Post https://ingress-nginx-controller-admission.ingress-nginx.svc:443/networking/v1beta1/ingresses?timeout=10s: Service Unavailable

Environment:

  • Cloud provider or hardware configuration:
    qemu/kvm/libvirt VMs

  • OS (printf "$(uname -srm)\n$(cat /etc/os-release)\n"):
    Linux 4.18.0-240.1.1.el8_3.x86_64 x86_64
    NAME="CentOS Linux"
    VERSION="8"

  • Version of Ansible (ansible --version):
    ansible 2.9.16

  • Version of Python (python --version):
    Python 3.9.1

Kubespray version (commit) (git rev-parse --short HEAD):
c0fe32c

Network plugin used:
Calico

Full inventory with variables (ansible -i inventory/sample/inventory.ini all -m debug -a "var=hostvars[inventory_hostname]"):
containerd / etcd host

Command used to invoke ansible:
ansible-playbook -i ../ansible-inventories/kubespray/inventory-sj150-master/inventory.ini upgrade-cluster.yml

Output of ansible run:

Anything else do we need to know:
Already working on it in #7095
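
An added example, not part of the original issue or of Kubespray's code: a check that reads the proxy variables from a static pod manifest and reports whether a given host, such as the admission webhook service name in the error above, would be sent through the proxy. The manifest text, proxy URL and NO_PROXY value are constructed, and `bypasses_proxy` is a simplified model of the NO_PROXY matching documented for Go's HTTP client, assumed here to be what the components apply.

```python
import ipaddress
import re

PROXY_NAMES = {"http_proxy", "https_proxy", "no_proxy"}

# Constructed sample: env section of a static pod manifest, not taken from the issue.
SAMPLE_MANIFEST = """\
spec:
  containers:
  - name: kube-apiserver
    env:
    - name: NO_PROXY
      value: 10.0.0.0/8,127.0.0.1,localhost,.cluster.local
    - name: HTTPS_PROXY
      value: http://proxy.example.internal:3128
"""

def proxy_env(manifest_text):
    """Return {lowercased name: value} for proxy variables in the env list."""
    pairs = re.findall(r"-\s+name:\s*(\S+)\s*\n\s*value:\s*(\S*)", manifest_text)
    return {n.lower(): v.strip("'\"") for n, v in pairs if n.lower() in PROXY_NAMES}

def bypasses_proxy(host, no_proxy):
    """Simplified NO_PROXY model: '*', IP, CIDR, domain and its subdomains."""
    host = host.lower().rstrip(".")  # hostname only, without a port
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if entry == "*":
            return True
        if ip is not None:
            try:
                if ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # entry is a domain name, cannot match an IP host
        elif entry.startswith("."):
            if host.endswith(entry):  # leading dot: subdomains only
                return True
        elif entry and (host == entry or host.endswith("." + entry)):
            return True
    return False

def is_proxied(manifest_text, host):
    """True when the manifest sets a proxy and NO_PROXY does not exempt host."""
    env = proxy_env(manifest_text)
    has_proxy = bool(env.get("https_proxy") or env.get("http_proxy"))
    return has_proxy and not bypasses_proxy(host, env.get("no_proxy", ""))
```

With the constructed NO_PROXY value, the short `.svc` service name is not exempted while the `.cluster.local` form and the cluster IP range are, which is the kind of mismatch that makes a webhook call go to the proxy.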

@champtar champtar added the kind/bug Categorizes issue or PR as related to a bug. label Jan 5, 2021
This was referenced Jan 5, 2021
champtar added a commit to champtar/kubespray that referenced this issue Jan 7, 2021
no_proxy is a pain to get right, and having proxy variables present causes issues
(k8s components get proxy configuration after upgrade, see kubernetes-sigs#7100)

It's better to only configure what requires a proxy:
- the runtime (containerd/docker/crio)
- the package manager + apt_key
- the download tasks

Tested with the following clusters
- 4 CentOS 8 nodes
- 1 Ubuntu 20.04 node

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
k8s-ci-robot pushed a commit that referenced this issue Jan 11, 2021
LuckySB pushed a commit to southbridgeio/kubespray that referenced this issue Feb 1, 2021