
Failed to create load balancer: User "system:kube-controller-manager" cannot create configmaps in the namespace "kube-system". #425

Closed
Dirbaio opened this issue Sep 6, 2017 · 10 comments · Fixed by kubernetes/kubernetes#52376
Labels: kind/bug

Dirbaio commented Sep 6, 2017

Is this a BUG REPORT or FEATURE REQUEST?

BUG REPORT

Versions

kubeadm version 1.7.5

Environment:

  • Kubernetes version: 1.7.5
  • Cloud provider or hardware configuration: GCE (with multizone on)
  • OS: Ubuntu 16.04
  • Kernel: Linux vk-prod4-master 4.10.0-32-generic #36~16.04.1-Ubuntu SMP Wed Aug 9 09:19:02 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
  • Others: Calico networking

What happened?

  • Deployed k8s master like this:
cat > kubeadm.yaml <<EOF
apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
api:
  advertiseAddress: $MASTER_HOSTNAME
  bindPort: 443
networking:
  serviceSubnet: 10.1.0.0/16
  podSubnet: 10.0.0.0/16
kubernetesVersion: v1.7.5
cloudProvider: gce
apiServerExtraArgs:
  runtime-config: batch/v2alpha1=true
  oidc-client-id: BLAHBLAHBLAH.apps.googleusercontent.com  # beta
  oidc-issuer-url: https://accounts.google.com
  oidc-username-claim: email
controllerManagerExtraArgs:
  configure-cloud-routes: "true"
apiServerCertSANs:
- $CLUSTER_NAME.example.com
token: $CLUSTER_TOKEN
EOF

# --skip-preflight-checks because kubeadm doesn't like docker overlay2 yet
kubeadm init --skip-preflight-checks --config kubeadm.yaml
  • Deployed k8s node like this:
kubeadm join \
    --skip-preflight-checks \
    --token $CLUSTER_TOKEN \
    $MASTER_HOST:443
  • Everything in the cluster comes up fine and healthy.
  • Created a LoadBalancer service like this:
apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress
  namespace: nginx-ingress
spec:
  ports:
    - name: http
      port: 80
    - name: https
      port: 443
  selector:
    app: nginx-ingress
  type: LoadBalancer
  externalTrafficPolicy: Local
  loadBalancerIP: X.Y.Z.W
  • Waited a bit.
  • The load balancer fails to be created. kubectl describe svc shows the events below (see also the log-checking commands after this list):
  FirstSeen	LastSeen	Count	From			SubObjectPath	Type		Reason				Message
  ---------	--------	-----	----			-------------	--------	------				-------
  1m		15s		5	service-controller			Normal		CreatingLoadBalancer		Creating load balancer
  1m		15s		5	service-controller			Warning		CreatingLoadBalancerFailed	Error creating load balancer (will retry): Failed to create load balancer for service nginx-ingress/nginx-ingress: User "system:kube-controller-manager" cannot create configmaps in the namespace "kube-system". (post configmaps)
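
The same denial also shows up in the kube-controller-manager logs on the master. Assuming kubeadm's default static-pod labels, something along these lines retrieves them (the pod name is node-specific):

```sh
# Find the controller-manager pod, then dump its log.
kubectl -n kube-system get pods -l component=kube-controller-manager
kubectl -n kube-system logs kube-controller-manager-<master-node-name>
```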

What you expected to happen?

Load balancer gets created successfully.

How to reproduce it (as minimally and precisely as possible)?

See above

Anything else we need to know?

This seems to be caused by missing RBAC roles/bindings. As a workaround, applying the following and recreating the service makes it work:

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: rbac-fix
  namespace: kube-system
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - "*"
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: rbac-fix
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rbac-fix
subjects:
- kind: User
  name: system:kube-controller-manager
  namespace: kube-system
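
For completeness, one way to apply this workaround (the file names here are placeholders, not from the original setup):

```sh
# Apply the Role/RoleBinding above, then recreate the Service so the
# service controller retries creating the load balancer.
kubectl apply -f rbac-fix.yaml
kubectl -n nginx-ingress delete service nginx-ingress
kubectl -n nginx-ingress apply -f nginx-ingress-service.yaml
```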
@shashidharatd
I too stumbled upon the exact same issue.
/cc @luxas @pipejakob

@shashidharatd
/cc @kubernetes/sig-cluster-lifecycle-bugs

@shashidharatd
Here is the log showing why the service controller fails to create a 'LoadBalancer'-type service in a kubeadm-based cluster:

{"log":"E0909 17:54:54.712198       1 servicecontroller.go:753] Failed to process service. Retrying in 2m40s: Failed to create load balancer for service federation-system/e2e-federation-apise
rver: User \"system:kube-controller-manager\" cannot create configmaps in the namespace \"kube-system\". (post configmaps)\n","stream":"stderr","time":"2017-09-09T17:54:54.712261219Z"}
{"log":"E0909 17:57:34.716929       1 servicecontroller.go:753] Failed to process service. Retrying in 5m0s: Failed to create load balancer for service federation-system/e2e-federation-apiser
ver: User \"system:kube-controller-manager\" cannot create configmaps in the namespace \"kube-system\". (post configmaps)\n","stream":"stderr","time":"2017-09-09T17:57:34.717073975Z"}

luxas commented Sep 9, 2017 via email

@shashidharatd
I dug into the code and found that the error comes from the GCE cloud provider. Here is the location: https://github.com/kubernetes/kubernetes/blob/release-1.7/pkg/cloudprovider/providers/gce/gce_clusterid.go#L192
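
For context: that code path stores a cluster identifier in a ConfigMap in kube-system and creates the ConfigMap if it is missing. A minimal sketch of that kind of call (using current client-go signatures, not the exact release-1.7 code):

```go
package gcefixsketch

import (
	"context"
	"fmt"

	v1 "k8s.io/api/core/v1"
	apierrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
)

// ensureClusterIDConfigMap mirrors, conceptually, what gce_clusterid.go does:
// create a ConfigMap in kube-system that holds the cluster ID used to name
// GCE load-balancer resources. This create is the call that gets denied when
// the client is authenticated as "system:kube-controller-manager".
func ensureClusterIDConfigMap(client kubernetes.Interface, uid string) error {
	cm := &v1.ConfigMap{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "ingress-uid", // ConfigMap name the GCE provider uses for its cluster ID
			Namespace: metav1.NamespaceSystem,
		},
		Data: map[string]string{"uid": uid},
	}
	_, err := client.CoreV1().ConfigMaps(metav1.NamespaceSystem).Create(context.TODO(), cm, metav1.CreateOptions{})
	if err != nil && !apierrors.IsAlreadyExists(err) {
		return fmt.Errorf("creating cluster ID configmap: %v", err)
	}
	return nil
}
```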

@shashidharatd
@MrHohn, this issue is related to the GCE cloud provider and the RBAC role/rolebinding. Do you have any clue?

luxas commented Sep 10, 2017

I think it's fine to just post-apply these rules if you use GCE. With out-of-tree cloud providers, this will be in the same manifest anyway...

MrHohn commented Sep 11, 2017

Seems we introduced new operations (on configmaps) in the GCE controller but never handled their RBAC...
cc @nicksardo

The relevant bootstrap policy rules for system:kube-controller-manager:

{
	// a role to use for bootstrapping the kube-controller-manager so it can create the shared informers
	// service accounts, and secrets that we need to create separate identities for other controllers
	ObjectMeta: metav1.ObjectMeta{Name: "system:kube-controller-manager"},
	Rules: []rbac.PolicyRule{
		eventsRule(),
		rbac.NewRule("create").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
		rbac.NewRule("delete").Groups(legacyGroup).Resources("secrets").RuleOrDie(),
		rbac.NewRule("get").Groups(legacyGroup).Resources("endpoints", "namespaces", "secrets", "serviceaccounts").RuleOrDie(),
		rbac.NewRule("update").Groups(legacyGroup).Resources("endpoints", "secrets", "serviceaccounts").RuleOrDie(),
		// Needed to check API access.  These creates are non-mutating
		rbac.NewRule("create").Groups(authenticationGroup).Resources("tokenreviews").RuleOrDie(),
		// Needed for all shared informers
		rbac.NewRule("list", "watch").Groups("*").Resources("*").RuleOrDie(),
	},
},
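
One conceivable way to handle it would have been to extend that bootstrap policy with a configmaps rule, along these lines (hypothetical; the fix that actually merged, kubernetes/kubernetes#52376, instead changed which client the cloud provider uses):

```go
// Hypothetical addition to the rules above, in the same bootstrap-policy style:
// let the controller manager create and maintain the configmaps the GCE
// provider needs. Not what was merged; shown only to illustrate the missing
// permission.
rbac.NewRule("create", "get", "update").Groups(legacyGroup).Resources("configmaps").RuleOrDie(),
```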

@nicksardo

shashidharatd commented Sep 13, 2017

/kind bug
/area cloudprovider
/assign @nicksardo

k8s-ci-robot added the kind/bug label Sep 13, 2017
k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Sep 14, 2017
…tion

Automatic merge from submit-queue (batch tested with PRs 52376, 52439, 52382, 52358, 52372)

Pass correct clientbuilder to cloudproviders

Fixes kubernetes/kubeadm#425 by moving the Initialize call to after the start of the token controller and passing `clientBuilder` instead of `rootClientBuilder` to the cloudproviders.

/assign @bowei 

**Release note**:
```release-note
NONE
```

Should fix in 1.8 and be cherry-picked to 1.7.
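
In other words, the merged change has the cloud provider talk to the API through the service-account-backed client builder (initialized only after the token controller has started, so service account tokens can actually be issued) rather than through the controller manager's own credential. A simplified sketch of the idea, with hypothetical interface names rather than the real controller-manager types:

```go
package sketch

import "k8s.io/client-go/kubernetes"

// ClientBuilder captures the shape of kube-controller-manager's two builders:
// the "root" builder returns clients that use the controller manager's own
// credential (the user system:kube-controller-manager), while the SA builder
// returns clients backed by per-controller service accounts with their own
// RBAC bindings.
type ClientBuilder interface {
	ClientOrDie(controllerName string) kubernetes.Interface
}

// CloudInitializer is the slice of the cloud-provider interface relevant here.
type CloudInitializer interface {
	Initialize(builder ClientBuilder)
}

// startCloudProvider shows the ordering the fix establishes: the token
// controller runs first (using the root credential, so it can mint service
// account tokens), and only then is the cloud provider initialized, with the
// SA-backed builder. GCE's configmap writes then run as a dedicated service
// account instead of as system:kube-controller-manager.
func startCloudProvider(
	cloud CloudInitializer,
	rootClientBuilder, saClientBuilder ClientBuilder,
	startTokenController func(ClientBuilder) error,
) error {
	if err := startTokenController(rootClientBuilder); err != nil {
		return err
	}
	cloud.Initialize(saClientBuilder)
	return nil
}
```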
k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Sep 15, 2017
…376-upstream-release-1.7

Automatic merge from submit-queue

Automated cherry pick of #52376

Cherry pick of #52376 on release-1.7.

#52376: Move cloudprovider initialization to after token controller

**Release note**:
```release-note
GCE: Fixes known [issue](kubernetes/kubeadm#425) for creating services with RBAC and bootstrap token auth
```