use https to check healthz in hack/local-up-cluster.sh #49072

Merged

@xilabao
Contributor

commented Jul 18, 2017

What this PR does / why we need it:

# PSP_ADMISSION=true ALLOW_PRIVILEGED=true ALLOW_SECURITY_CONTEXT=true ALLOW_ANY_TOKEN=true ENABLE_RBAC=true RUNTIME_CONFIG="extensions/v1beta1=true,extensions/v1beta1/podsecuritypolicy=true" hack/local-up-cluster.sh
...
Waiting for apiserver to come up
+++ [0718 09:34:38] On try 5, apiserver: : �����
Cluster "local-up-cluster" set.
use 'kubectl --kubeconfig=/var/run/kubernetes/admin-kube-aggregator.kubeconfig' to use the aggregated API server
Creating kube-system namespace
clusterrolebinding "system:kube-dns" created
serviceaccount "kube-dns" created
configmap "kube-dns" created
error: unable to recognize "kubedns-deployment.yaml": no matches for extensions/, Kind=Deployment
service "kube-dns" created
Kube-dns deployment and service successfully deployed.
kubelet ( 10952 ) is running.
Create podsecuritypolicy policies for RBAC.
unable to recognize "/home/nfs/mygo/src/k8s.io/kubernetes/examples/podsecuritypolicy/rbac/policies.yaml": no matches for extensions/, Kind=PodSecurityPolicy
unable to recognize "/home/nfs/mygo/src/k8s.io/kubernetes/examples/podsecuritypolicy/rbac/policies.yaml": no matches for extensions/, Kind=PodSecurityPolicy
unable to recognize "/home/nfs/mygo/src/k8s.io/kubernetes/examples/podsecuritypolicy/rbac/roles.yaml": no matches for rbac.authorization.k8s.io/, Kind=ClusterRole
unable to recognize "/home/nfs/mygo/src/k8s.io/kubernetes/examples/podsecuritypolicy/rbac/roles.yaml": no matches for rbac.authorization.k8s.io/, Kind=ClusterRole
unable to recognize "/home/nfs/mygo/src/k8s.io/kubernetes/examples/podsecuritypolicy/rbac/bindings.yaml": no matches for rbac.authorization.k8s.io/, Kind=ClusterRoleBinding
unable to recognize "/home/nfs/mygo/src/k8s.io/kubernetes/examples/podsecuritypolicy/rbac/bindings.yaml": no matches for rbac.authorization.k8s.io/, Kind=ClusterRoleBinding
unable to recognize "/home/nfs/mygo/src/k8s.io/kubernetes/examples/podsecuritypolicy/rbac/bindings.yaml": no matches for rbac.authorization.k8s.io/, Kind=ClusterRoleBinding
Create default storage class for 
error: unable to recognize "/home/nfs/mygo/src/k8s.io/kubernetes/cluster/addons/storage-class/local/default.yaml": no matches for storage.k8s.io/, Kind=StorageClass
Local Kubernetes cluster is running. Press Ctrl-C to shut it down.

Logs:
  /tmp/kube-apiserver.log
  /tmp/kube-controller-manager.log
  /tmp/kube-proxy.log
  /tmp/kube-scheduler.log
  /tmp/kubelet.log
...

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #47739

Special notes for your reviewer:

Release note:

NONE
@k8s-ci-robot

Contributor

commented Jul 18, 2017

Hi @xilabao. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@@ -897,6 +918,8 @@ if [[ "${START_MODE}" != "kubeletonly" ]]; then
start_apiserver

@liggitt

liggitt Jul 18, 2017

Member

start_apiserver already waits for healthz... waiting for rbac should not be necessary

@liggitt

liggitt Jul 18, 2017

Member

actually, it looks like kube::util::wait_for_url "http://${API_HOST_IP}:${API_SECURE_PORT}/healthz" should switch to the secure port

@liggitt

liggitt Jul 18, 2017

Member

and that should be done after creating the admin kubeconfig, and should use the admin kubeconfig

@xilabao

xilabao Jul 18, 2017

Author Contributor

Updated. But sorry, I don't know how to deal with kube::util::wait_for_url "http://${API_HOST_IP}:${API_SECURE_PORT}/healthz". ${API_SECURE_PORT} is the secure port.

@liggitt

liggitt Jul 18, 2017

Member

sorry, https

@xilabao xilabao force-pushed the xilabao:wait-rbac-in-local-cluster branch from 09f9247 to 570093d Jul 18, 2017

@xilabao xilabao force-pushed the xilabao:wait-rbac-in-local-cluster branch from 570093d to 413ab26 Jul 18, 2017

@xilabao xilabao changed the title from "wait rbac up in local cluster" to "use https to check healthz in hack/local-up-cluster.sh" Jul 18, 2017

@k8s-github-robot k8s-github-robot added size/XS and removed size/S labels Jul 18, 2017

@dims

Member

commented Jul 18, 2017

/ok-to-test

@liggitt

Member

commented Jul 18, 2017

@xilabao did that change resolve your issue?

@spxtr

Member

commented Jul 18, 2017

Looks fine to me but I'll let @liggitt decide.

/assign @liggitt

@xilabao

Contributor Author

commented Jul 19, 2017

@liggitt Yes, it works.

@liggitt

Member

commented Jul 19, 2017

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Jul 19, 2017

@spxtr

Member

commented Jul 19, 2017

/approve

@k8s-github-robot

Contributor

commented Jul 19, 2017

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, spxtr, xilabao

Associated issue: 47739

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot

Contributor

commented Jul 19, 2017

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot

Contributor

commented Jul 19, 2017

Automatic merge from submit-queue (batch tested with PRs 49058, 49072, 49137, 49182, 49045)

@k8s-github-robot k8s-github-robot merged commit 92d310e into kubernetes:master Jul 19, 2017

2 of 10 checks passed

Submit Queue Required Github CI test is not green: pull-kubernetes-bazel
pull-kubernetes-bazel Job triggered.
pull-kubernetes-e2e-gce-etcd3 Jenkins job triggered.
pull-kubernetes-e2e-kops-aws Jenkins job triggered.
pull-kubernetes-kubemark-e2e-gce Jenkins job triggered.
pull-kubernetes-node-e2e Jenkins job triggered.
pull-kubernetes-unit Jenkins job triggered.
pull-kubernetes-verify Jenkins job triggered.
cla/linuxfoundation xilabao authorized
pull-kubernetes-federation-e2e-gce Jenkins job succeeded.

@k8s-ci-robot

Contributor

commented Jul 19, 2017

@xilabao: The following test failed, say /retest to rerun them all:

| Test name | Commit | Details | Rerun command |
| --- | --- | --- | --- |
| pull-kubernetes-kubemark-e2e-gce | 413ab26 | link | /test pull-kubernetes-kubemark-e2e-gce |

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@RenaudWasTaken

Member

commented Jul 20, 2017

Hi!

This change seems to break local-up-cluster on master (I've cloned master in a new Goenv).
local-up-cluster is now waiting for the API server until it times out:

Waiting for apiserver to come up
!!! [0720 11:47:43] Timed out waiting for apiserver:  to answer at https://127.0.0.1:6443/healthz; tried 20 waiting 1 between each
check apiserver logs: /tmp/kube-apiserver.log

And the logs indicate nothing. My guess is that there is an option to enable for the API server to listen on https. Still investigating :)

@mtanino

Member

commented Jul 20, 2017

@RenaudWasTaken @liggitt
I'm hitting the same issue and posted a bug report above.

@liggitt

Member

commented Jul 20, 2017

without ENABLE_RBAC=true, /healthz on the TLS port is denied.

@xilabao options are to make this conditional on RBAC, default RBAC on, or something else

@mtanino

Member

commented Jul 20, 2017

@liggitt
Ah, I got the reason. Why do we need to use the https endpoint?

@liggitt

Member

commented Jul 20, 2017

https is the aggregated API, which is what we want to wait for
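
The regression discussed in this thread (a wait loop on https://127.0.0.1:6443/healthz that times out because the TLS port denies the request) is easier to diagnose when the loop separates "not listening" from "listening but denied". The following is an added example, not code from this PR or from hack/local-up-cluster.sh; the function names, return codes and the use of a client certificate are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Function names and return codes are hypothetical; they are
# not taken from hack/local-up-cluster.sh or kube::util::wait_for_url.

# Map the HTTP status returned for /healthz to a startup state.
classify_healthz() {
  case "$1" in
    200)     echo ready ;;        # apiserver answered and reports healthy
    401|403) echo denied ;;       # TLS port is serving, but this caller is rejected
    000)     echo unreachable ;;  # curl writes 000 when it got no HTTP response
    *)       echo unhealthy ;;    # e.g. 500 while a health check is failing
  esac
}

# Print the status code of https://<host>:<port>/healthz, verifying the server
# against a CA file and presenting a client certificate.
# Args: host port ca-file client-cert client-key (all supplied by the caller).
probe_healthz_tls() {
  curl --silent --output /dev/null --write-out '%{http_code}' --max-time 2 \
    --cacert "$3" --cert "$4" --key "$5" "https://$1:$2/healthz" || true
}

# Poll a probe command until it reports ready.
# Args: tries, seconds between tries, then the probe command and its arguments.
# Returns 0 = ready, 2 = still denied at timeout, 1 = unreachable/unhealthy at timeout.
wait_for_healthz() {
  local tries="$1" pause="$2" state="unreachable" i=1
  shift 2
  while [ "$i" -le "$tries" ]; do
    state="$(classify_healthz "$("$@")")"
    [ "$state" = ready ] && return 0
    sleep "$pause"
    i=$((i + 1))
  done
  if [ "$state" = denied ]; then
    echo "apiserver answers on the TLS port but denies /healthz to this caller" >&2
    return 2
  fi
  echo "timed out waiting for /healthz (last state: ${state})" >&2
  return 1
}
```

A caller passes the probe as the trailing arguments, for example `wait_for_healthz 20 1 probe_healthz_tls 127.0.0.1 6443 ca.crt admin.crt admin.key`, where the three file names are placeholders.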
