New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Issues reaching metrics-api pod from web pod when accessing the dashboard #7339
Comments
Server Manifest
Server Authorization Manifest
On deleting the Server Manifest, dashboard is happy |
Do we have any idea why the client (web?) is not initializing mTLS? Is the destination controller not returning an identity for the pod? I'd try turning up proxy logs on the client pod. |
The client does get an identity. PFA debug logs for the linkerd-proxy for the client (web) |
I ran into the same issue with stable-2.11.1 and deleting the metrics-api Server resource as suggested by @pankajmt resolved the issue. EDIT: I actually had to delete all Server resources in |
Same issue, stable 2.11.1 , helm chart deployment using default namespaces. |
Same issue. another walkaround:
|
We were experiencing the same issue and updated to |
Great thanks for the update on this! If this isn't something that is fixed by |
Bug Report
What is the issue?
When accessing the dashboard, see issues connecting to the metrics-api
How can it be reproduced?
2.11.1 install in standard namespace. Not we run a patched version of proxy-init and controller images to be able to run workload pods with a psp which is not run as root, but that should not affect this finding.
Logs, error output, etc
(If the output is long, please create a gist and
paste the link here.)
web pod logs have
time="2021-11-23T02:27:12Z" level=error msg="HTTP error, status Code [403] (unexpected API response)"
metrics api logs show
[ 32346.561203s] INFO ThreadId(01) inbound:server{port=8085}:rescue{client.addr=10.213.65.7:44320}: linkerd_app_core::errors::respond: Request failed error=unauthorized connection on server metrics-api
kubectl get pods -o wide
linkerd check
outputEnvironment
kubectl version Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.2", GitCommit:"8b5a19147530eaac9476b0ab82980b4088bbc1b2", GitTreeState:"clean", BuildDate:"2021-09-15T21:31:32Z", GoVersion:"go1.16.8", Compiler:"gc", Platform:"darwin/amd64"} Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.5-gke.1302", GitCommit:"639f3a74abf258418493e9b75f2f98a08da29733", GitTreeState:"clean", BuildDate:"2021-10-21T21:35:48Z", GoVersion:"go1.16.7b7", Compiler:"gc", Platform:"linux/amd64"}
GKE
Container OS
2.11.1 patched
Possible solution
Additional context
On running a locally built instance of linkerd proxy,
See following in logs which seems to suggest identity matches never happen because of the if statement?
The text was updated successfully, but these errors were encountered: