cert-manager-webhook-dnsimple throws errors on GKE running Kubernetes 1.17.15-gke.800 #8
Comments
Hey, I just saw this error in our clusters and googled it and then ended here in the ticket of my own project 😅 - this totally got lost in my inbox. Sorry! I think a downgrade is the most viable solution, but I will check what the other webhooks are doing and will report back. |
Looking around I noticed that one can add in the rbac yaml file to the ClusterRole
But it seems to still not solve the problem. I get the same issue ebrianne/cert-manager-webhook-duckdns#2 |
@ebrianne Which Kubernetes version are you seeing this with? |
@arnediekmann Any news? |
Just to be clear: FlowSchema and PriorityLevelConfiguration were in Alpha in Kubernetes v1.19 (https://v1-19.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#flowschema-v1alpha1-flowcontrol-apiserver-k8s-io and https://v1-18.docs.kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#prioritylevelconfiguration-v1alpha1-flowcontrol-apiserver-k8s-io). They don't enter Beta until v1.20. So any client library that tries to list those resources in the Beta namespace will fail on a pre-1.20 cluster. |
@parmus I am using a k3s cluster v1.20.4 and thought I could solve the problem finally. Last time I downgraded to 1.19 for the client which solved the problem as indeed the feature was in alpha at that time. It seems at the moment a viable solution. |
Whoops, this got auto-closed by my commit. I just released version
@parmus somewhat off-topic but the release also encompasses your PRs. Thanks again for those contributions! |
I found this issue when I was searching for a solution for the same problem. I solved it by adding a new clusterRole/Binding to the webhook service account (not the cert-manager service account), like this:

```yaml
# Grants list/watch on the flow control resources
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:flowcontrol-solver
  labels:
    app: {{ include "cert-manager-webhook-hetzner.name" . }}
    chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
rules:
  - apiGroups:
      - "flowcontrol.apiserver.k8s.io"
    resources:
      - 'prioritylevelconfigurations'
      - 'flowschemas'
    verbs:
      - 'list'
      - 'watch'
---
# Binds the role to the webhook's own service account
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:flowcontrol-solver
  labels:
    app: {{ include "cert-manager-webhook-hetzner.name" . }}
    chart: {{ include "cert-manager-webhook-hetzner.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager-webhook-hetzner.fullname" . }}:flowcontrol-solver
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager-webhook-hetzner.fullname" . }}
    namespace: {{ .Release.Namespace | quote }}
---
```
issue discussed here: puzzle/cert-manager-webhook-dnsimple#8 (comment)
Deploying cert-manager-webhook-dnsimple on GKE cluster running Kubernetes 1.17.15-gke.800 results in the following errors:
The problem seems to be a mismatch between the v0.20.0 client libraries and Kubernetes 1.17. Downgrading to the v0.19.0 client libraries solves the problem. Kubernetes 1.17.15-gke.800 is the latest stable release on GKE, so upgrading the cluster is not an option for users running production environments on stable.
cert-manager-webhook-dnsimple seems to work despite these errors, but on the other hand, there is nothing in cert-manager-webhook-dnsimple that needs the newer client libraries.
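An added example (not code from the project or from any commenter) that separates the two causes discussed in this thread: the cluster not serving the flow control group at the Beta version the client lists, and the webhook service account lacking `list` on those resources. The `kubectl api-versions` samples are constructed, and `served_flowcontrol`, `diagnose` and `check_cluster` are names chosen here.

```shell
#!/usr/bin/env bash
# Constructed sample: trimmed `kubectl api-versions` output from a cluster
# that does not serve the flow control group (the pre-1.20 case).
SAMPLE_OLD='apps/v1
rbac.authorization.k8s.io/v1
v1'
# Constructed sample: a cluster that serves the group at v1beta1.
SAMPLE_NEW='apps/v1
flowcontrol.apiserver.k8s.io/v1beta1
rbac.authorization.k8s.io/v1
v1'

# Print the flowcontrol group versions found in `kubectl api-versions`
# output read from stdin, space separated (empty if the group is absent).
served_flowcontrol() {
  awk -F/ '$1 == "flowcontrol.apiserver.k8s.io" { v = v (v ? " " : "") $2 }
           END { print v }'
}

# diagnose <wanted-version> <can-i answer>; api-versions output on stdin.
#   not-served   -> the client library is newer than the cluster
#   rbac-missing -> group is served, service account may not list it
#   ok           -> neither problem applies
diagnose() {
  wanted=$1
  can_list=$2
  served=$(served_flowcontrol)
  case " $served " in
    *" $wanted "*) ;;
    *) echo "not-served"; return 0 ;;
  esac
  if [ "$can_list" = "yes" ]; then echo "ok"; else echo "rbac-missing"; fi
}

# Live check; needs kubectl and permission to impersonate the account.
# Usage: check_cluster <namespace> <webhook-service-account>
check_cluster() {
  ns=$1
  sa=$2
  # `kubectl auth can-i` exits non-zero on "no", so tolerate that.
  can=$(kubectl auth can-i list flowschemas.flowcontrol.apiserver.k8s.io \
        --as="system:serviceaccount:$ns:$sa" 2>/dev/null) || true
  kubectl api-versions | diagnose v1beta1 "$can"
}

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OLD" | diagnose v1beta1 no
printf '%s\n' "$SAMPLE_NEW" | diagnose v1beta1 no
```

`not-served` corresponds to the client library downgrade described in the issue, and `rbac-missing` to the ClusterRole and ClusterRoleBinding from the last comment; `check_cluster` tests `list` only, so `watch` needs a second `can-i` call.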