Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

watchercache.go spamming log: Failed to create watcher ListRoot="/calico/ipam/v2/assignment/" #4557

Closed
holmesb opened this issue Apr 23, 2021 · 1 comment
Closed

watchercache.go spamming log: Failed to create watcher ListRoot="/calico/ipam/v2/assignment/" #4557

holmesb opened this issue Apr 23, 2021 · 1 comment
Labels
kind/support

Comments

@holmesb
Copy link

holmesb commented Apr 23, 2021
edited

Hi,

We've just upgraded from v3.16.5 to v3.18.1. The calico-kube-controllers pod log is filled (many events per second) with messages from watchercache.go.

2021-04-23 06:58:23.990 [INFO][1] watchercache.go 243: Failed to create watcher ListRoot="/calico/ipam/v2/assignment/" error=connection is unauthorized: unknown (get IPAMBlocks.crd.projectcalico.org) performFullResync=true
2021-04-23 06:58:23.990 [INFO][1] watchercache.go 174: Full resync is required ListRoot="/calico/ipam/v2/assignment/"

Its CPU consumption has also increased significantly.

I've checked that a ClusterRole & ClusterRoleBinding: calico-node both exist. They are the same as on another cluster running v3.16.5 that doesn't exhibit this problem. Also, there are no notable differences in the calico-kube-controllers deployments on the two clusters, other than the image version. Configmap: calico-config is the same.

Steps to Reproduce (for bugs)

Upgrade from Calico v3.16.5 to v3.18.1. Also occurs when doing a clean install of k8s and Calico v3.18.1.

Your Environment

  • Calico version 3.18.1
  • Orchestrator version: k8s 1.19.7
  • Operating System and version: Ubuntu 20.04

Many thanks
@caseydavenport
Copy link
Member

@holmesb did you update the ClusterRole as part of that upgrade?

When upgrading Calico image versions, you also need to update the associated Kubernetes resources, as they are pretty tightly coupled.

v3.18.0 introduced a new requirement for kube-controllers to watch IPAM blocks. If you compare the v3.18 ClusterRole with the v3.16 cluster role, you'll notice this change:

   # IPAM resources are manipulated when nodes are deleted.
    - apiGroups: ["crd.projectcalico.org"]
      resources:
        - ippools
      verbs:
        - list
    - apiGroups: ["crd.projectcalico.org"]
      resources:
        - blockaffinities
        - ipamblocks
        - ipamhandles
      verbs:
        - get
        - list
        - create
        - update
        - delete
+       - watch

In general, don't expect the old manifests to work with newer code (and vice-versa).

I'd recommend looking at using the Calico operator to install Calico, which will make sure the running configuration matches the running code without needing human intervention.

@holmesb holmesb mentioned this issue Apr 29, 2021
Closed
holmesb added a commit to holmesb/kubespray that referenced this issue Apr 29, 2021
@holmesb
Fixes issue kubernetes-sigs#7573 - Made Calico permissions compatible…
8cb67ec 
… with v3.18.x (see projectcalico/calico#4557).  Specifically, granted watch to custom resources blockaffinities, ipamblocks & ipamhandles
@holmesb holmesb mentioned this issue Apr 29, 2021
Merged
k8s-ci-robot pushed a commit to kubernetes-sigs/kubespray that referenced this issue Apr 30, 2021
@holmesb
Fixes issue #7573 - Made Calico permissions compatible with v3.18.x (…
3f4eb9b 
…see projectcalico/calico#4557).  Specifically, granted watch to custom resources blockaffinities, ipamblocks & ipamhandles (#7575)
unai-ttxu pushed a commit to unai-ttxu/kubespray that referenced this issue May 18, 2021
@holmesb @unai-ttxu
Fixes issue kubernetes-sigs#7573 - Made Calico permissions compatible…
57dc352 
… with v3.18.x (see projectcalico/calico#4557).  Specifically, granted watch to custom resources blockaffinities, ipamblocks & ipamhandles (kubernetes-sigs#7575)
unai-ttxu added a commit to Stratio/kubespray that referenced this issue May 18, 2021
@unai-ttxu @cristicalin @holmesb
Support Calico advertisement of MetalLB LoadBalancer IPs (#5)
9dbc7d9 
* Add Calico v3.17.3 and v3.18.1 (kubernetes-sigs#7524)

* add hashes for calico v3.17.3

* add hashes for claico v3.18.1

* bump default calico version to v3.17.3

* calico crds are missing yaml separator breaking kdd

* Calico new versions v3.17.4 and v3.18.2 (kubernetes-sigs#7563)

* calico: upgrade from v3.17.3 to v3.17.4

* calico: upgrade from v3.18.1 to v3.18.2

* Fixes issue kubernetes-sigs#7573 - Made Calico permissions compatible with v3.18.x (see projectcalico/calico#4557).  Specifically, granted watch to custom resources blockaffinities, ipamblocks & ipamhandles (kubernetes-sigs#7575)

* bump calico 3.18 to v3.18.3 (kubernetes-sigs#7592)

* Support Calico advertisement of MetalLB LoadBalancer IPs (kubernetes-sigs#7593)

* add initial MetalLB docs

* metallb allow disabling the deployment of the metallb speaker

* calico>=3.18 allow using calico to advertise service loadbalancer IPs

* Document the use of MetalLB and Calico

* clean MetalLB docs

Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>
Co-authored-by: holmesb <5072156+holmesb@users.noreply.github.com>
LuckySB pushed a commit to southbridgeio/kubespray that referenced this issue Jun 12, 2021
@holmesb @LuckySB
Fixes issue kubernetes-sigs#7573 - Made Calico permissions compatible…
88f044c 
… with v3.18.x (see projectcalico/calico#4557).  Specifically, granted watch to custom resources blockaffinities, ipamblocks & ipamhandles (kubernetes-sigs#7575)
sakuraiyuta pushed a commit to sakuraiyuta/kubespray that referenced this issue Apr 16, 2022
@holmesb @sakuraiyuta
Fixes issue kubernetes-sigs#7573 - Made Calico permissions compatible…
f55bedd 
… with v3.18.x (see projectcalico/calico#4557).  Specifically, granted watch to custom resources blockaffinities, ipamblocks & ipamhandles (kubernetes-sigs#7575)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/support
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@caseydavenport @holmesb