Latest karpenter upgrade causes crash due to list/watch configmap forbidden #365

Closed
1 task done
benjefferies opened this issue Mar 8, 2024 · 1 comment
Labels
bug Something isn't working upstream Dependency on an upstream related issue

benjefferies commented Mar 8, 2024

Description

There are versioning issues with the latest versions of karpenter. This causes issues with the service account. See this issue for more details

```
E0308 10:50:37.563419       1 reflector.go:140] k8s.io/client-go@v0.26.6/tools/cache/reflector.go:169: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:karpenter:karpenter" cannot list resource "configmaps" in API group "" in the namespace "karpenter"
W0308 10:51:15.861739       1 reflector.go:424] k8s.io/client-go@v0.26.6/tools/cache/reflector.go:169: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:karpenter:karpenter" cannot list resource "configmaps" in API group "" in the namespace "karpenter"
E0308 10:51:15.861856       1 reflector.go:140] k8s.io/client-go@v0.26.6/tools/cache/reflector.go:169: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:karpenter:karpenter" cannot list resource "configmaps" in API group "" in the namespace "karpenter"
W0308 10:51:16.886333       1 reflector.go:424] k8s.io/client-go@v0.26.6/tools/cache/reflector.go:169: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:karpenter:karpenter" cannot list resource "configmaps" in API group "" in the namespace "karpenter"
E0308 10:51:16.886371       1 reflector.go:140] k8s.io/client-go@v0.26.6/tools/cache/reflector.go:169: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:karpenter:karpenter" cannot list resource "configmaps" in API group "" in the namespace "karpenter"
W0308 10:51:18.990191       1 reflector.go:424] k8s.io/client-go@v0.26.6/tools/cache/reflector.go:169: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:karpenter:karpenter" cannot list resource "configmaps" in API group "" in the namespace "karpenter"
E0308 10:51:18.990235       1 reflector.go:140] k8s.io/client-go@v0.26.6/tools/cache/reflector.go:169: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:karpenter:karpenter" cannot list resource "configmaps" in API group "" in the namespace "karpenter"
```
  • ✋ I have searched the open/closed issues and my issue is not listed.

⚠️ Note

Before you submit an issue, please perform the following first:

  1. Remove the local .terraform directory (! ONLY if state is stored remotely, which hopefully you are following that best practice!): rm -rf .terraform/
  2. Re-initialize the project root to pull down modules: terraform init
  3. Re-attempt your terraform plan or apply and check if the issue still persists

Versions

  • Provider version(s):
```hcl
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.47"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = ">= 2.20"
    }
    helm = {
      source  = "hashicorp/helm"
      version = ">= 2.9"
    }
    bcrypt = {
      source  = "viktorradnai/bcrypt"
      version = ">= 0.1.2"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.1"
    }
  }
```

Reproduction Code [Required]

Steps to reproduce the behavior:

Deploy karpenter pointing to latest helm chart

Expected behaviour

Karpenter runs ok

Actual behaviour

Karpenter crashes with service account permission issues

Terminal Output Screenshot(s)

Additional context

benjefferies added a commit to benjefferies/terraform-aws-eks-blueprints-addons that referenced this issue Mar 8, 2024
If you have already installed the upgrade, you may get an issue.

```
failed to get API group resources: unable to retrieve the complete list of server APIs: karpenter.sh/v1beta1: the server could not find the requested resource
```

To fix, uninstall karpenter and reapply terraform
```bash
helm uninstall karpenter -n karpenter
```

Fixes aws-ia#365
@askulkarni2 askulkarni2 added bug Something isn't working upstream Dependency on an upstream related issue labels Mar 11, 2024
@bryantbiggs
Contributor

ref #366 (comment)
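
Added example, not part of the issue thread or the project's code: a small triage script that reduces repeated client-go reflector `forbidden` lines like the ones in the report to the distinct RBAC denials behind them, and builds the matching `kubectl auth can-i` check for each. The names `Denial`, `summarize` and `can_i_command` are hypothetical; the sample input is the first two lines of the log excerpt above.

```python
import re
import shlex
from collections import Counter
from typing import NamedTuple, Optional

# First two lines of the log excerpt in the issue above, copied verbatim.
SAMPLE_LOG = '''\
E0308 10:50:37.563419       1 reflector.go:140] k8s.io/client-go@v0.26.6/tools/cache/reflector.go:169: Failed to watch *v1.ConfigMap: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:karpenter:karpenter" cannot list resource "configmaps" in API group "" in the namespace "karpenter"
W0308 10:51:15.861739       1 reflector.go:424] k8s.io/client-go@v0.26.6/tools/cache/reflector.go:169: failed to list *v1.ConfigMap: configmaps is forbidden: User "system:serviceaccount:karpenter:karpenter" cannot list resource "configmaps" in API group "" in the namespace "karpenter"
'''

# Matches the API server's authorization-denied message, namespaced or cluster-scoped.
DENIAL_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)"| at the cluster scope)'
)

class Denial(NamedTuple):
    user: str
    verb: str
    resource: str
    group: str                 # "" is the core API group
    namespace: Optional[str]   # None means the denial was at cluster scope

def summarize(log_text: str) -> Counter:
    """Count how often each distinct denial appears; non-matching lines are skipped."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        match = DENIAL_RE.search(line)
        if match:
            counts[Denial(**match.groupdict())] += 1
    return counts

def can_i_command(denial: Denial) -> str:
    """Build the kubectl impersonation check that reproduces one denial."""
    resource = f"{denial.resource}.{denial.group}" if denial.group else denial.resource
    cmd = ["kubectl", "auth", "can-i", denial.verb, resource, f"--as={denial.user}"]
    if denial.namespace:
        cmd += ["-n", denial.namespace]
    return shlex.join(cmd)

if __name__ == "__main__":
    for denial, seen in summarize(SAMPLE_LOG).items():
        print(f"{seen}x {denial}")
        print("  verify:", can_i_command(denial))
```

Running the printed command before and after a chart upgrade shows whether the service account's Role actually grants the verb the controller needs.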
