Internal error occurred: failed calling webhook "mcloneset.kb.io" kind/bug #535
Comments
|
same problem, is there any progress? |
|
@peacocktrain @alandtsang Please collect the informations below when the error occurs:
|
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
creationTimestamp: "2020-12-15T08:52:42Z"
generation: 3
labels:
app: kruise-mutating-webhook-configuration
wayne.io/app: openkruise
name: kruise-mutating-webhook-configuration
resourceVersion: "1014160"
selfLink: /apis/admissionregistration.k8s.io/v1/mutatingwebhookconfigurations/kruise-mutating-webhook-configuration
uid: ba60b86a-409c-4ea4-bb13-4d4ec3ca184a
webhooks:
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMwakNDQWJxZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFhTVJnd0ZnWURWUVFERXc5M1pXSm8KYjI5ckxXTmxjblF0WTJFd0hoY05NakF4TWpFM01qTXdPRE15V2hjTk16QXhNakUxTWpNd09ETXlXakFhTVJndwpGZ1lEVlFRREV3OTNaV0pvYjI5ckxXTmxjblF0WTJFd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3CmdnRUtBb0lCQVFEQ2xIMmFwVWZqN3J3SGlDVHJ1cit6UjZPbHdQSkRzbE5samYzWmIwL1B5Q2RQSzhEZFlodUIKWU45Zm9pZ1QzWDRYVE42Z3hPcnA2V1hTUHNGRGJ6eVdSTE9GenlLS3gxZ0kwaUVqUkFOWGN2emxXbWVzREZRRQpIdnpVOGk4L1UwQktLWWtMVEY5V0YyU0NYMkVpR2VRMXZONzM0aU9iRmd3bm91VThKZ08yZE02S01xYis5aERkCjV0Y2NWTDdhaEc1cVNVbUJLVFY2ZTVxTGl5aStwT1MwZnpKaUdseWhmZURqMDdCbHZJUng1UldPZjhFeHR1YSsKODVjR0t0OE0zNG9GcW9SWEJZS2ZNVkVqM1ZaSEpvNE53NlNqWHFTTXoxd1VpWXhyRHFXYy9UZlhnSkVjNGZ4UAo3dVBmV1k5NVpwd0VHU2tKSWQrQW9RMkYxUW03SE9IREFnTUJBQUdqSXpBaE1BNEdBMVVkRHdFQi93UUVBd0lDCnBEQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQnFFT3BBSHhLaW5sd2cKaHhzcC8xVkZQL3FHY2JZNjFUSTNaRFpyN2ZZQkFUTkd1K0hWOURpMnpCWUpGOW1aNGZIcEZCV2kycnh4bVpHTAp2YnBZZXFtcHhBdTBNVE83cXcwMTV3N2lhOWlvUkhHdTJiVy96cHlrSksvbjVMYkJYbWZ1TVVYeXlXR09zanJRCkNYNEpCUG0vN25nckR0cEwvbWJRbkF3QTU0OW9mbVFYWFVRREtEbHl3R0R5ajlxQnlJWEVISk9tdHlWbWNIVjYKTERwTHdEUFdsZ2JSOGtSQ2lxclcxVXBwanh4RlA0MkQ3anVKQkxUUlBPQndFQmI5RFZCcFljOXVuRHR0REhYSAp6ektYSUxIdkd3REUwaWlsbk8vcjVHYlFYdjlmd09LaXBjWHlOVVlGQXdwRkxLSTQ1TDN0RkFnbys3bjBpUGR6ClJJWFJUdW1oCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
service:
name: kruise-webhook-service
namespace: kube-system
path: /mutate-apps-kruise-io-v1alpha1-sidecarset
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: msidecarset.kb.io
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- apps.kruise.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- sidecarsets
scope: '*'
sideEffects: Unknown
timeoutSeconds: 30
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMwakNDQWJxZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFhTVJnd0ZnWURWUVFERXc5M1pXSm8KYjI5ckxXTmxjblF0WTJFd0hoY05NakF4TWpFM01qTXdPRE15V2hjTk16QXhNakUxTWpNd09ETXlXakFhTVJndwpGZ1lEVlFRREV3OTNaV0pvYjI5ckxXTmxjblF0WTJFd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3CmdnRUtBb0lCQVFEQ2xIMmFwVWZqN3J3SGlDVHJ1cit6UjZPbHdQSkRzbE5samYzWmIwL1B5Q2RQSzhEZFlodUIKWU45Zm9pZ1QzWDRYVE42Z3hPcnA2V1hTUHNGRGJ6eVdSTE9GenlLS3gxZ0kwaUVqUkFOWGN2emxXbWVzREZRRQpIdnpVOGk4L1UwQktLWWtMVEY5V0YyU0NYMkVpR2VRMXZONzM0aU9iRmd3bm91VThKZ08yZE02S01xYis5aERkCjV0Y2NWTDdhaEc1cVNVbUJLVFY2ZTVxTGl5aStwT1MwZnpKaUdseWhmZURqMDdCbHZJUng1UldPZjhFeHR1YSsKODVjR0t0OE0zNG9GcW9SWEJZS2ZNVkVqM1ZaSEpvNE53NlNqWHFTTXoxd1VpWXhyRHFXYy9UZlhnSkVjNGZ4UAo3dVBmV1k5NVpwd0VHU2tKSWQrQW9RMkYxUW03SE9IREFnTUJBQUdqSXpBaE1BNEdBMVVkRHdFQi93UUVBd0lDCnBEQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQnFFT3BBSHhLaW5sd2cKaHhzcC8xVkZQL3FHY2JZNjFUSTNaRFpyN2ZZQkFUTkd1K0hWOURpMnpCWUpGOW1aNGZIcEZCV2kycnh4bVpHTAp2YnBZZXFtcHhBdTBNVE83cXcwMTV3N2lhOWlvUkhHdTJiVy96cHlrSksvbjVMYkJYbWZ1TVVYeXlXR09zanJRCkNYNEpCUG0vN25nckR0cEwvbWJRbkF3QTU0OW9mbVFYWFVRREtEbHl3R0R5ajlxQnlJWEVISk9tdHlWbWNIVjYKTERwTHdEUFdsZ2JSOGtSQ2lxclcxVXBwanh4RlA0MkQ3anVKQkxUUlBPQndFQmI5RFZCcFljOXVuRHR0REhYSAp6ektYSUxIdkd3REUwaWlsbk8vcjVHYlFYdjlmd09LaXBjWHlOVVlGQXdwRkxLSTQ1TDN0RkFnbys3bjBpUGR6ClJJWFJUdW1oCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
service:
name: kruise-webhook-service
namespace: kube-system
path: /mutate-pod
port: 443
failurePolicy: Ignore
matchPolicy: Exact
name: mpod.kb.io
namespaceSelector:
matchExpressions:
- key: control-plane
operator: DoesNotExist
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
scope: '*'
sideEffects: Unknown
timeoutSeconds: 30
- admissionReviewVersions:
- v1beta1
clientConfig:
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMwakNDQWJxZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFhTVJnd0ZnWURWUVFERXc5M1pXSm8KYjI5ckxXTmxjblF0WTJFd0hoY05NakF4TWpFM01qTXdPRE15V2hjTk16QXhNakUxTWpNd09ETXlXakFhTVJndwpGZ1lEVlFRREV3OTNaV0pvYjI5ckxXTmxjblF0WTJFd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3CmdnRUtBb0lCQVFEQ2xIMmFwVWZqN3J3SGlDVHJ1cit6UjZPbHdQSkRzbE5samYzWmIwL1B5Q2RQSzhEZFlodUIKWU45Zm9pZ1QzWDRYVE42Z3hPcnA2V1hTUHNGRGJ6eVdSTE9GenlLS3gxZ0kwaUVqUkFOWGN2emxXbWVzREZRRQpIdnpVOGk4L1UwQktLWWtMVEY5V0YyU0NYMkVpR2VRMXZONzM0aU9iRmd3bm91VThKZ08yZE02S01xYis5aERkCjV0Y2NWTDdhaEc1cVNVbUJLVFY2ZTVxTGl5aStwT1MwZnpKaUdseWhmZURqMDdCbHZJUng1UldPZjhFeHR1YSsKODVjR0t0OE0zNG9GcW9SWEJZS2ZNVkVqM1ZaSEpvNE53NlNqWHFTTXoxd1VpWXhyRHFXYy9UZlhnSkVjNGZ4UAo3dVBmV1k5NVpwd0VHU2tKSWQrQW9RMkYxUW03SE9IREFnTUJBQUdqSXpBaE1BNEdBMVVkRHdFQi93UUVBd0lDCnBEQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQnFFT3BBSHhLaW5sd2cKaHhzcC8xVkZQL3FHY2JZNjFUSTNaRFpyN2ZZQkFUTkd1K0hWOURpMnpCWUpGOW1aNGZIcEZCV2kycnh4bVpHTAp2YnBZZXFtcHhBdTBNVE83cXcwMTV3N2lhOWlvUkhHdTJiVy96cHlrSksvbjVMYkJYbWZ1TVVYeXlXR09zanJRCkNYNEpCUG0vN25nckR0cEwvbWJRbkF3QTU0OW9mbVFYWFVRREtEbHl3R0R5ajlxQnlJWEVISk9tdHlWbWNIVjYKTERwTHdEUFdsZ2JSOGtSQ2lxclcxVXBwanh4RlA0MkQ3anVKQkxUUlBPQndFQmI5RFZCcFljOXVuRHR0REhYSAp6ektYSUxIdkd3REUwaWlsbk8vcjVHYlFYdjlmd09LaXBjWHlOVVlGQXdwRkxLSTQ1TDN0RkFnbys3bjBpUGR6ClJJWFJUdW1oCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
service:
name: kruise-webhook-service
namespace: kube-system
path: /mutate-apps-kruise-io-v1alpha1-broadcastjob
port: 443
failurePolicy: Fail
matchPolicy: Exact
name: mbroadcastjob.kb.io
namespaceSelector: {}
objectSelector: {}
reinvocationPolicy: Never
rules:
- apiGroups:
- apps.kruise.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- broadcastjobs
scope: '*'
sideEffects: Unknown
timeoutSeconds: 30
- admissionReviewVeapiVersion: v1
data:
ca-cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMwakNDQWJxZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFhTVJnd0ZnWURWUVFERXc5M1pXSm8KYjI5ckxXTmxjblF0WTJFd0hoY05NakF4TWpFM01qTXdPRE15V2hjTk16QXhNakUxTWpNd09ETXlXakFhTVJndwpGZ1lEVlFRREV3OTNaV0pvYjI5ckxXTmxjblF0WTJFd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3CmdnRUtBb0lCQVFEQ2xIMmFwVWZqN3J3SGlDVHJ1cit6UjZPbHdQSkRzbE5samYzWmIwL1B5Q2RQSzhEZFlodUIKWU45Zm9pZ1QzWDRYVE42Z3hPcnA2V1hTUHNGRGJ6eVdSTE9GenlLS3gxZ0kwaUVqUkFOWGN2emxXbWVzREZRRQpIdnpVOGk4L1UwQktLWWtMVEY5V0YyU0NYMkVpR2VRMXZONzM0aU9iRmd3bm91VThKZ08yZE02S01xYis5aERkCjV0Y2NWTDdhaEc1cVNVbUJLVFY2ZTVxTGl5aStwT1MwZnpKaUdseWhmZURqMDdCbHZJUng1UldPZjhFeHR1YSsKODVjR0t0OE0zNG9GcW9SWEJZS2ZNVkVqM1ZaSEpvNE53NlNqWHFTTXoxd1VpWXhyRHFXYy9UZlhnSkVjNGZ4UAo3dVBmV1k5NVpwd0VHU2tKSWQrQW9RMkYxUW03SE9IREFnTUJBQUdqSXpBaE1BNEdBMVVkRHdFQi93UUVBd0lDCnBEQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQnFFT3BBSHhLaW5sd2cKaHhzcC8xVkZQL3FHY2JZNjFUSTNaRFpyN2ZZQkFUTkd1K0hWOURpMnpCWUpGOW1aNGZIcEZCV2kycnh4bVpHTAp2YnBZZXFtcHhBdTBNVE83cXcwMTV3N2lhOWlvUkhHdTJiVy96cHlrSksvbjVMYkJYbWZ1TVVYeXlXR09zanJRCkNYNEpCUG0vN25nckR0cEwvbWJRbkF3QTU0OW9mbVFYWFVRREtEbHl3R0R5ajlxQnlJWEVISk9tdHlWbWNIVjYKTERwTHdEUFdsZ2JSOGtSQ2lxclcxVXBwanh4RlA0MkQ3anVKQkxUUlBPQndFQmI5RFZCcFljOXVuRHR0REhYSAp6ektYSUxIdkd3REUwaWlsbk8vcjVHYlFYdjlmd09LaXBjWHlOVVlGQXdwRkxLSTQ1TDN0RkFnbys3bjBpUGR6ClJJWFJUdW1oCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
cert.pem: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURNakNDQWhxZ0F3SUJBZ0lJV21rUjZSL1p5L013RFFZSktvWklodmNOQVFFTEJRQXdHakVZTUJZR0ExVUUKQXhNUGQyVmlhRzl2YXkxalpYSjBMV05oTUI0WERUSXdNVEl4TnpJek1EZ3pNbG9YRFRNd01USXhOVEl6TURnegpORm93TVRFdk1DMEdBMVVFQXhNbWEzSjFhWE5sTFhkbFltaHZiMnN0YzJWeWRtbGpaUzVyZFdKbExYTjVjM1JsCmJTNXpkbU13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRQzRBSVZ6NFd2UUNDWU0KblJvK1o5RVJtOTVhRXFqZjUxWFF1Mzc1REQxQVRCWjJqODIvQlM0SnFNVkp1V090OVNJeFFNOVpvTjhFWGNaUAp4a3B3ZFN5S2FaMUp4UkxaWUtjWXRLTngwU3MrQ2xoQ2hPVzR0WXYwcjZKQ3Bwa1ZUeituVm5odndJWHIyZVE2CmpldG9rUHoxbjJBc2E0LytRc2JHWG9ESTRObGxVOW1ZTlN3eXczYW1LeTF1YThUYTBHOUtpaWovNUdNQi9ybk0KTFIveGZOYmhqMjk3dUs0dlV4WEFIYlVVOUorNzVEaEZ5d25LT1Ftb1g4OFBOM2ltVzk3ZXAwV2t3dlQ3SVFIRApuUXlMZ2NFRXRDUnMwWjlnL1dDZWxtWndUTXFDcnpTRnRKR01qUXlDRC9zcy9oQklVNjN0clhqMyt2bCsxaG5lClR1UVYrZVBqQWdNQkFBR2paVEJqTUE0R0ExVWREd0VCL3dRRUF3SUZvREFUQmdOVkhTVUVEREFLQmdnckJnRUYKQlFjREFUQThCZ05WSFJFRU5UQXpnZ2xzYjJOaGJHaHZjM1NDSm10eWRXbHpaUzEzWldKb2IyOXJMWE5sY25acApZMlV1YTNWaVpTMXplWE4wWlcwdWMzWmpNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJBUUFob1NBaUVtTG1hMFk4CjEwK29pMllZT1lHazZveWdzY3VpSVhlTjBsdi9QMlpnMmpTQmVDMXUxVFJEMXlBZ0xjMGgzVnp6MjJhc255aUgKd1NVaVdXRmN4T1ZOelFIRmZzekFzYzV1R0tQSVhaQlBJWTM3bHFNUmdpRlZPTzF6QWcwOVJUZEc3N0lsMGFueQpKdlZINGVaQ1QzZWNMdmxORGtGSWo4R2JhcDBxQmp0aG16dTJqbE5rcndVbUsweFg5TFJ1VDhDZFZhZ0xKZVpwCm8yTWt4eEE3YWQyRXBpL3hHWlRUWDNDYkhXZCtZUDVzOW5GZjhOaWtYbFRMbXlBejV1T1U0UGtyVGdUNmZVeUcKRmg3bzRqbjZoM3grdVM3QmFUU1p4eGJhSDNxYmhhNW4zTHZnTWt5R1M1Mm54M3NpWkQ2eVVFViszR0ZoZzVtWQpjMHkyUyt3TwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
kind: Secret
metadata:
creationTimestamp: "2020-12-15T08:52:42Z"
name: kruise-webhook-certs
namespace: kube-system
resourceVersion: "1014156"
selfLink: /api/v1/namespaces/kube-system/secrets/kruise-webhook-certs
uid: 4417d957-d746-4b61-9b24-2c2c0e4c700b
type: Opaque |
|
@alandtsang Are you sure that the |
The Do you need |
|
@alandtsang I find these labels in Is there any components in your cluster will modify the kruise configurations? |
OpenKruise is installed through apply yaml, and there is no component to modify the configuration of OpenKruise. |
I installed Kruise by Helm install without any modification. I suspect it is caused by the dynamic CA and accidental problem of apiserver, so could kruise open a static CA file feature for use? |
|
The problem came up again last night and It's the third time this month. |
|
Hi @peacocktrain @alandtsang , Kruise v0.8.0 has released https://github.com/openkruise/kruise/releases/tag/v0.8.0 , and it has optimized the secret generation and synchronization. Would you please upgrade to the latest version and check if the problem still exists? If so, I will make static CA as an option in v0.8.1 to solve this. Install/upgrade doc: https://openkruise.io/en-us/docs/installation.html Thanks. |
OK,I will upgrade to 0.8, but static CA may be available。“Sync Webhook certs“ in logs are too frequent |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What happened:
Internal error occurred: failed calling webhook \"mcloneset.kb.io\": Post https://kruise-webhook-service.kruise-system.svc:443/mutate-apps-kruise-io-v1alpha1-cloneset?timeout=30s: x509: certificate signed by unknown authority (possibly because of \"crypto/rsa: verification error\" while trying to verify candidate authority certificate \"webhook-cert-ca\"
这个错误会持续十几分钟然后自动消失。
How to reconstruct:
运行一段时间之后偶现,可能跟apiserver超时或者换主有关
How to reproduce it (as minimally and precisely as possible):
重启 kruise master
Environment:
kubectl version): 1.18cat /etc/os-release): CentOS7uname -a): 4.19The text was updated successfully, but these errors were encountered: