New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Istio sidecar injection failing with error - MountVolume.SetUp failed for volume "istiod-ca-cert" : configmap "istio-ca-root-cert" not found #22463
Comments
I'm facing the same issue. I have delete and recreated the namespace still having the same problem. |
@sonujose @mani0070 To reproduce the problem, can you share detailed instructions (e.g., the commands you use) of how you install Istio and how you deploy an example application? Meanwhile, besides the Azure Kubernetes Engine platform mentioned in the issue, do you also notice this problem on other platforms? |
I have the same issue aswell on Azure Kubernetes Engine (v 1.15.7).
Same log in istiod. Created the namespace with these commands, istio does not seems to add the configmap
|
@lei-tang Deployed Istio using the istioctl tool. Istioctl version (1.5.0) and Kubernetes cluster version (v1.15.7)
Also deployed the same Istio1.5 in two different aks clusters, and this issue was observed in only one of the cluster. The whole problem started after istiod logged this warning - Istiod pod restart fixed the issue |
I'm hitting this issue as well... created 2 random namespaces, and none of them has any configmap created. |
I found this one when I pulled the 1.5 release branch on 3/27. I went back to this commit and the ConfigMap was getting created again. |
@GregHanson that PR seems entirely unrelated. a restart of istiod also fixes that, do you think it was just "fixed" by a restart not that PR? |
confirmed restart of istiod has helped populated istio-ca-root-cert cm for my non-default namespaces. |
@howardjohn - I didn't mean this commit was the culprit - just that it must have come in to the release branch sometime after it. I hit the problem on Friday when I pulled, reverted to that commit, deleted and recreated my namespaces, and I wasn't able to reproduce |
Might fix istio#22463, was found during debugging this. istio#21669 made a change that set the stop channel to the global stop channel instead of leader election stop channel, so it doesn't stop when leader is lost. Once that is fixed we need to create new informers, or client-go will crash due to closing the same informer twice
@lei-tang I have installed istio using
run the below command : istio-1.5.1
The name space is labelled with Below is the error message |
Which means the resource of the cluster updates frequently before push all updates to the client side. |
When fails with this, the reflector will re list-watch again. @howardjohn It should not be related to resync period. |
BTW, in recent k8s, a feature called watchBookMark is introduced to mitigate |
The current implementation of the namespace controller is complicated and difficult to reason its correctness. The PR #22613 is created to simplify the implementation and may solve the bugs in this issue. With #22613, the implementation becomes very simple:
|
I have been facing this issue for a while. It was happening very regularly for me before. Moving from 2 to 1 istiod replica seems to have helped quite a bit. A restart of istiod always seems to resolve the issue. |
@rajivml @Mdirfan6 Actually this is fixed in 1.5.6, please see the release announcement |
Thanks for the update @knight42 |
Still facing the same issue in 1.5.6 |
yes we too observed it on 1.5.6 |
I also took action with istiod restart. |
Istio 1.7.2 Any workaround here? |
Same issue in 1.8.0. Looking forward to any workaround here. |
meet same issue in 1.8. |
meet same issue in 1.8.1 |
meet same issue in 1.9.0 |
meet same issue in 1.10.0 |
Same |
Also getting the same issue.. have deleted the namespace, restarted the pods, killed the pods, carried out the rollback - no luck. Also using AWS EKS, thanks. |
same issue following istio-csr getting_started.md |
I am also getting this error using EKS 1.21 with Istio 1.11.5. Everything works fine, but this error is causing concern for the developers on our platform. |
I was also getting the same error using EKS 1.21 with Istio 1.11.5. Turns out that the error was because I was trying to install istio in kube-system namespace. Installing in another namespace fixed the issue for me. I knew that Istio disabled kube-system proxy for sidecar injection but did not expect it to be a problem for running ingress-gateway pods. Interestingly, I did not have issues with EKS 1.20 and Istio 1.9.5 even for kube-system namespace. It still works if you upgrade from 1.9.5 to 1.11.5 but a fresh install does not work. I think the issue may be due to Istio 1.11.5 not creating configmap istio-ca-root-cert in kube-system. |
Same issue for me on a 4-node RasPi-4 cluster with Istio 1.13.2 |
Istio does not yet support ARM which would explain the raspberry pi one
…On Sun, Mar 20, 2022, 11:32 AM Greg ***@***.***> wrote:
Same issue for me on a 4-node RasPi-4 cluster with Istio 1.13.2
—
Reply to this email directly, view it on GitHub
<#22463 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAEYGXMH24XEX3LGC3TUIR3VA5VKDANCNFSM4LTK3Z6A>
.
Triage notifications on the go with GitHub Mobile for iOS
<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675>
or Android
<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Still seeing that kube-system does not have configmap istio-ca-root-cert created in istio 1.12.4. @abhinavgpt @howardjohn, are you aware of any related changes associated with it? |
This issue needs to be re-opened. It definitely can still occur in all versions |
This was being caused by insufficient CPU and RAM in my eks cluster. I solved by replacing the |
i seem too |
Bug Description
Istiod is not responding to new namespaces. Created a new namespace and labelled istio-injectio=enabled. I deployed one app to the namespace and the pod is stuck in init stage. Istio proxy is not able to mount configmap "istio-ca-root-cert"
Unable to mount volumes for pod "azure-vote-front-5bc759676c-7hg5t_am-dev(a45f7c3a-d546-4461-af15-c5442ae39de9)": timeout expired waiting for volumes to attach or mount for pod "am-dev"/"azure-vote-front-5bc759676c-7hg5t".
Last log from istiod -
2020-03-25T10:04:33.132573Z warn k8s.io/client-go@v0.17.2/tools/cache/reflector.go:105: watch of *v1.ConfigMap ended with: too old resource version: 2764317 (2764517)
list of unmounted volumes=[istiod-ca-cert]. list of unattached volumes=[default-token-58r9k istio-envoy podinfo istio-token istiod-ca-cert]
Warning FailedMount 3m57s (x33 over 54m) kubelet, aks-linuxpool02-21909056-vmss000000 MountVolume.SetUp failed for volume "istiod-ca-cert" : configmap "istio-ca-root-cert" not found
[ x] Configuration Infrastructure
[ ] Docs
[ ] Installation
[x ] Networking
[ ] Performance and Scalability
[ ] Policies and Telemetry
[ ] Security
[ ] Test and Release
[ ] User Experience
[x ] Developer Infrastructure
New namespace should have configmap "istio-ca-root-cert" and should deploy the app
Steps to reproduce the bug
This happened intermittently. In one of the namespace I was able to attach the proxy and once the problem started, further no namespace is working.
Version (include the output of
istioctl version --remote
andkubectl version
andhelm version
if you used Helm)Istioctl - client version: 1.5.0
kubectl - server: v1.15.7, client: v1.17.0
How was Istio installed?
istioctl
Environment where bug was observed (cloud vendor, OS, etc)
Azure Kubernetes Engine
The text was updated successfully, but these errors were encountered: