
RKE2 with Cilium and Hetzner CNI - Can't access container logs via Rancher UI #5163

Closed
NILAXY opened this issue Dec 26, 2023 · 21 comments

NILAXY commented Dec 26, 2023

Environmental Info:
RKE2 Version:
v1.27.8+rke2r1

Rancher Version:
v2.8.0

Node(s) CPU architecture, OS, and Version:
ARM, Debian 12

Cluster Configuration:
2 worker and 1 master

Describe the bug:
Can't view logs of pods over UI

socket.js:106 WebSocket connection to 'wss://****.com/k8s/clusters/c-m-tfdwn25h/api/v1/namespaces/kube-system/pods/rke2-ingress-nginx-controller-dzsgb/log?previous=false&follow=true&timestamps=true&pretty=true&container=rke2-ingress-nginx-controller&sockId=8' failed

Response:

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {
    
  },
  "status": "Failure",
  "message": "Get \"https://10.0.0.5:10250/containerLogs/kube-system/rke2-ingress-nginx-controller-dzsgb/rke2-ingress-nginx-controller?follow=true&timestamps=true\": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, 49.12.216.49, not 10.0.0.5",
  "code": 500
}

Steps To Reproduce:
Create a new RKE2 cluster in the Rancher UI with Cilium and the external cloud provider for Hetzner Cloud (https://github.com/hetznercloud/hcloud-cloud-controller-manager), run any container image in a pod or deployment, and try to view the container logs via the UI.

@manuelbuil (Contributor)

49.12.216.49 is the externalIP of the node and 10.0.0.5 is the internalIP?

@NILAXY (Author) commented Jan 2, 2024

> 49.12.216.49 is the externalIP of the node and 10.0.0.5 is the internalIP?

Yes

@manuelbuil (Contributor)

rke2-agent requests a certificate for kubelet and in that process, it passes the external and the internalIP. Then it receives a certificate which is used by Kubelet. It seems that in your case, the InternalIP was not passed at all.

Could you check in the 10.0.0.5 node what is the output of sudo openssl x509 -text -noout -in /var/lib/rancher/rke2/agent/serving-kubelet.crt?

Could you get me the output of kubectl get nodes $NODE -o yaml where $NODE is the one with IP: 10.0.0.5?

@brandond (Member) commented Jan 2, 2024

I've seen this issue in the past, where the hetzner cloud provider sets node IPs that the kubelet was not aware of, so that the kubelet cert's IPs don't match the node IPs. As @manuelbuil noted, you need to tell k3s what IPs to use so that the cert has the correct attributes.

@NILAXY (Author) commented Jan 3, 2024

> rke2-agent requests a certificate for kubelet and in that process, it passes the external and the internalIP. Then it receives a certificate which is used by Kubelet. It seems that in your case, the InternalIP was not passed at all.
>
> Could you check in the 10.0.0.5 node what is the output of sudo openssl x509 -text -noout -in /var/lib/rancher/rke2/agent/serving-kubelet.crt?
>
> Could you get me the output of kubectl get nodes $NODE -o yaml where $NODE is the one with IP: 10.0.0.5?

root@ec1-fsn1-cax-21-worker-51522148-4d5fl:/# sudo openssl x509 -text -noout -in /var/lib/rancher/rke2/agent/serving-kubelet.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7061956830414252938 (0x62011c5247fc2b8a)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = rke2-server-ca@1703608475
        Validity
            Not Before: Dec 26 16:34:35 2023 GMT
            Not After : Dec 26 16:48:01 2024 GMT
        Subject: CN = ec1-fsn1-cax-21-worker-51522148-4d5fl
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:98:24:27:16:6b:c7:5f:14:ef:1e:72:9a:09:7d:
                    c1:f3:30:fd:9a:d0:42:35:69:42:6d:0f:16:c9:6a:
                    28:58:08:7a:d3:ae:65:ac:68:a5:e1:cf:e1:21:00:
                    43:91:6f:b6:dc:13:31:c8:84:d3:ac:0e:56:40:ad:
                    e6:fd:a7:47:bf
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Authority Key Identifier: 
                A9:56:04:5F:BD:41:0D:37:04:2D:F4:A8:F8:ED:D1:E1:95:84:AA:72
            X509v3 Subject Alternative Name: 
                DNS:ec1-fsn1-cax-21-worker-51522148-4d5fl, DNS:localhost, IP Address:127.0.0.1, IP Address:49.12.216.49
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:45:02:20:51:7c:43:0f:9d:e2:e8:87:f5:87:13:98:1f:d4:
        a7:8e:8b:77:21:a1:ec:cd:43:d3:65:e2:aa:d2:f5:0f:7c:d8:
        02:21:00:d1:8e:e1:ac:47:31:6d:3a:70:81:b8:82:5c:b2:8c:
        aa:fe:d4:70:c2:0b:d5:46:f0:5a:6b:70:09:a7:da:2c:89
root@ec1-fsn1-cax-21-worker-51522148-4d5fl:/# kubectl get nodes $NODE -o yaml
apiVersion: v1
items:
- apiVersion: v1
  kind: Node
  metadata:
    annotations:
      alpha.kubernetes.io/provided-node-ip: 49.12.216.49
      cluster.x-k8s.io/cluster-name: ec1
      cluster.x-k8s.io/cluster-namespace: fleet-default
      cluster.x-k8s.io/labels-from-machine: ""
      cluster.x-k8s.io/machine: ec1-fsn1-cax-21-worker-7f95b5df77x89hln-967hj
      cluster.x-k8s.io/owner-kind: MachineSet
      cluster.x-k8s.io/owner-name: ec1-fsn1-cax-21-worker-7f95b5df77x89hln
      management.cattle.io/pod-limits: '{"cpu":"3","memory":"4492Mi"}'
      management.cattle.io/pod-requests: '{"cpu":"2125m","memory":"1662Mi","pods":"26"}'
      node.alpha.kubernetes.io/ttl: "0"
      rke2.io/node-args: '["agent","--cloud-provider-name","external","--node-label","rke.cattle.io/machine=7db06a09-658d-481f-bbf6-14821de238c0","--private-registry","/etc/rancher/rke2/registries.yaml","--protect-kernel-defaults","false","--server","https://10.0.0.2:9345","--token","********"]'
      rke2.io/node-config-hash: XSBPG3TS7ZDSKTAKPTF23NAEBKTUZI777OM2HN72XQ5YX752DVNA====
      rke2.io/node-env: '{}'
      volumes.kubernetes.io/controller-managed-attach-detach: "true"
    creationTimestamp: "2023-12-26T17:38:12Z"
    finalizers:
    - wrangler.cattle.io/node
    - wrangler.cattle.io/managed-etcd-controller
    labels:
      beta.kubernetes.io/arch: arm64
      beta.kubernetes.io/instance-type: cax21
      beta.kubernetes.io/os: linux
      failure-domain.beta.kubernetes.io/region: fsn1
      failure-domain.beta.kubernetes.io/zone: fsn1-dc14
      kubernetes.io/arch: arm64
      kubernetes.io/hostname: ec1-fsn1-cax-21-worker-51522148-4d5fl
      kubernetes.io/os: linux
      node-role.kubernetes.io/worker: "true"
      node.kubernetes.io/instance-type: cax21
      plan.upgrade.cattle.io/system-agent-upgrader: d3afd4eb884edc7a77db901446479abc45b155929a9d0ef1cb138405
      rke.cattle.io/machine: 7db06a09-658d-481f-bbf6-14821de238c0
      topology.kubernetes.io/region: fsn1
      topology.kubernetes.io/zone: fsn1-dc14
    name: ec1-fsn1-cax-21-worker-51522148-4d5fl
    resourceVersion: "4226330"
    uid: 4ad5b9a9-3364-4d6f-be5c-910c08312ef2
  spec:
    podCIDR: 10.42.2.0/24
    podCIDRs:
    - 10.42.2.0/24
    providerID: hcloud://41041718
  status:
    addresses:
    - address: 49.12.216.49
      type: ExternalIP
    - address: ec1-fsn1-cax-21-worker-51522148-4d5fl
      type: Hostname
    - address: 10.0.0.5
      type: InternalIP
    allocatable:
      cpu: "4"
      ephemeral-storage: "76305544747"
      hugepages-1Gi: "0"
      hugepages-2Mi: "0"
      hugepages-32Mi: "0"
      hugepages-64Ki: "0"
      memory: 7934516Ki
      pods: "110"
    capacity:
      cpu: "4"
      ephemeral-storage: 78439088Ki
      hugepages-1Gi: "0"
      hugepages-2Mi: "0"
      hugepages-32Mi: "0"
      hugepages-64Ki: "0"
      memory: 7934516Ki
      pods: "110"
    conditions:
    - lastHeartbeatTime: "2023-12-26T17:38:39Z"
      lastTransitionTime: "2023-12-26T17:38:39Z"
      message: Cilium is running on this node
      reason: CiliumIsUp
      status: "False"
      type: NetworkUnavailable
    - lastHeartbeatTime: "2024-01-03T13:04:43Z"
      lastTransitionTime: "2023-12-26T17:46:47Z"
      message: kubelet has sufficient memory available
      reason: KubeletHasSufficientMemory
      status: "False"
      type: MemoryPressure
    - lastHeartbeatTime: "2024-01-03T13:04:43Z"
      lastTransitionTime: "2023-12-26T17:46:47Z"
      message: kubelet has no disk pressure
      reason: KubeletHasNoDiskPressure
      status: "False"
      type: DiskPressure
    - lastHeartbeatTime: "2024-01-03T13:04:43Z"
      lastTransitionTime: "2023-12-26T17:46:47Z"
      message: kubelet has sufficient PID available
      reason: KubeletHasSufficientPID
      status: "False"
      type: PIDPressure
    - lastHeartbeatTime: "2024-01-03T13:04:43Z"
      lastTransitionTime: "2023-12-27T16:48:15Z"
      message: kubelet is posting ready status. AppArmor enabled
      reason: KubeletReady
      status: "True"
      type: Ready
    daemonEndpoints:
      kubeletEndpoint:
        Port: 10250
    nodeInfo:
      architecture: arm64
      bootID: 40a2ca48-5604-4437-9d4b-8364a54df303
      containerRuntimeVersion: containerd://1.7.7-k3s1
      kernelVersion: 6.1.0-13-arm64
      kubeProxyVersion: v1.27.8+rke2r1
      kubeletVersion: v1.27.8+rke2r1
      machineID: 12f413bc49d54f6b8124a8260374a8fc
      operatingSystem: linux
      osImage: Debian GNU/Linux 12 (bookworm)
      systemUUID: 12f413bc-49d5-4f6b-8124-a8260374a8fc
- apiVersion: v1
  kind: Node
  metadata:
    annotations:
      alpha.kubernetes.io/provided-node-ip: 159.69.249.82
      cluster.x-k8s.io/cluster-name: ec1
      cluster.x-k8s.io/cluster-namespace: fleet-default
      cluster.x-k8s.io/labels-from-machine: ""
      cluster.x-k8s.io/machine: ec1-fsn1-cax21-master-85567cb78dxpdx5w-8zl56
      cluster.x-k8s.io/owner-kind: MachineSet
      cluster.x-k8s.io/owner-name: ec1-fsn1-cax21-master-85567cb78dxpdx5w
      etcd.rke2.cattle.io/local-snapshots-timestamp: "2024-01-03T10:00:04Z"
      etcd.rke2.cattle.io/node-address: 159.69.249.82
      etcd.rke2.cattle.io/node-name: -aa7b590b
      management.cattle.io/pod-limits: '{"cpu":"100m","memory":"128Mi"}'
      management.cattle.io/pod-requests: '{"cpu":"1200m","memory":"2276Mi","pods":"16"}'
      node.alpha.kubernetes.io/ttl: "0"
      rke2.io/encryption-config-hash: reencrypt_finished-cdfdcca262bb7acde3eab6d38663ef554e0b73a5878a82a297ab8d80282e1351
      rke2.io/node-args: '["server","--agent-token","********","--cloud-provider-name","external","--cni","cilium","--disable-kube-proxy","false","--etcd-expose-metrics","false","--etcd-snapshot-retention","5","--etcd-snapshot-schedule-cron","0
        */5 * * *","--kube-controller-manager-arg","cert-dir=/var/lib/rancher/rke2/server/tls/kube-controller-manager","--kube-controller-manager-arg","secure-port=10257","--kube-controller-manager-extra-mount","/var/lib/rancher/rke2/server/tls/kube-controller-manager:/var/lib/rancher/rke2/server/tls/kube-controller-manager","--kube-scheduler-arg","cert-dir=/var/lib/rancher/rke2/server/tls/kube-scheduler","--kube-scheduler-arg","secure-port=10259","--kube-scheduler-extra-mount","/var/lib/rancher/rke2/server/tls/kube-scheduler:/var/lib/rancher/rke2/server/tls/kube-scheduler","--node-label","rke.cattle.io/machine=a600dbce-039a-40c6-b9f3-151436b3701a","--node-taint","node-role.kubernetes.io/control-plane:NoSchedule","--node-taint","node-role.kubernetes.io/etcd:NoExecute","--private-registry","/etc/rancher/rke2/registries.yaml","--protect-kernel-defaults","false","--tls-san","10.0.0.1","--tls-san","10.0.0.2","--tls-san","10.0.0.3","--tls-san","10.0.0.4","--tls-san","10.0.0.5","--tls-san","10.0.0.6","--tls-san","10.0.0.7","--tls-san","10.0.0.8","--tls-san","10.0.0.9","--tls-san","echo-cluster.com","--token","********"]'
      rke2.io/node-config-hash: D6ULORYG2VSHVEDYDX46D6QH5LIBYQMCPA7CUOB6AYWNCQHIACNQ====
      rke2.io/node-env: '{}'
      volumes.kubernetes.io/controller-managed-attach-detach: "true"
    creationTimestamp: "2023-12-26T17:42:09Z"
    finalizers:
    - wrangler.cattle.io/node
    - wrangler.cattle.io/managed-etcd-controller
    labels:
      beta.kubernetes.io/arch: arm64
      beta.kubernetes.io/instance-type: cax21
      beta.kubernetes.io/os: linux
      failure-domain.beta.kubernetes.io/region: fsn1
      failure-domain.beta.kubernetes.io/zone: fsn1-dc14
      kubernetes.io/arch: arm64
      kubernetes.io/hostname: ec1-fsn1-cax21-master-7eb9d551-rxtkm
      kubernetes.io/os: linux
      node-role.kubernetes.io/control-plane: "true"
      node-role.kubernetes.io/etcd: "true"
      node-role.kubernetes.io/master: "true"
      node.kubernetes.io/instance-type: cax21
      plan.upgrade.cattle.io/system-agent-upgrader: d3afd4eb884edc7a77db901446479abc45b155929a9d0ef1cb138405
      rke.cattle.io/machine: a600dbce-039a-40c6-b9f3-151436b3701a
      topology.kubernetes.io/region: fsn1
      topology.kubernetes.io/zone: fsn1-dc14
    name: ec1-fsn1-cax21-master-7eb9d551-rxtkm
    resourceVersion: "4226044"
    uid: f3a6acaa-f1a2-426c-9261-ee1797e227a2
  spec:
    podCIDR: 10.42.3.0/24
    podCIDRs:
    - 10.42.3.0/24
    providerID: hcloud://41041835
    taints:
    - effect: NoSchedule
      key: node-role.kubernetes.io/control-plane
    - effect: NoExecute
      key: node-role.kubernetes.io/etcd
  status:
    addresses:
    - address: 159.69.249.82
      type: ExternalIP
    - address: ec1-fsn1-cax21-master-7eb9d551-rxtkm
      type: Hostname
    - address: 10.0.0.2
      type: InternalIP
    allocatable:
      cpu: "4"
      ephemeral-storage: "76305544747"
      hugepages-1Gi: "0"
      hugepages-2Mi: "0"
      hugepages-32Mi: "0"
      hugepages-64Ki: "0"
      memory: 7934516Ki
      pods: "110"
    capacity:
      cpu: "4"
      ephemeral-storage: 78439088Ki
      hugepages-1Gi: "0"
      hugepages-2Mi: "0"
      hugepages-32Mi: "0"
      hugepages-64Ki: "0"
      memory: 7934516Ki
      pods: "110"
    conditions:
    - lastHeartbeatTime: "2023-12-26T17:42:35Z"
      lastTransitionTime: "2023-12-26T17:42:35Z"
      message: Cilium is running on this node
      reason: CiliumIsUp
      status: "False"
      type: NetworkUnavailable
    - lastHeartbeatTime: "2024-01-03T13:03:57Z"
      lastTransitionTime: "2023-12-26T17:42:09Z"
      message: kubelet has sufficient memory available
      reason: KubeletHasSufficientMemory
      status: "False"
      type: MemoryPressure
    - lastHeartbeatTime: "2024-01-03T13:03:57Z"
      lastTransitionTime: "2023-12-26T17:42:09Z"
      message: kubelet has no disk pressure
      reason: KubeletHasNoDiskPressure
      status: "False"
      type: DiskPressure
    - lastHeartbeatTime: "2024-01-03T13:03:57Z"
      lastTransitionTime: "2023-12-26T17:42:09Z"
      message: kubelet has sufficient PID available
      reason: KubeletHasSufficientPID
      status: "False"
      type: PIDPressure
    - lastHeartbeatTime: "2024-01-03T13:03:57Z"
      lastTransitionTime: "2023-12-27T17:04:40Z"
      message: kubelet is posting ready status. AppArmor enabled
      reason: KubeletReady
      status: "True"
      type: Ready
    daemonEndpoints:
      kubeletEndpoint:
        Port: 10250
    nodeInfo:
      architecture: arm64
      bootID: 74175130-5980-4625-ad97-0cf1a94e7abb
      containerRuntimeVersion: containerd://1.7.7-k3s1
      kernelVersion: 6.1.0-13-arm64
      kubeProxyVersion: v1.27.8+rke2r1
      kubeletVersion: v1.27.8+rke2r1
      machineID: e59a49adf4794ed1a1dede3a6431304a
      operatingSystem: linux
      osImage: Debian GNU/Linux 12 (bookworm)
      systemUUID: e59a49ad-f479-4ed1-a1de-de3a6431304a
kind: List
metadata:
  resourceVersion: ""

@manuelbuil (Contributor) commented Jan 3, 2024

I think @brandond has a point. In any document explaining how to deploy Kubernetes on Hetzner cloud, they add an extra flag to include the internalIP in the certificate SAN, e.g. https://community.hetzner.com/tutorials/install-kubernetes-cluster#step-33---setup-control-plane. The hetzner cloud provider must be acting a bit differently compared to other cloud providers. Could you deploy rke2 using the --tls-san flag?

@NILAXY (Author) commented Jan 3, 2024

> I think @brandond has a point. In any document explaining how to deploy Kubernetes on Hetzner cloud, they add an extra flag to include the internalIP in the certificate SAN, e.g. https://community.hetzner.com/tutorials/install-kubernetes-cluster#step-33---setup-control-plane. The hetzner cloud provider must be acting a bit differently compared to other cloud providers. Could you deploy rke2 using the --tls-san flag?

I'm already using --tls-san for this cluster, if "TLS Alternate Names" is the correct setting for the flag.

@brandond (Member) commented Jan 3, 2024

The --tls-san flag only controls the certs used by the supervisor and apiserver. What you're looking at here is the kubelet cert.

X509v3 Subject Alternative Name: 
                DNS:ec1-fsn1-cax-21-worker-51522148-4d5fl,
                DNS:localhost, 
                IP Address:127.0.0.1, 
                IP Address:49.12.216.49
  metadata:
    annotations:
      alpha.kubernetes.io/provided-node-ip: 49.12.216.49

  status:
    addresses:
    - address: 49.12.216.49
      type: ExternalIP
    - address: ec1-fsn1-cax-21-worker-51522148-4d5fl
      type: Hostname
    - address: 10.0.0.5
      type: InternalIP

The node info shows that the kubelet has detected only the node's public IP, but the hetzner cloud provider has set the private IP as the internal IP, and the public as the public. You should set the node's --node-ip and --node-external-ip to match what hetzner will use, so that the kubelet serving cert has the correct IPs in the SAN list.

@NILAXY (Author) commented Jan 3, 2024

Oh okay, and how can I do that? Shouldn't the Hetzner Cloud Controller do that for me? Or is this caused by Rancher provisioning the nodes?

@brandond (Member) commented Jan 3, 2024

You haven't configured the node IPs at all. RKE2 and the kubelet are detecting 49.12.216.49 as the primary interface address, so that is the only IP that the kubelet cert is good for. Hetzner is also aware of the 10.0.0.5 IP, and sets that as the node primary (internal) IP despite the other components not being aware of it.

@NILAXY (Author) commented Jan 4, 2024

And how can I change that? Can this be configured to be set automatically, so that after provisioning by Rancher it's ready to go?

@brandond (Member) commented Jan 4, 2024

You could try configuring the apiserver kubelet-preferred-address-types arg to prefer the external IP over the internal IP. Anything else around changing the address order set on the node would need to be done on the hetzner cloud provider side.

@NILAXY (Author) commented Jan 4, 2024

The default for --kubelet-preferred-address-types is Hostname,InternalDNS,InternalIP,ExternalDNS,ExternalIP.
Isn't this the right sequence already?

@brandond (Member) commented Jan 4, 2024

RKE2 uses a different default order than kubeadm. I would probably recommend externalip, hostname since the others may not work well with what hetzner is setting up for you.

@NILAXY (Author) commented Jan 4, 2024

I've set it to Hostname,ExternalDNS,ExternalIP,InternalDNS,InternalIP now and it seems to be working. Thanks guys! :)

@caroline-suse-rancher (Contributor)

Closing :)

@NILAXY (Author) commented Jan 16, 2024

I just noticed that some metrics are not scraped, the error message in the rke2-metrics-server is:

Failed to scrape node" err="Get \"https://10.0.0.6:10250/metrics/resource\": tls: failed to verify certificate: x509: certificate is valid for 127.0.0.1, 49.13.xx.xx, not 10.0.0.6

Can I set --kubelet-preferred-address-types for the metrics server as well?

@brandond (Member)

Yes, you should be able to do that via helm chart config.

@NILAXY (Author) commented Jan 16, 2024

Where exactly can I change the Helm chart values of the metrics server in the Rancher UI, and which value would I need to set? I can't find it when editing the cluster.

@brandond (Member)

Via the Rancher UI, you can use the User Addon section of the cluster management UI to deploy a HelmChartConfig for the rke2-metrics-server chart. Ref:

@NILAXY (Author) commented Jan 17, 2024

Added this to "Additional Manifest" in the Add-On Config, and it's working now:

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-metrics-server
  namespace: kube-system
spec:
  valuesContent: |-
    args: 
      - --kubelet-preferred-address-types=ExternalIP,InternalIP
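To make the address-order reasoning in this thread (brandond's kubelet-preferred-address-types advice and the metrics-server HelmChartConfig above) checkable offline, here is an added Python example that is not part of the issue, of RKE2 or of the Hetzner cloud controller. It pulls the SAN list out of the posted openssl output, applies a preferred-address-types order to the node's .status.addresses the way the apiserver and metrics-server pick a kubelet address, and reports whether the dialed address would pass x509 verification. The RKE2 default order it uses and the "after fix" SAN line are assumptions, labelled in the code.

```python
"""Reproduce the kubelet serving-cert SAN mismatch from this thread offline and
show which --kubelet-preferred-address-types orders avoid it."""
import ipaddress

# Constructed sample: the relevant part of `openssl x509 -text -noout -in
# /var/lib/rancher/rke2/agent/serving-kubelet.crt` as posted for the worker.
OPENSSL_TEXT_BEFORE = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:ec1-fsn1-cax-21-worker-51522148-4d5fl, DNS:localhost, IP Address:127.0.0.1, IP Address:49.12.216.49
    Signature Algorithm: ecdsa-with-SHA256
"""

# Assumption: once --node-ip/--node-external-ip are set on the agent, rke2-agent
# requests a cert that also carries the internal IP (as manuelbuil describes).
OPENSSL_TEXT_AFTER = OPENSSL_TEXT_BEFORE.replace(
    "IP Address:127.0.0.1,", "IP Address:127.0.0.1, IP Address:10.0.0.5,"
)

# Constructed sample: .status.addresses of the worker as set by the Hetzner CCM.
NODE_ADDRESSES = [
    {"address": "49.12.216.49", "type": "ExternalIP"},
    {"address": "ec1-fsn1-cax-21-worker-51522148-4d5fl", "type": "Hostname"},
    {"address": "10.0.0.5", "type": "InternalIP"},
]

# Assumption (not stated in the thread): RKE2's apiserver default order. brandond only
# says it differs from the kube default that NILAXY quotes.
RKE2_DEFAULT_ORDER = ["InternalIP", "ExternalIP", "Hostname"]
KUBE_DEFAULT_ORDER = ["Hostname", "InternalDNS", "InternalIP", "ExternalDNS", "ExternalIP"]
NILAXY_ORDER = ["Hostname", "ExternalDNS", "ExternalIP", "InternalDNS", "InternalIP"]
METRICS_SERVER_ORDER = ["ExternalIP", "InternalIP"]  # from the HelmChartConfig above


def parse_san_line(san_line):
    """Parse 'DNS:a, IP Address:1.2.3.4, ...' into separate DNS and IP sets."""
    dns, ips = set(), set()
    for entry in san_line.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value))
    return dns, ips


def parse_san_from_openssl_text(text):
    """Return ({dns names}, {ip addresses}) from the SAN extension in openssl -text output."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            return parse_san_line(lines[i + 1])
    return set(), set()


def san_covers(dns, ips, host):
    """True if a TLS client verifying against this SAN list would accept `host`."""
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        # A DNS name. Wildcard SANs are not handled; the kubelet cert has none.
        return host.lower() in dns


def pick_address(addresses, preferred_types):
    """Mimic the apiserver/metrics-server: the first node address whose type appears
    earliest in the preferred list. Types are compared exactly as they appear in
    node status (e.g. 'InternalIP')."""
    by_type = {}
    for a in addresses:
        by_type.setdefault(a["type"], a["address"])  # first address of each type wins
    for t in preferred_types:
        if t in by_type:
            return t, by_type[t]
    return None, None


def check_order(preferred_types, openssl_text=OPENSSL_TEXT_BEFORE, addresses=NODE_ADDRESSES):
    """Return (chosen type, dialed address, would TLS verification succeed)."""
    dns, ips = parse_san_from_openssl_text(openssl_text)
    addr_type, addr = pick_address(addresses, preferred_types)
    if addr is None:
        return None, None, False
    return addr_type, addr, san_covers(dns, ips, addr)


if __name__ == "__main__":
    for label, text in (("cert as posted", OPENSSL_TEXT_BEFORE),
                        ("cert after node-ip fix (assumed)", OPENSSL_TEXT_AFTER)):
        print(f"== {label}")
        for name, order in (("rke2 default (assumed)", RKE2_DEFAULT_ORDER),
                            ("kube default", KUBE_DEFAULT_ORDER),
                            ("NILAXY's working order", NILAXY_ORDER),
                            ("metrics-server HelmChartConfig", METRICS_SERVER_ORDER)):
            t, addr, ok = check_order(order, text)
            print(f"{name:32} dials {t}={addr}: {'ok' if ok else 'x509 mismatch'}")
```

The Hostname-first orders only pass if the apiserver can resolve the node hostname; the check above only looks at the SAN list, not at DNS.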
