cyberark/kubeletctl

Misconfigured kubeletctl or the port config is ignored

ryuzakyl opened this issue · 6 comments

Summary

Due to a possible misconfiguration on my side of kubeletctl or perhaps another reason, the port being used to communicate with the kubelet API is not correct. The port being used (39261) is the cluster port specified in my kubeconfig file (see Environment setup section).

Steps to Reproduce

Steps to reproduce the behavior:

  1. Download the precompiled kubeletctl binary with:
$ curl -LO https://github.com/cyberark/kubeletctl/releases/download/v1.6/kubeletctl_linux_amd64 && chmod a+x ./kubeletctl_linux_amd64 && mv ./kubeletctl_linux_amd64 /usr/local/bin/kubeletctl
  2. Try to check worker node kubelet's health:
$ kubeletctl -s 172.18.0.3 healthz

👀 NOTE:
The target worker node has the IP 172.18.0.3.

Expected Results

Get the proper output from the kubelet. In this case the endpoint tested was healthz. This is the output obtained using curl instead of kubeletctl:

$ curl -k https://172.18.0.2:10250/healthz
ok

Actual Results (including error logs, if applicable)

Using the default port for kubelet (port 10250) or setting it manually both result in the wrong address being used.

With the default port:

$ kubeletctl -s 172.18.0.3 healthz
[*] Using KUBECONFIG environment variable
[*] You can ignore it by modifying the KUBECONFIG environment variable, file "~/.kube/config" or use the "-i" switch
[*] Failed to run HTTP request with error: Get "https://172.18.0.3:39261/healthz/": dial tcp 172.18.0.3:39261: connect: connection refused

$ kubeletctl -s 172.18.0.3 --port 10250 healthz
[*] Using KUBECONFIG environment variable
[*] You can ignore it by modifying the KUBECONFIG environment variable, file "~/.kube/config" or use the "-i" switch
[*] The reponse failed with status: 404
[*] Message: 404 page not found

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

Product version is the following:

$ kubeletctl version
[*] Using KUBECONFIG environment variable
[*] You can ignore it by modifying the KUBECONFIG environment variable, file "~/.kube/config" or use the "-i" switch

 _           _           _                         _  
| |         | |         | |         _          _  | | 
| |  _ _   _| |__  _____| | _____ _| |_ ____ _| |_| | 
| |_/ ) | | |  _ \| ___ | || ___ (_   _) ___|_   _) | 
|  _ (| |_| | |_) ) ____| || ____| | |( (___  | |_| | 
|_| \_)____/|____/|_____)\_)_____)  \__)____)  \__)\_)

Author: Eviatar Gerzi
Version: 1.6

Environment setup

Running on local development box:

$ uname -a
Linux <box-name> 5.0.0-32-generic #34~18.04.2-Ubuntu SMP Thu Oct 10 10:36:02 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Kubernetes version and cluster info:

$ kubectl cluster-info 
Kubernetes master is running at https://127.0.0.1:39261
KubeDNS is running at https://127.0.0.1:39261/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

Config file pointed to by the $KUBECONFIG env var:

$ cat $KUBECONFIG
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: BASE64_CERTIFICATE_AUTHORITY_DATA
    server: https://127.0.0.1:39261
  name: kind-cluster-name
contexts:
- context:
    cluster: kind-cluster-name
    user: kind-cluster-name
  name: kind-cluster-name
current-context: kind-cluster-name
kind: Config
preferences: {}
users:
- name: kind-cluster-name
  user:
    client-certificate-data: BASE64_ENCODED_CERTIFICATE_DATA
    client-key-data: BASE64_ENCODED_KEY_DATA

Additional Information

The Kubernetes flavor used for this scenario is KinD.

The extra configuration for the worker nodes is the following:

- role: worker
  kubeadmConfigPatches:
  - |
    kind: JoinConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        anonymous-auth: "true"
        authorization-mode: "AlwaysAllow"

This is mainly to allow unauthenticated requests to the kubelet API.

g3rzi commented

@ryuzakyl Thank you for the informative response!
I see the problem, I will fix it. I will update you once it is ready.

g3rzi commented

@ryuzakyl Can you try:

kubeletctl -s 172.18.0.3 -i healthz

There is the -i switch that ignores the config file.

ryuzakyl commented

I had also previously tried with the -i switch, but didn't include it on the initial bug report. I suspect the URL being queried is not the proper one and that's why I'm getting the HTTP 404.

$ kubeletctl -s 172.18.0.3 -i healthz
[*] The reponse failed with status: 404
[*] Message: 404 page not found

It would be nice to have some sort of verbose mode (-v or -vv, etc.) to know which URLs are being queried and thus have a better understanding of the kubelet API.

g3rzi commented

I see what the problem is. I debugged it, and if there are no input arguments it creates a URL like this: https://<node_ip>:10250/healthz/ instead of https://<node_ip>:10250/healthz/ (without the last /).

Can you please try a different command? Like this:

kubeletctl -s 172.18.0.3 -i pods

Does this command work?

Regarding the verbose, this is a great idea, I will add it to the TODO list.
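The trailing-slash failure described in the comment above, as an added example that is not kubeletctl's code: `buildURL` and `statusFor` are hypothetical helpers, and Go's `http.ServeMux` stands in for the kubelet's router, which in this thread answered `/healthz` but returned 404 for `/healthz/`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// buildURL joins the endpoint and optional path arguments without leaving a
// trailing slash when args is empty (hypothetical helper, not kubeletctl's).
func buildURL(host string, port int, endpoint string, args ...string) string {
	parts := []string{strings.Trim(endpoint, "/")}
	for _, a := range args {
		if a = strings.Trim(a, "/"); a != "" {
			parts = append(parts, a)
		}
	}
	return fmt.Sprintf("https://%s:%d/%s", host, port, strings.Join(parts, "/"))
}

// statusFor replays a request path against a stand-in mux that registers
// /healthz only, so /healthz/ falls through to "404 page not found".
func statusFor(path string) int {
	mux := http.NewServeMux()
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	})
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	fmt.Println(buildURL("172.18.0.3", 10250, "healthz"))
	fmt.Println(statusFor("/healthz/"), statusFor("/healthz"))
}
```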

ryuzakyl commented

It works!!! 👌

Healthcheck:

$ kubeletctl -s 172.18.0.3 -i healthz
ok

Node pods:

$ kubeletctl -s 172.18.0.3 -i pods
┌─────────────────────────────────────────────────────────┐
│                    Pods from Kubelet                    │
├───┬─────────────────────────┬─────────────┬─────────────┤
│   │ POD                     │ NAMESPACE   │ CONTAINERS  │
├───┼─────────────────────────┼─────────────┼─────────────┤
│ 1 │ kube-proxy-6jtcx        │ kube-system │ kube-proxy  │
│   │                         │             │             │
├───┼─────────────────────────┼─────────────┼─────────────┤
│ 2 │ kindnet-886fl           │ kube-system │ kindnet-cni │
│   │                         │             │             │
├───┼─────────────────────────┼─────────────┼─────────────┤
│ 3 │ coredns-74ff55c5b-r5llh │ kube-system │ coredns     │
│   │                         │             │             │
└───┴─────────────────────────┴─────────────┴─────────────┘

kubelet config:

$ kubeletctl -s 172.18.0.3 -i configz
{
  "kubeletconfig": {
    "enableServer": true,
    "staticPodPath": "/etc/kubernetes/manifests",
    "syncFrequency": "1m0s",
    "fileCheckFrequency": "20s",
    "httpCheckFrequency": "20s",
    "address": "0.0.0.0",
    "port": 10250,
    "tlsCertFile": "/var/lib/kubelet/pki/kubelet.crt",
    "tlsPrivateKeyFile": "/var/lib/kubelet/pki/kubelet.key",
    "rotateCertificates": true,
    "authentication": {
      "x509": {
        "clientCAFile": "/etc/kubernetes/pki/ca.crt"
      },
      "webhook": {
        "enabled": true,
        "cacheTTL": "2m0s"
      },
      "anonymous": {
        "enabled": true
      }
    },
    "authorization": {
      "mode": "AlwaysAllow",
      "webhook": {
        "cacheAuthorizedTTL": "5m0s",
        "cacheUnauthorizedTTL": "30s"
      }
    },
    "registryPullQPS": 5,
    "registryBurst": 10,
    "eventRecordQPS": 5,
    "eventBurst": 10,
    "enableDebuggingHandlers": true,
    "healthzPort": 10248,
    "healthzBindAddress": "127.0.0.1",
    "oomScoreAdj": -999,
    "clusterDomain": "cluster.local",
    "clusterDNS": ["10.96.0.10"],
    "streamingConnectionIdleTimeout": "4h0m0s",
    "nodeStatusUpdateFrequency": "10s",
    "nodeStatusReportFrequency": "5m0s",
    "nodeLeaseDurationSeconds": 40,
    "imageMinimumGCAge": "2m0s",
    "imageGCHighThresholdPercent": 100,
    "imageGCLowThresholdPercent": 80,
    "volumeStatsAggPeriod": "1m0s",
    "cgroupRoot": "/kubelet",
    "cgroupsPerQOS": true,
    "cgroupDriver": "cgroupfs",
    "cpuManagerPolicy": "none",
    "cpuManagerReconcilePeriod": "10s",
    "topologyManagerPolicy": "none",
    "topologyManagerScope": "container",
    "runtimeRequestTimeout": "2m0s",
    "hairpinMode": "promiscuous-bridge",
    "maxPods": 110,
    "podPidsLimit": -1,
    "resolvConf": "/etc/resolv.conf",
    "cpuCFSQuota": true,
    "cpuCFSQuotaPeriod": "100ms",
    "nodeStatusMaxImages": 50,
    "maxOpenFiles": 1000000,
    "contentType": "application/vnd.kubernetes.protobuf",
    "kubeAPIQPS": 5,
    "kubeAPIBurst": 10,
    "serializeImagePulls": true,
    "evictionHard": {
      "imagefs.available": "0%",
      "nodefs.available": "0%",
      "nodefs.inodesFree": "0%"
    },
    "evictionPressureTransitionPeriod": "5m0s",
    "enableControllerAttachDetach": true,
    "makeIPTablesUtilChains": true,
    "iptablesMasqueradeBit": 14,
    "iptablesDropBit": 15,
    "failSwapOn": false,
    "containerLogMaxSize": "10Mi",
    "containerLogMaxFiles": 5,
    "configMapAndSecretChangeDetectionStrategy": "Watch",
    "enforceNodeAllocatable": ["pods"],
    "volumePluginDir": "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/",
    "providerID": "kind://docker/tfm-k8s/tfm-k8s-worker",
    "logging": {
      "format": "text"
    },
    "enableSystemLogHandler": true,
    "shutdownGracePeriod": "0s",
    "shutdownGracePeriodCriticalPods": "0s"
  }
}
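
A check a cluster owner could run over `configz` output like the one above, as an added example that is not part of the original thread or of kubeletctl: it flags the anonymous-auth and AlwaysAllow settings that the reporter enabled on purpose for this KinD lab. The `configz` type and `auditConfigz` function are hypothetical names; the embedded JSON is a trimmed excerpt of the output posted above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// configz mirrors only the /configz fields this check reads.
type configz struct {
	K struct {
		Address string `json:"address"`
		Port    int    `json:"port"`
		AuthN   struct {
			Anonymous struct {
				Enabled bool `json:"enabled"`
			} `json:"anonymous"`
		} `json:"authentication"`
		AuthZ struct {
			Mode string `json:"mode"`
		} `json:"authorization"`
	} `json:"kubeletconfig"`
}

// Trimmed excerpt of the configz output posted in this thread.
const threadConfigz = `{"kubeletconfig":{"address":"0.0.0.0","port":10250,"authentication":
 {"anonymous":{"enabled":true}},"authorization":{"mode":"AlwaysAllow"}}}`

// auditConfigz returns one finding per setting that opens the kubelet API.
func auditConfigz(raw string) ([]string, error) {
	var c configz
	if err := json.Unmarshal([]byte(raw), &c); err != nil {
		return nil, fmt.Errorf("parse configz: %w", err)
	}
	anon, mode := c.K.AuthN.Anonymous.Enabled, c.K.AuthZ.Mode
	var findings []string
	if anon {
		findings = append(findings, "authentication.anonymous.enabled is true")
	}
	if mode == "AlwaysAllow" {
		findings = append(findings, "authorization.mode is AlwaysAllow")
	}
	if anon && mode == "AlwaysAllow" {
		findings = append(findings, fmt.Sprintf("anonymous callers are fully authorized on %s:%d", c.K.Address, c.K.Port))
	}
	return findings, nil
}

func main() {
	fmt.Println(auditConfigz(threadConfigz))
}
```

A kubelet with anonymous authentication disabled and `authorization.mode` set to `Webhook` produces no findings.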