Webhook certs generation failing due to readonly volumeMount #2347
Comments
I think it doesn't relate to

The secret starts out as empty though and is mounted at It seems to me a chicken-and-egg problem, where the folder should be read-only once the certs are generated, but writable when the certs need to be generated (initially) or rotated (at expiration).

@kreeuwijk can you clarify a bit better the issue you are having (logs aside)? In case sometimes it never reconciles, can you provide the logs of that case?

It's also weird we never hit this on CI (nor users reported it).

It is an intermittent issue, sometimes the certificates do get generated normally, even though that shouldn't be possible on a read-only filesystem. However when the issue occurs, no amount of restarting the controller pod will solve it. For some reason though, repaving the control plane (these are CAPI clusters) will result in the problem going away. If I don't perform this workaround, the only thing that works is setting the readOnly option for the volumeMount to false and running the controller once in that config, so that it can successfully store the keys in
MetalLB Version: 0.13.11
Deployment method: Charts
Main CNI: Calico
Kubernetes Version: 1.27.1
Cluster Distribution: kubeadm
Describe the bug

When deploying MetalLB on a fresh cluster, sometimes the controller pod is unable to generate the set of certificates for the webhook. The contents of `/tmp/k8s-webhook-server/serving-certs` stay empty. This eventually results in the `caBundle` not getting injected into the webhook config, and calls to the webhook result in a `x509: certificate signed by unknown authority` error.

Upon troubleshooting this, I found that the helm charts for all versions of MetalLB mount this directory as readOnly for the controller deployment:

If I shell into the controller pod and try to `touch /tmp/k8s-webhook-server/serving-certs/test.txt` I get a `Read-only file system` error. It seems obvious this prevents the certRotator from saving a set of certificates there. If I set `readOnly: false`, the certificates get generated without a problem and the webhook calls succeed normally.

It seems to be a bug in Kubernetes that sometimes the pod can still write to the volumeMount even though the volumeMount is set as readOnly. But why is `readOnly: true` used in the first place?

To Reproduce

`/tmp/k8s-webhook-server/serving-certs` location is read-only

Expected Behavior

Certificate generation works normally when the controller pod starts

Additional Context

It is unclear to me why certificate generation sometimes still succeeds, even though it shouldn't. When this happens, the rotator logs

Even though it then logs
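As an added diagnostic for the report above (not MetalLB's own code and not part of the original issue): a POSIX sh helper that reads the mount flags for the serving-certs directory from /proc/mounts instead of relying on whether a `touch` happens to fail, plus a check for whether the directory holds any certificate files. The sample /proc/mounts lines are constructed, the `tls.crt` file name in the usage comment is an assumption, and the remark about `..data` assumes the standard kubelet Secret volume layout.

```shell
#!/bin/sh
# Added diagnostic for the read-only serving-certs mount discussed in this issue.
# Not MetalLB's own code; the sample /proc/mounts lines below are constructed.
# Inside the controller pod, run:
#   mount_mode "$(cat /proc/mounts)" /tmp/k8s-webhook-server/serving-certs
#   dir_empty /tmp/k8s-webhook-server/serving-certs && echo "no certs written"

# Print "ro", "rw" or "unknown" for the mount that covers DIR ($2), using the
# longest-prefix mount point found in the /proc/mounts text passed as $1.
# Reading the mount flags shows what the kubelet actually mounted, which is
# what the report says sometimes disagrees with the readOnly setting.
mount_mode() {
  mounts="$1"
  dir="$2"
  printf '%s\n' "$mounts" | awk -v dir="$dir" '
    NF < 4 { next }              # skip blank or malformed lines
    {
      mp = $2                    # mount point; $4 holds the option list
      # the mount applies if it is exactly DIR, a parent of DIR, or the root
      if (mp == dir || index(dir, mp "/") == 1 || mp == "/") {
        if (best == "" || length(mp) > length(best)) { best = mp; opts = $4 }
      }
    }
    END {
      if (best == "") { print "unknown"; exit }
      n = split(opts, o, ",")
      for (i = 1; i <= n; i++) if (o[i] == "ro") { print "ro"; exit }
      print "rw"
    }'
}

# Succeed when DIR holds no visible entries. Dot-prefixed entries such as the
# kubelet's "..data" symlink in a Secret volume (assumed layout) are ignored on
# purpose, so an empty Secret mount still counts as "no certificates written".
dir_empty() {
  [ -d "$1" ] && [ -z "$(ls "$1")" ]
}

# Constructed /proc/mounts content resembling a pod where the Secret volume
# is mounted read-only, the situation this issue describes.
SAMPLE_MOUNTS='overlay / overlay rw,relatime,lowerdir=/a,upperdir=/b,workdir=/c 0 0
tmpfs /tmp/k8s-webhook-server/serving-certs tmpfs ro,relatime,size=65536k 0 0
tmpfs /var/run/secrets/kubernetes.io/serviceaccount tmpfs ro,relatime 0 0'

# Example run against the constructed sample:
#   mount_mode "$SAMPLE_MOUNTS" /tmp/k8s-webhook-server/serving-certs   -> ro
#   mount_mode "$SAMPLE_MOUNTS" /tmp/other                              -> rw
```

When the controller cannot write its certificates, `mount_mode` reporting `ro` confirms the mount itself is read-only (rather than a permission problem inside a writable mount), and `dir_empty` distinguishes "never generated" from "generated but not picked up by the webhook configuration".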