TLS handshake error from API server #6898
Comments
sknmi
added
bug
|
fixed with |
|
I don't think this issue should be closed. I am seeing a similar error in my log messages and require the webhook to remain enabled to facilitate the conversion to the latest api version for my resources. |
|
I agree with @levinedaniel. What is the reason to mark solution as closed with The webhook is broken. |
|
Same, Is disabling webhook an ok solution or some functionality will not work? |
|
cc @sknmi message above |
|
@Hronom reopened :) |
|
Also seeing this issue after upgrading to |
|
Saw this issue on |
|
Seeing same in 1.0.2 |
Below findings are incorrectHere is my observation. Please let me know if this is incorrect: Karpenter does not provide a ca-client bundle as we can see from here. When I look at the CRD in my cluster, I can see that it has been injected with a caBundle: I believe this is happening through ca-injector. So this means, that client config for this webhook has a ca-bundle specified but karpenter uses knative to inject certificate data into So this means that CA for CRD & Webhooks do not match and hence the error. If this is correct, then may be we can look at the possible solutions I am still not sure how CA bundle is injected in CRD and I did see at one point that the CA bundle in secret vs CRD was different. |
|
This appears to be the same issue we saw with the our defaulting / validating webhooks previously, the original issue was closed out when those webhooks were disabled by default: kubernetes-sigs/karpenter#718. I've been able to reproduce, and as with that issues there does not appear to be any actual impact to Karpenter's operation and the errors can be safely ignored. From the original issue:
@liafizan are you still running into this? The cert is injected by knative, and I've been unable to reproduce. If you're still encountering this, I'd recommend opening a separate issue. I don't think it's related to the TLS errors we're seeing here.
I'm going to mark this issue as solved for now, but let us know if any of you believe this issue is impacting Karpenter's ability to operate. |
jmdeal
added
triage/solved
|
Hello @jmdeal, After upgrading to minor 0.37.5 to enable the deleting of webhooks when deployed with ArgoCD I see two things:
|
This doesn't indicate any issue with the conversion webhook. If you're on any pre-1.0 version with the conversion webhooks, the storage version is still v1beta1. The conversion webhooks only exist on those versions to enable rollback from v1.0. Also, once you upgrade to v1, both versions will still be present on the CRD, one isn't automatically removed once all stored resources are converted. Instead, you want to look at |
|
@jmdeal thank you for your answer, I misunderstood the conversion webhook and thought is was the other way around, thanks for the clarification ! |
|
We are seeing this same behavior. Upgrade from 0.37.0 to 1.0.3 (with a minor upgrade to 0.37.3 during the upgrade process). The error seems to be innocuous, but I wanted to see if there was any impact to the core functionality of Karpenter. |
|
I have done the upgrade from 0.37.5 to 1.0.6 and still see this issue. I have enabled webhook in 0.37.5 and this error is from karpenter 1.0.6 |
|
+1 |
|
I think this issue is caused by the conversion webhook configured on the CRDs (I have had a hard time with these already with #6818). transforms: [
({ props, opts, type }) => {
if (type === "kubernetes:apiextensions.k8s.io/v1:CustomResourceDefinition") {
// Disable Karpenter conversion webhooks which was only useful when upgrading to v1 and now causes errors
props.spec.conversion = undefined;
return { props, opts };
}
return undefined;
}
] |
|
hi, I did the karpenter version upgrade from v0.33.10 to v1.0.3 following the upgrade guide, https://karpenter.sh/docs/upgrading/v1-migration/#upgrade-procedure, i was able to ignore the errors by disabling the webhook by setting following the discussions in threads, i believe these webhooks are necessary to migrate the api from v1beta1 to v1 in future release. can someone comment on this. |
|
This issue has been inactive for 7 days and is marked as "triage/solved". StaleBot will close this stale issue after 7 more days of inactivity. |
|
I would like to hear clarifications about this from developers. I still don't understand for what webhooks is used for and if I need to keep them enabled in latest version of karpenter. |
|
This issue has been inactive for 7 days and is marked as "triage/solved". StaleBot will close this stale issue after 7 more days of inactivity. |
|
One of the things I notice is that if we run a single replica of Karpenter, this error goes away. Not a recommendation, but reporting an observation if it helps the investigation. |
|
This issue has been inactive for 7 days and is marked as "triage/solved". StaleBot will close this stale issue after 7 more days of inactivity. |
|
I hope this error will be gone with update to 1.1, which should support only v1 API. |
|
This issue has been inactive for 7 days and is marked as "triage/solved". StaleBot will close this stale issue after 7 more days of inactivity. |
|
devs dead or why they are not responding? what are these webhooks, is disabling them safe? |
|
Issue exists after upgrading to Karpenter v1.1.1 , it is quite misleading and pollutes our logs. Do you'l recommend to turn off the webhook?
|
Description
Observed Behavior:
Expected Behavior:
No errors :)
Reproduction Steps (Please include YAML):
Karpenter on fargate in karpenter namespace.
These messages started to appear after upgrading to 1.0.1
Versions:
kubectl version): 1.30The text was updated successfully, but these errors were encountered: