k8s-bigip-ctlr icon indicating copy to clipboard operation
k8s-bigip-ctlr copied to clipboard
verified publisher icon F5Networks

Repeated error in CIS container logs: Service default/k8s-sigs.io-nfs-subdir-external-provisioner doesn't exist

Open s-archer opened this issue 3 years ago • 6 comments

Setup Details

CIS Version : 2.7.1
Build: f5networks/k8s-bigip-ctlr:latest
BIGIP Version: Big IP 16.0.1
AS3 Version: 3.x
Agent Mode: AS3 Orchestration: K8S
Orchestration Version:
Pool Mode: Cluster
Additional Setup details: two node cluster, kvm, flannel, big-ip with vxlan tunnel

Description

Repeated error in CIS container logs, not sure if this is just cosmetic:

2022/01/25 19:44:57 [INFO] Service default/k8s-sigs.io-nfs-subdir-external-provisioner doesn't exist

I suspect this is the result of a typo as my NFS provisioner is correctly named as follows (and as documented here):

- name: PROVISIONER_NAME 
  value: k8s-sigs.io/nfs-subdir-external-provisioner

Note the difference of hyphen (-) vs slash (/):

...k8s-sigs.io-nfs-subdir...
...k8s-sigs.io/nfs-subdir...

I also see the following messages repeatedly:

2022/01/25 19:51:54 [ERROR] Error reporting telemetry data :telemetry request to teem server failed with:
            {"errors":
                [
                    {"id":"rrt-3062028127224551505-b-gwo1-28115-17779227-1",
                    "code":"request-limit",
                    "code2":"",
                    "message":"Requests exceed the allowable amount"}

Steps To Reproduce

I'm not sure which elements of my configuration are relevant. I have deployed/redployed CIS with helm (see below) and consistently see the error.

  1. Deploy CIS with helm
bigip_login_secret: f5-bigip-ctlr-login
rbac:
  create: true
serviceAccount:
  create: true
  name:
ingressClass:
  create: true
  ingressClassName: f5
  defaultController: true
namespace: kube-system
args:
  bigip_url: 192.168.5.11
  bigip_partition: k8s
  flannel_name: flannel-vxlan
  default_ingress_ip: 192.168.1.12
  pool_member_type: cluster
  insecure: true
  custom-resource-mode: true
image:
  user: f5networks
  repo: k8s-bigip-ctlr
  pullPolicy: Always
version: latest

Feel free to contact me internally for more information.

Additional note:

After deploying helm chart, I had to manually edit the f5-cis-helm-f5-bigip-ctlr clusterrole to correct this

- apiGroups:
  - cis.f5.com
  resources:
  - virtualservers
  - tlsprofiles
  - transportservers
  - externaldnss  # typo here
  - ingresslinks
  - virtualservers/status
  - ingresslinks/status
                   # policies missing here

to this:

- apiGroups:
  - cis.f5.com
  resources:
  - virtualservers
  - tlsprofiles
  - transportservers
  - externaldnses
  - ingresslinks
  - virtualservers/status
  - ingresslinks/status
  - policies

s-archer avatar Jan 25 '22 21:01 s-archer

@s-archer The error reported is for TEEM issues. Ignore the errors. we are working to fix this in 2.8.

Created CONTCNTR-3108 for internal tracking.

trinaths avatar Jan 26 '22 06:01 trinaths

Thanks Trinath. Do you refer to both errors?

Service default/k8s-sigs.io-nfs-subdir-external-provisioner doesn't exist

and

Error reporting telemetry data :telemetry request to teem server failed with

?

s-archer avatar Jan 26 '22 08:01 s-archer

Please check that service in default namespace. Its an issue with resource monitored by CIS.

Service default/k8s-sigs.io-nfs-subdir-external-provisioner doesn't exist

trinaths avatar Jan 26 '22 09:01 trinaths

@s-archer any update on this issue ?

trinaths avatar Feb 02 '22 09:02 trinaths

def seeing this in my cis logs too AKS with 2.7.1

jmcalalang avatar Feb 03 '22 03:02 jmcalalang

@jmcalalang the errors are with service unavailable. I think CIS is processing all the services in the namespaces. Can you try namespace or namespace-label level filtering with CIS ? this would make CIS to only process those required resources.

trinaths avatar Feb 03 '22 07:02 trinaths

No changes to CIS. Closing this issue.

trinaths avatar Feb 02 '23 18:02 trinaths