Troubleshoot Kubernetes Engine
This document summarizes major issues and solutions related to the Kubernetes Engine service.
kubectl: Namespace is forbidden
Even after completing kubectl control settings, you may encounter the following error when using kubectl commands.
Error from server (Forbidden): namespaces is forbidden: User "<user_email@example.com>" cannot list resource "namespaces" in API group "" at the cluster scope
This error occurs when the project selected during access key issuance does not match the project of the cluster you need to control.
▶️ When specifying the project during access key creation, ensure that it is the project containing the cluster to be controlled. For more details on Access key creation, refer to Get access key.
Kubelet: Nameserver limits exceeded
After creating a node pool in a Kubernetes Engine cluster, the following error appears in the kubelet log.
Nodes created through KakaoCloud's Kubernetes Engine can add up to three DNS nameserver records, and Kubernetes uses one DNS nameserver record.
If a node is already using three nameservers, a Nameserver limit exceeded error will occur.
Jul 15 16:42:22 {Node-name} kubelet[6020]: E0715 16:42:22.417041 6020 dns.go:153] "Nameserver limits exceeded" err="Nameserver limits were exceeded, some nameservers have been omitted, the applied nameserver line is: ~ ~ ~"
▶️ Check if you added nameserver records to the resolv.conf file through [Advanced Settings] > [User script] during node pool creation and adjust the number of nameserver records.
For more information on DNS server record limitations, please refer to the Kubernetes official guide.
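The nameserver count can be checked before a user script changes resolv.conf. The following Python code is an added example, not KakaoCloud or Kubernetes code: it parses resolv.conf text and separates the nameserver records that fit within the limit of three from the ones that would be omitted. The sample file contents and addresses are constructed.

```python
MAX_NAMESERVERS = 3  # limit described on this page

# Constructed sample: a node's resolv.conf after a user script appended two records.
SAMPLE_RESOLV_CONF = """\
# written by the node image (constructed)
nameserver 192.0.2.53
nameserver 192.0.2.54
search example.internal
; appended by a user script (constructed)
nameserver 198.51.100.10
nameserver 198.51.100.11
"""


def split_nameservers(resolv_conf_text, limit=MAX_NAMESERVERS):
    """Return (applied, omitted) nameserver addresses, in file order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # resolv.conf comments start with # or ;
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers[:limit], servers[limit:]


def describe(resolv_conf_text):
    """One-line summary suitable for a node pool user script log."""
    applied, omitted = split_nameservers(resolv_conf_text)
    if omitted:
        return "limit exceeded: applied %s, omitted %s" % (applied, omitted)
    return "ok: %d nameserver record(s)" % len(applied)


if __name__ == "__main__":
    print(describe(SAMPLE_RESOLV_CONF))
```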
kubectl: Please enter Username
Even after completing kubectl control settings, you may encounter the following error when using kubectl commands.
Please enter Username:
This error occurs when the cluster name set in contexts > context > cluster > user does not match the name set in users > name in the kubeconfig file.
▶️ Ensure that the cluster name set in contexts > context > cluster > user matches the name set in users > name.
kubectl: Unable to connect to the server
Even after completing kubectl control settings, you may encounter the following error when using kubectl commands.
Unable to connect to the server: getting credentials: exec: executable kic-iam-auth failed with exit code 1
User authentication uses the Access key information set in the kubeconfig file under users > user > exec > env. The error occurs when this Access key information does not match.
▶️ Refer to User Authentication Settings to reset the user authentication.
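Both this error and the "Please enter Username" error above come from the kubeconfig file, so one consistency check covers them. The following Python code is an added example, not part of KakaoCloud's tooling: it assumes the kubeconfig is available as JSON in the shape produced by `kubectl config view -o json`, and it reports contexts that reference undefined users or clusters and exec env entries that are empty. The sample data is constructed, and `EXAMPLE_KEY_ID` is a placeholder, not a real kic-iam-auth variable name.

```python
import json

# Constructed sample in the shape of `kubectl config view -o json`. All names and
# values are placeholders. The context references a user entry that does not exist.
SAMPLE = json.loads("""
{
  "clusters": [{"name": "demo-cluster", "cluster": {"server": "https://203.0.113.10"}}],
  "users": [{"name": "demo-cluster-admin",
             "user": {"exec": {"command": "kic-iam-auth",
                               "env": [{"name": "EXAMPLE_KEY_ID", "value": ""}]}}}],
  "contexts": [{"name": "demo",
                "context": {"cluster": "demo-cluster", "user": "demo-admin"}}],
  "current-context": "demo"
}
""")


def check_kubeconfig(cfg):
    """Return a list of findings; an empty list means the references line up."""
    findings = []
    clusters = {c["name"] for c in cfg.get("clusters") or []}
    users = {u["name"]: u.get("user") or {} for u in cfg.get("users") or []}
    contexts = {c["name"]: c.get("context") or {} for c in cfg.get("contexts") or []}

    current = cfg.get("current-context")
    if current not in contexts:
        findings.append(f"current-context {current!r} is not defined under contexts")

    for name, ctx in contexts.items():
        if ctx.get("cluster") not in clusters:
            findings.append(f"context {name!r}: cluster {ctx.get('cluster')!r} not in clusters")
        if ctx.get("user") not in users:
            # The mismatch behind "Please enter Username:" described above.
            findings.append(f"context {name!r}: user {ctx.get('user')!r} not in users")

    for name, user in users.items():
        # Report empty exec env entries by name only; never print the values.
        for var in (user.get("exec") or {}).get("env") or []:
            if not var.get("value"):
                findings.append(f"user {name!r}: exec env {var.get('name')!r} is empty")
    return findings


if __name__ == "__main__":
    for line in check_kubeconfig(SAMPLE) or ["kubeconfig references are consistent"]:
        print(line)
```

The check only confirms that the access key fields are present and referenced correctly; whether the key itself is valid for the cluster's project is decided by the server.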
CSI Provisioner deployment, pod
After completing the cinder-csi installation, the pod status is displayed as CrashLoopBackOff, and the following error occurs.
E0123 07:54:11.985138 1 openstack.go:102] Failed to open OpenStack configuration file: open /etc/kubernetes/cloud.conf: no such file or directory
E0123 07:54:11.985145 1 openstack.go:144] GetConfigFromFiles [/etc/kubernetes/cloud.conf] failed with error: open /etc/kubernetes/cloud.conf: no such file or directory
This error occurs because necessary parameters were not added during the helm chart installation.
▶️ Reinstall cinder-csi by adding the required parameters during the helm installation process.
# secret.enabled and secret.name are required parameters
helm install cinder-csi cpo/openstack-cinder-csi \
  --version 2.3.0 \
  --set secret.enabled=true \
  --set secret.name=cloud-config \
  --namespace kube-system
helm: kubernetes cluster unreachable
After installing helm, when executing commands through the CLI, a "Kubernetes cluster unreachable" error occurs.
Kubernetes cluster unreachable: Get "http://localhost:8080/version": dial tcp [::1]:8080: connect: connection refused
Helm needs to register the information required to connect to the Kubernetes cluster, but the error occurs because it cannot find the kubeconfig file containing the cluster information.
▶️ Register the kubeconfig.yaml file in the $KUBECONFIG environment variable, or pass it with the --kubeconfig option, as follows:
- Register the $KUBECONFIG environment variable: export KUBECONFIG="{kubeconfig path}"
- Use the --kubeconfig option: helm --kubeconfig={Download_Path/kubeconfig.yaml} list
Istio: failed to call Webhook
This error occurs when network communication between the master and worker nodes is not established while configuring Istio on Kubernetes Engine.
Error creating: Internal error occurred: failed calling webhook "namespace.sidecar-injector.istio.io": failed to call webhook: Post "https://istiod.istio-system.svc:443/inject?timeout=10s": context deadline exceeded
Master nodes are not included in the container network, so communication with https://istiod/validate (validation webhook) is not possible, leading to this error.
▶️ Add the hostNetwork: true setting to istiod to enable direct communication between the nodes.
Also, when using hostNetwork: true, explicitly set dnsPolicy: ClusterFirstWithHostNet.
kubectl edit deployment -n istio-system istiod
***
    spec:
      hostNetwork: true # added
      dnsPolicy: ClusterFirstWithHostNet
      containers:
***
dnsPolicy settings information
- dnsPolicy: Default
  Uses the settings in the node's '/etc/resolv.conf' file to handle DNS queries.
- dnsPolicy: ClusterFirst
  All DNS queries that do not match the cluster domain suffix (e.g., '.cluster.local') are forwarded to upstream DNS servers by the DNS server.
- dnsPolicy: ClusterFirstWithHostNet
  When using hostNetwork: true in a pod, you must explicitly set dnsPolicy: ClusterFirstWithHostNet.
  If a pod using hostNetwork: true is configured with dnsPolicy: ClusterFirst, it will actually operate as if using the dnsPolicy: Default policy. This setting ensures that pods running in host network mode retain cluster DNS configurations.
- dnsPolicy: None
  This policy allows the pod to ignore DNS settings in the Kubernetes environment.
  It is used for pods that require custom DNS servers.
- For more information, refer to the Kubernetes Documentation.
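The fallback rule above can be checked across workloads after the change. The following Python code is an added example, not Istio or KakaoCloud code: it assumes Deployment objects as JSON in the shape produced by `kubectl get deployments -n istio-system -o json`, computes the DNS policy each hostNetwork pod template actually gets, and lists those that lose cluster DNS. The sample data is constructed. Because hostNetwork: true also places the pod in the node's network namespace, the same report doubles as an inventory of workloads running that way.

```python
import json

# Constructed sample shaped like `kubectl get deployments -n istio-system -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "istio-system", "name": "istiod"},
   "spec": {"template": {"spec": {"hostNetwork": true, "containers": []}}}},
  {"metadata": {"namespace": "istio-system", "name": "istio-ingressgateway"},
   "spec": {"template": {"spec": {"dnsPolicy": "ClusterFirst", "containers": []}}}}
]}
""")


def effective_dns_policy(pod_spec):
    """Return the dnsPolicy the pod actually gets, per the rules listed above."""
    policy = pod_spec.get("dnsPolicy", "ClusterFirst")  # Kubernetes default when unset
    if pod_spec.get("hostNetwork") and policy == "ClusterFirst":
        return "Default"  # falls back to the node's /etc/resolv.conf
    return policy


def audit_host_network(workloads):
    """Return one record per hostNetwork workload with declared and effective policy."""
    report = []
    for item in workloads.get("items", []):
        pod_spec = item["spec"]["template"]["spec"]
        if not pod_spec.get("hostNetwork"):
            continue
        effective = effective_dns_policy(pod_spec)
        report.append({
            "workload": f'{item["metadata"]["namespace"]}/{item["metadata"]["name"]}',
            "declared": pod_spec.get("dnsPolicy", "ClusterFirst"),
            "effective": effective,
            # True only when names under the cluster domain suffix still resolve.
            "cluster_dns": effective in ("ClusterFirst", "ClusterFirstWithHostNet"),
        })
    return report


if __name__ == "__main__":
    for row in audit_host_network(SAMPLE):
        print(row)
```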