Timeout when validating admission webhook unreachable #896
Comments
|
Hi, I would like to be sure that the problem does not come from the validation webhook which is supposed to do some sanity check on the request. Please could you:
And then try again ? Thank you |
|
After deleting it, the resource was created successfully. Here is the yaml, maybe it can help with debugging: apiVersion: v1
items:
- apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
creationTimestamp: 2019-05-21T06:29:29Z
generation: 1
name: validating-webhook-configuration
resourceVersion: "416167"
selfLink: /apis/admissionregistration.k8s.io/v1beta1/validatingwebhookconfigurations/validating-webhook-configuration
uid: c9db79f4-7b91-11e9-8da9-0271e0db6b8e
webhooks:
- clientConfig:
caBundle: SENSITIVE
service:
name: elastic-webhook-service
namespace: elastic-system
path: /validate-elasticsearches
failurePolicy: Fail
name: validation.elasticsearch.elastic.co
namespaceSelector:
matchExpressions:
- key: control-plane
operator: DoesNotExist
rules:
- apiGroups:
- elasticsearch.k8s.elastic.co
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- elasticsearches
sideEffects: Unknown
- clientConfig:
caBundle: SENSITIVE
service:
name: elastic-webhook-service
namespace: elastic-system
path: /validate-enterpriselicenses
failurePolicy: Fail
name: validation.license.elastic.co
namespaceSelector:
matchExpressions:
- key: control-plane
operator: DoesNotExist
rules:
- apiGroups:
- elasticsearch.k8s.elastic.co
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- enterpriselicenses
sideEffects: Unknown
kind: List
metadata:
resourceVersion: ""
selfLink: "" |
|
Fyi I just tried this again on a new cluster, same issues. Here are the startup logs: Deleting the |
|
Thanks for the update. I'm investigating an issue that seems to be specific to the Amazon environment. |
|
The webhook can be disabled permanently by specifying |
|
Also seen this issue running in GKE. Removing the ValidatingWebhookConfiguration allowed me to apply the demo Elasticsearch yaml. Happy to help if you need any diagnostics. |
trotro
added a commit
to trotro/cloud-on-k8s
that referenced
this issue
Jun 21, 2019
Replacing ```all``` by ```global,namespace``` in the operator stateful set spec solves the issue elastic#896
|
Sorry for this late answer. I did some successful tests on Amazon EKS.
It is described as a "Recommended inbound traffic" by Amazon and it could cause this kind of issue by preventing communication from the control plane to the HTTPS server which implements the Validating Webhook. |
|
I had the same issue, and opening the port 443 from the control plane to the worker nodes solved it. |
sebgl
added a commit
to sebgl/cloud-on-k8s
that referenced
this issue
Jul 8, 2019
EKS users must explicitly enable communication from the k8s control plane and nodes port 443 in order for the control plane to reach the validating webhook. Should help with elastic#896.
sebgl
added a commit
that referenced
this issue
Jul 9, 2019
EKS users must explicitly enable communication from the k8s control plane and nodes port 443 in order for the control plane to reach the validating webhook. Should help with #896.
|
Closing this as a solution has been identified. Please reopen if needed. |
sebgl
added a commit
that referenced
this issue
Jul 12, 2019
* Support for APM server configuration (#1181) * Add a config section to the APM server configuration * APM: Add support for keystore * Factorize ElasticsearchAuthSettings * Update dev setup doc + fix GKE bootstrap script (#1203) * Update dev setup doc + fix GKE bootstrap script * Update wording of container registry authentication * Ensure disks removal after removing cluster in GKE (#1163) * Update gke-cluster.sh * Implement cleanup for unused disks in GCP * Update Makefile * Update CI jobs to do proper cleanup * Normalize the raw config when creating canonical configs (#1208) This aims at counteracting the difference between JSON centric serialization and the use of YAML as the serialization format in canonical config. If not normalizing numeric values like 1 will differ when comparing configs as JSON deserializes integer numbers to float64 and YAML to uint64. * Homogenize logs (#1168) * Don't run tests if only docs are changed (#1216) * Update Jenkinsfile * Simplify notOnlyDocs() * Update Jenkinsfile * Push snapshot ECK release on successful PR build (#1184) * Update makefile's to support snapshots * Add snapshot releases to Jenkins pipelines * Cleanup * Rename RELEASE to USE_ELASTIC_DOCKER_REGISTRY * Update Jenkinsfile * Add a note on EKS inbound traffic & validating webhook (#1211) EKS users must explicitly enable communication from the k8s control plane and nodes port 443 in order for the control plane to reach the validating webhook. Should help with #896. * Update PodSpec with Hostname from PVC when re-using (#1204) * Bind the Debug HTTP server to localhost by default (#1220) * Run e2e tests against custom Docker image (#1135) * Add implementation * Update makefile's * Update Makefile * Rename Jenkisnfile * Fix review comments * Update e2e-custom.yml * Update e2e-custom.yml * Return deploy-all-in-one to normal * Delete GKE cluster only if changes not in docs (#1223) * Add operator version to resources (#1224) * Warn if unsupported distribution (#1228) The operator only works with the official ES distributions to enable the security available with the basic (free), gold and platinum licenses in order to ensure that all clusters launched are secured by default. A check is done in the prepare-fs script by looking at the existence of the Elastic License. If not present, the script exit with a custom exit code. Then the ES reconcilation loop sends an event of type warning if it detects that a prepare-fs init container terminated with this exit code. * Document Elasticsearch update strategy change budget & groups (#1210) Add documentation for the `updateStrategy` section of the Elasticsearch spec. It documents how (and why) `changeBudget` and `groups` are used by ECK, and how both settings can be specified by the user.
|
Just chiming in to say I experienced this only when attempting to add automated snapshots. When attempting to add the secureSettings to elasticsearch. The error was: Following the above advice of deleting the |
|
Hi, I saw that this issue was referenced in the documentation and I just want to dump how and why I got it and how we solved it to help other people.
You can find more info here: |
thbkrkr
changed the title
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Bug Report
What did you do?
Follow your Quickstart guide: https://www.elastic.co/guide/en/cloud-on-k8s/current/index.html
During the second step when applying the
Elasticsearchresource definition, a timeout occurs and the resource is never created:What did you expect to see?
Creation of the
ElasticsearchresourceWhat did you see instead? Under which circumstances?
Timeout, always.
Environment
eck 0.8.0
Running on EKS
No relevant logs in operator, last message was:
The text was updated successfully, but these errors were encountered: