Skip to content

Upgrade fails on application of CRs from 0.7.1 to 0.8 #5633

Closed
Closed
Upgrade fails on application of CRs from 0.7.1 to 0.8#5633
Assignees
sdake
Labels
area/environments
@sdake

Description

@sdake
sdake
opened on May 16, 2018

to reproduce (kubernetes 1.10.2 + metallb 0.3.1 configured with /31 network on baremetal):

curl -L https://github.com/istio/istio/releases/download/0.7.1/istio-0.7.1-linux.tar.gz > istio-0.7.1.tar.gz
tar -xzvf istio-0.7.1.tar.gz
cd istio-0.7.1
sudo cp bin/istioctl /usr/bin
kubectl apply -f install/kubernetes/istio.yaml
istioctl kube-inject -f samples/bookinfo/kube/bookinfo.yaml > bi.yaml
kubectl apply -f bi.yaml
cd ..
cd istio-release-0.8-20180515-17-26
kubectl apply -f install/kubernetes/istio.yaml

Results:
mixer-create-crd job fails spews bunch of failures:

sdake@falkor-07:~/istio-release-0.8-20180515-17-26$ kubectl get pods -n istio-system
NAME                                       READY     STATUS    RESTARTS   AGE
istio-ca-75fb7dc8d5-j6f9p                  1/1       Running   0          22m
istio-citadel-7f6fb4c4fd-xjskl             1/1       Running   0          17m
istio-egressgateway-7895494878-pj8d9       1/1       Running   0          17m
istio-ingress-975dff44d-rgp7l              1/1       Running   0          17m
istio-ingressgateway-7d4b79cb7b-wtsvv      1/1       Running   0          17m
istio-mixer-859796c6bf-vg2vx               3/3       Running   0          22m
istio-mixer-create-cr-24kgs                0/1       Error     0          5m
istio-mixer-create-cr-26h6m                0/1       Error     0          4m
istio-mixer-create-cr-28vg5                0/1       Error     0          14m
istio-mixer-create-cr-2gpjw                0/1       Error     0          10m
istio-mixer-create-cr-2q4cd                0/1       Error     0          13m
istio-mixer-create-cr-4f6kw                0/1       Error     0          9m

inspecting one of these shows:

2018-05-16 12:03:07.354867 I | proto: duplicate proto type registered: google.protobuf.Any
2018-05-16 12:03:07.354965 I | proto: duplicate proto type registered: google.protobuf.Duration
2018-05-16 12:03:07.354981 I | proto: duplicate proto type registered: google.protobuf.Timestamp
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"config.istio.io/v1alpha2\",\"kind\":\"attributemanifest\",\"metadata\":{\"annotations\":{},\"name\":\"istioproxy\",\"namespace\":\"istio-system\"},\"spec\":{\"attributes\":{\"api.operation\":{\"valueType\":\"STRING\"},\"api.protocol\":{\"valueType\":\"STRING\"},\"api.service\":{\"valueType\":\"STRING\"},\"api.version\":{\"valueType\":\"STRING\"},\"connection.duration\":{\"valueType\":\"DURATION\"},\"connection.id\":{\"valueType\":\"STRING\"},\"connection.mtls\":{\"valueType\":\"BOOL\"},\"connection.received.bytes\":{\"valueType\":\"INT64\"},\"connection.received.bytes_total\":{\"valueType\":\"INT64\"},\"connection.sent.bytes\":{\"valueType\":\"INT64\"},\"connection.sent.bytes_total\":{\"valueType\":\"INT64\"},\"context.protocol\":{\"valueType\":\"STRING\"},\"context.time\":{\"valueType\":\"TIMESTAMP\"},\"context.timestamp\":{\"valueType\":\"TIMESTAMP\"},\"destination.uid\":{\"valueType\":\"STRING\"},\"origin.ip\":{\"valueType\":\"IP_ADDRESS\"},\"origin.uid\":{\"valueType\":\"STRING\"},\"origin.user\":{\"valueType\":\"STRING\"},\"request.api_key\":{\"valueType\":\"STRING\"},\"request.auth.audiences\":{\"valueType\":\"STRING\"},\"request.auth.claims\":{\"valueType\":\"STRING_MAP\"},\"request.auth.presenter\":{\"valueType\":\"STRING\"},\"request.auth.principal\":{\"valueType\":\"STRING\"},\"request.headers\":{\"valueType\":\"STRING_MAP\"},\"request.host\":{\"valueType\":\"STRING\"},\"request.id\":{\"valueType\":\"STRING\"},\"request.method\":{\"valueType\":\"STRING\"},\"request.path\":{\"valueType\":\"STRING\"},\"request.reason\":{\"valueType\":\"STRING\"},\"request.referer\":{\"valueType\":\"STRING\"},\"request.scheme\":{\"valueType\":\"STRING\"},\"request.size\":{\"valueType\":\"INT64\"},\"request.time\":{\"valueType\":\"TIMESTAMP\"},\"request.useragent\":{\"valueType\":\"STRING\"},\"response.code\":{\"valueType\":\"INT64\"},\"response.duration\":{\"valueType\":\"DURATION\"},\"response.headers\":{\"valueType\":\"STRING_MAP\"},\"response.size\":{\"valueType\":\"INT64\"},\"response.time\":{\"valueType\":\"TIMESTAMP\"},\"source.uid\":{\"valueType\":\"STRING\"},\"source.user\":{\"valueType\":\"STRING\"}}}}\n"}},"spec":{"attributes":{"request.auth.claims":{"valueType":"STRING_MAP"}}}}
to:
&{0xc4200b26c0 0xc420ab5dc0 istio-system istioproxy /tmp/mixer/custom-resources.yaml 0xc4205f86b8 0xc4205164e8 739 false}
for: "/tmp/mixer/custom-resources.yaml": attributemanifests.config.istio.io "istioproxy" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch attributemanifests.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{}}}
to:
&{0xc420814180 0xc420ab53b0 istio-system kubernetes /tmp/mixer/custom-resources.yaml 0xc42000e2d8 0xc42000e578 740 false}
for: "/tmp/mixer/custom-resources.yaml": attributemanifests.config.istio.io "kubernetes" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch attributemanifests.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{}}}
to:
&{0xc420704480 0xc420a5e5b0 istio-system handler /tmp/mixer/custom-resources.yaml 0xc4205160b8 0xc42000e7c0 741 false}
for: "/tmp/mixer/custom-resources.yaml": stdios.config.istio.io "handler" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch stdios.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{}}}
to:
&{0xc4200b2900 0xc4211c1030 istio-system accesslog /tmp/mixer/custom-resources.yaml 0xc4205f8408 0xc4205f8610 742 false}
for: "/tmp/mixer/custom-resources.yaml": logentries.config.istio.io "accesslog" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch logentries.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{}}}
to:
&{0xc420814480 0xc420a84e70 istio-system stdio /tmp/mixer/custom-resources.yaml 0xc42000e9f0 0xc420516308 743 false}
for: "/tmp/mixer/custom-resources.yaml": rules.config.istio.io "stdio" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch rules.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{}}}
to:
&{0xc4208146c0 0xc420a85f10 istio-system requestcount /tmp/mixer/custom-resources.yaml 0xc42000ebf8 0xc42000ed98 744 false}
for: "/tmp/mixer/custom-resources.yaml": metrics.config.istio.io "requestcount" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch metrics.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{}}}
to:
&{0xc4200b2cc0 0xc420a46a80 istio-system requestduration /tmp/mixer/custom-resources.yaml 0xc4205f88a8 0xc4205f8a48 746 false}
for: "/tmp/mixer/custom-resources.yaml": metrics.config.istio.io "requestduration" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch metrics.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{}}}
to:
&{0xc420704a80 0xc420a5fdc0 istio-system requestsize /tmp/mixer/custom-resources.yaml 0xc420516630 0xc4205f8c10 747 false}
for: "/tmp/mixer/custom-resources.yaml": metrics.config.istio.io "requestsize" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch metrics.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{}}}
to:
&{0xc420814b40 0xc420a55dc0 istio-system responsesize /tmp/mixer/custom-resources.yaml 0xc42000eff8 0xc42000f198 748 false}
for: "/tmp/mixer/custom-resources.yaml": metrics.config.istio.io "responsesize" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch metrics.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{}}}
to:
&{0xc420705440 0xc420824fc0 istio-system tcpbytesent /tmp/mixer/custom-resources.yaml 0xc4205168c8 0xc42000f360 749 false}
for: "/tmp/mixer/custom-resources.yaml": metrics.config.istio.io "tcpbytesent" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch metrics.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{}}}
to:
&{0xc420705c80 0xc420320540 istio-system tcpbytereceived /tmp/mixer/custom-resources.yaml 0xc420516b18 0xc420516cc8 750 false}
for: "/tmp/mixer/custom-resources.yaml": metrics.config.istio.io "tcpbytereceived" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch metrics.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{}}}
to:
&{0xc420814f00 0xc420414700 istio-system handler /tmp/mixer/custom-resources.yaml 0xc42000f898 0xc42000ff38 751 false}
for: "/tmp/mixer/custom-resources.yaml": prometheuses.config.istio.io "handler" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch prometheuses.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"config.istio.io/v1alpha2\",\"kind\":\"rule\",\"metadata\":{\"annotations\":{},\"labels\":{\"istio-protocol\":\"http\"},\"name\":\"promhttp\",\"namespace\":\"istio-system\"},\"spec\":{\"actions\":[{\"handler\":\"handler.prometheus\",\"instances\":[\"requestcount.metric\",\"requestduration.metric\",\"requestsize.metric\",\"responsesize.metric\"]}]}}\n"},"labels":{"istio-protocol":"http"}},"spec":{"match":null}}
to:
&{0xc420815080 0xc42032b340 istio-system promhttp /tmp/mixer/custom-resources.yaml 0xc4200ba450 0xc4200ba600 752 false}
for: "/tmp/mixer/custom-resources.yaml": rules.config.istio.io "promhttp" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch rules.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"config.istio.io/v1alpha2\",\"kind\":\"rule\",\"metadata\":{\"annotations\":{},\"labels\":{\"istio-protocol\":\"tcp\"},\"name\":\"promtcp\",\"namespace\":\"istio-system\"},\"spec\":{\"actions\":[{\"handler\":\"handler.prometheus\",\"instances\":[\"tcpbytesent.metric\",\"tcpbytereceived.metric\"]}]}}\n"}},"spec":{"match":null}}
to:
&{0xc420815680 0xc42007a3f0 istio-system promtcp /tmp/mixer/custom-resources.yaml 0xc4200ba920 0xc420516e98 753 false}
for: "/tmp/mixer/custom-resources.yaml": rules.config.istio.io "promtcp" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch rules.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{}}}
to:
&{0xc4208158c0 0xc420274070 istio-system handler /tmp/mixer/custom-resources.yaml 0xc4200baaf8 0xc4205170c8 754 false}
for: "/tmp/mixer/custom-resources.yaml": kubernetesenvs.config.istio.io "handler" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch kubernetesenvs.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{}}}
to:
&{0xc4200b2f00 0xc42032f500 istio-system kubeattrgenrulerule /tmp/mixer/custom-resources.yaml 0xc4205f8e60 0xc4200babf8 755 false}
for: "/tmp/mixer/custom-resources.yaml": rules.config.istio.io "kubeattrgenrulerule" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch rules.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{"kubectl.kubernetes.io/last-applied-configuration":"{\"apiVersion\":\"config.istio.io/v1alpha2\",\"kind\":\"rule\",\"metadata\":{\"annotations\":{},\"name\":\"tcpkubeattrgenrulerule\",\"namespace\":\"istio-system\"},\"spec\":{\"actions\":[{\"handler\":\"handler.kubernetesenv\",\"instances\":[\"attributes.kubernetes\"]}],\"match\":\"context.protocol == \\\"tcp\\\"\"}}\n"},"labels":null}}
to:
&{0xc4200b3080 0xc42039b1f0 istio-system tcpkubeattrgenrulerule /tmp/mixer/custom-resources.yaml 0xc4205f9050 0xc4205f91c0 756 false}
for: "/tmp/mixer/custom-resources.yaml": rules.config.istio.io "tcpkubeattrgenrulerule" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch rules.config.istio.io in the namespace "istio-system"
Error from server (Forbidden): error when applying patch:
{"metadata":{"annotations":{}}}
to:
&{0xc420815a40 0xc420a4d110 istio-system attributes /tmp/mixer/custom-resources.yaml 0xc4200bae70 0xc4200bb080 757 false}
for: "/tmp/mixer/custom-resources.yaml": kuberneteses.config.istio.io "attributes" is forbidden: User "system:serviceaccount:istio-system:istio-mixer-service-account" cannot patch kuberneteses.config.istio.io in the namespace "istio-system"```

Metadata

Metadata

Assignees

Labels

area/environments

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions