Pod add/delete operations result in "error getting ClusterInformation: connection is unauthorized: Unauthorized" #9428
Comments
I've seen other instances of this caused by:
I think the generic "connection is unauthorized: Unauthorized" error message typically means something more fundamental is wrong with the system, rather than say using an expired token or having inadequate RBAC, both of which would result in a more specialized error message. |
|
Hey @caseydavenport thanks for the response. In this system we are using NTP. Looking around the time the system started reporting the "connection is unauthorized: Unauthorized" I can see the following NTPQ info: ================================================================================== Sorry if this formatting is bad, but we do see a spike around -4.262 milliseconds offset around where the problem happens. But looking at the rest of the logs, it doesn't seem like this is an abberation from the whole. As well, this particular one is to an external NTP server via 6to4. I guess it's just a mystery to me why if we restart the calico-node pod (and in other workarounds with this similar issue) that things resolve themselves. |
|
Sounds unlikely to be time mismatch then. hard to say what else it might be - I'd probably recommend that next time this happens, take a look at the Kubernetes apiserver logs to see if it can provide an explanation for why it is rejecting the requests as Unauthorized - sometimes there is additional context in those logs. |
OS: Linux kernel v. 6.6.0-1
Kubernetes version v1.29.2
Calico version v3.28.0
Hello, I understand this issue has been raised/closed before with a potential solution in #5910. We should have this commit in our Calico 3.28.0, but have recently experienced the "connection is unauthorized: Unauthorized" in a couple of systems. The workaround as others have mentioned in other bug reports seems to be to simply restart the calico-node pod. These systems have been re-installed as well, with no re-occurance of the particular message. We retain logs from the affected / problematic systems however, which may help.
Looking at the calico-node logs, there doesn't seem to be any issue reported by the 'token watch' facility, with updates/writes of the kubeconfig file always seeming to be successful. eg:
2024-10-19T20:50:00.035673627Z stdout F 2024-10-19 20:50:00.035 [INFO][81] cni-config-monitor/token_watch.go 226: Update of CNI kubeconfig triggered based on elapsed time.
2024-10-19T20:50:00.035909968Z stdout F 2024-10-19 20:50:00.035 [INFO][81] cni-config-monitor/token_watch.go 281: Wrote updated CNI kubeconfig file. path="/host/etc/cni/net.d/calico-kubeconfig"
Expected Behavior
Ability to start/stop pods.
Current Behavior
Here's an example of what one of the error messages looks like when trying to start a pod:
2024-10-22T22:30:01.648 controller-0 kubelet[13782]: info I1022 22:30:01.648705 13782 util.go:30] "No sandbox for pod can be found. Need to start a new one" pod="kube-system/ceph-pools-audit-28827270-65l9h"
2024-10-22T22:30:02.145 controller-0 kubelet[13782]: info E1022 22:30:02.145259 13782 remote_runtime.go:193] "RunPodSandbox from runtime service failed" err="rpc error: code = Unknown desc = failed to setup network for sandbox "50242a9d9cc28594d0ef9190046f0fef6ab17a977ec922c25d28fc59f2a352b1": plugin type="multus" name="multus-cni-network" failed (add): [kube-system/ceph-pools-audit-28827270-65l9h/21fbd5d4-046f-46fe-8d40-4b7b52f5daab:chain]: error adding container to network "chain": error getting ClusterInformation: connection is unauthorized: Unauthorized"
Possible Solution
Killing/restarting the calico-node pod resolves things.
Steps to Reproduce (for bugs)
Unfortunately I don't have a reliable way to reproduce this.
The text was updated successfully, but these errors were encountered: