Error: failed to start patch cert loop mutatingwebhookconfigurations.admissionregistration.k8s.io "istio-sidecar-injector" not found

9/26/2019

Getting "istio-sidecar-injector" not found error on installing istio from helm chart.

NAME                                      READY     STATUS             RESTARTS   AGE
certmanager-b8dc8f99c-bw52l               1/1       Running            0          2m
istio-citadel-5cf47dbf7c-2brk9            1/1       Running            0          2m
istio-galley-7898b587db-n44z9             1/1       Running            0          2m
istio-ingressgateway-5d88688454-wrxsr     2/2       Running            0          2m
istio-init-crd-10-5rkt6                   0/1       Completed          0          2m
istio-init-crd-11-pg447                   0/1       Completed          0          2m
istio-init-crd-12-mxrhz                   0/1       Completed          0          2m
istio-pilot-57b48b77bf-nbjtv              2/2       Running            0          2m
istio-policy-769664fcf7-59v2n             2/2       Running            0          2m
istio-sidecar-injector-677bd5ccc5-ckql5   0/1       CrashLoopBackOff   4          2m
istio-telemetry-f5798dbb7-z6dvz           2/2       Running            1          2m
prometheus-776fdf7479-psrf5               1/1       Running            0          2m

Describe Pod:

Name:               istio-sidecar-injector-677bd5ccc5-v4shl
Namespace:          istio-system
Priority:           0
PriorityClassName:  <none>
Node:               aks-agentpool-17141372-2/10.240.0.66
Start Time:         Thu, 26 Sep 2019 14:53:55 -0400
Labels:             app=sidecarInjectorWebhook
            chart=sidecarInjectorWebhook
            heritage=Tiller
            istio=sidecar-injector
            pod-template-hash=677bd5ccc5
            release=istio
Annotations:        sidecar.istio.io/inject=false
Status:             Running
IP:                 10.240.0.93
Controlled By:      ReplicaSet/istio-sidecar-injector-677bd5ccc5
Containers:
  sidecar-injector-webhook:
    Container ID:  docker://e5c96af389797e7a0488cf0dac180ff3494fe8602c2cd7a50080e8a848be207a
    Image:         docker.io/istio/sidecar_injector:1.2.5
    Image ID:      docker-pullable://istio/sidecar_injector@sha256:6c281139337df6e2f96f3d883e5dc2a75cb6234986ae4f1cd3f9f324112b46eb
    Port:          <none>
    Host Port:     <none>
    Args:
      --caCertFile=/etc/istio/certs/root-cert.pem
      --tlsCertFile=/etc/istio/certs/cert-chain.pem
      --tlsKeyFile=/etc/istio/certs/key.pem
      --injectConfig=/etc/istio/inject/config
      --meshConfig=/etc/istio/config/mesh
      --healthCheckInterval=2s
      --healthCheckFile=/health
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    255
      Started:      Thu, 26 Sep 2019 14:55:32 -0400
      Finished:     Thu, 26 Sep 2019 14:55:32 -0400
    Ready:          False
    Restart Count:  4
    Requests:
      cpu:        10m
    Liveness:     exec [/usr/local/bin/sidecar-injector probe --probe-path=/health --interval=4s] delay=4s timeout=1s period=4s #success=1 #failure=3
    Readiness:    exec [/usr/local/bin/sidecar-injector probe --probe-path=/health --interval=4s] delay=4s timeout=1s period=4s #success=1 #failure=3
    Environment:  <none>
    Mounts:
      /etc/istio/certs from certs (ro)
      /etc/istio/config from config-volume (ro)
      /etc/istio/inject from inject-config (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from istio-sidecar-injector-service-account-token-nxc4z (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             False
  ContainersReady   False
  PodScheduled      True
Volumes:
  config-volume:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      istio
    Optional:  false
  certs:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  istio.istio-sidecar-injector-service-account
    Optional:    false
  inject-config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      istio-sidecar-injector
    Optional:  false
  istio-sidecar-injector-service-account-token-nxc4z:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  istio-sidecar-injector-service-account-token-nxc4z
    Optional:    false
QoS Class:       Burstable
Node-Selectors:  <none>
Tolerations:     node.kubernetes.io/not-ready:NoExecute for 300s
         node.kubernetes.io/unreachable:NoExecute for 300s
Events:
  Type     Reason     Age               From                               Message
  ----     ------     ----              ----                               -------
  Normal   Scheduled  2m                default-scheduler                  Successfully assigned istio-system/istio-sidecar-injector-677bd5ccc5-v4shl to aks-agentpool-17141372-2
  Warning  BackOff    1m (x10 over 2m)  kubelet, aks-agentpool-17141372-2  Back-off restarting failed container
  Normal   Pulled     1m (x5 over 2m)   kubelet, aks-agentpool-17141372-2  Container image "docker.io/istio/sidecar_injector:1.2.5" already present on machine
  Normal   Created    1m (x5 over 2m)   kubelet, aks-agentpool-17141372-2  Created container sidecar-injector-webhook
  Normal   Started    1m (x5 over 2m)   kubelet, aks-agentpool-17141372-2  Started container sidecar-injector-webhook

istio version: v1.2.5

How was Istio installed?: Helm chart

Logs:

Error: failed to start patch cert loop mutatingwebhookconfigurations.admissionregistration.k8s.io "istio-sidecar-injector" not found

I don't know what's causing above error.

-- Ronak Patel
azure-aks
istio
kubernetes
kubernetes-helm

1 Answer

9/27/2019

CrashLoopBackOff state means that the pod is starting and crashing in loop.

So, try to investigate logs of istio-sidecar-injector-677bd5ccc5-ckql5 pod

Issue #6553

Also, try these tips from Issue #6553: istio- Sidecar injector fails to start - CrashLoopBackOff:

About sidecar-injector

Kubernetes webhook for automatic Istio sidecar injection.

-- Yasen
Source: StackOverflow