How Can I Debug apiserver Startup When No Logs Are Generated?

7/20/2020

I am trying to install the aws-encryption-provider following the steps at https://github.com/kubernetes-sigs/aws-encryption-provider. After I added the --encryption-provider-config=/etc/kubernetes/aws-encryption-provider-config.yaml parameter to /etc/kubernetes/manifests/kube-apiserver.yaml the apiserver process did not restart. Nor do I see any error messages.

What technique can I use to see errors created when apiserver starts?

-- David Medinets
kubernetes

1 Answer

7/20/2020

Realizing that the apiserver is running inside a docker container, I connected to one of my controller nodes using SSH. Then I started a container using the following command to get a shell prompt using the same docker image that apiserver is using.

docker run \
  -it \
  --rm \
  --entrypoint /bin/sh \
  --volume /etc/kubernetes:/etc/kubernetes:ro \
  --volume /etc/ssl/certs:/etc/ssl/certs:ro \
  --volume /etc/pki:/etc/pki:ro \
  --volume /etc/pki/ca-trust:/etc/pki/ca-trust:ro \
  --volume /etc/pki/tls:/etc/pki/tls:ro \
  --volume /etc/ssl/etcd/ssl:/etc/ssl/etcd/ssl:ro \
  --volume /etc/kubernetes/ssl:/etc/kubernetes/ssl:ro \
  --volume /var/run/kmsplugin:/var/run/kmsplugin \
  k8s.gcr.io/kube-apiserver:v1.18.5

Once inside that container, I could run the same command that is set up in kube-apiserver.yaml. This command was:

kube-apiserver \
    --encryption-provider-config=/etc/kubernetes/aws-encryption-provider-config.yaml \
    --advertise-address=10.250.203.201 \
    ...
    --service-node-port-range=30000-32767 \
    --storage-backend=etcd3

I elided the bulk of the command since you'll need to get specific values from your own kube-apiserver.yaml file.

Using this technique showed me the error message:

Error: error while parsing encryption provider configuration file 
"/etc/kubernetes/aws-encryption-provider-config.yaml": error while parsing 
file: resources[0].providers[0]: Invalid value: 
config.ProviderConfiguration{AESGCM:(*config.AESConfiguration)(nil), 
AESCBC:(*config.AESConfiguration)(nil), Secretbox:(*config.SecretboxConfiguration)
(nil), Identity:(*config.IdentityConfiguration)(nil), KMS:(*config.KMSConfiguration)
(nil)}: provider does not contain any of the expected providers: KMS, AESGCM, 
AESCBC, Secretbox, Identity
-- David Medinets
Source: StackOverflow
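
The error in the answer says that resources[0].providers[0] set none of the expected providers. The following is an added example, not part of the original answer or of the aws-encryption-provider project: an offline pre-flight check that applies the same rule to a parsed config before the manifest is edited. It assumes the lowercase field names (kms, aesgcm, aescbc, secretbox, identity) of the apiserver.config.k8s.io/v1 format; the sample config, including the provider name and socket path, is constructed.

```python
# Added example: offline pre-flight check for an EncryptionConfiguration file.
# Applies the rule behind the error above: every providers[] entry must set one
# of kms, aesgcm, aescbc, secretbox, identity to a non-null value.
import sys

EXPECTED = ("kms", "aesgcm", "aescbc", "secretbox", "identity")


def check_providers(config):
    """Return a list of problem strings for a parsed EncryptionConfiguration."""
    problems = []
    for r_idx, resource in enumerate((config or {}).get("resources") or []):
        for p_idx, provider in enumerate((resource or {}).get("providers") or []):
            path = f"resources[{r_idx}].providers[{p_idx}]"
            if not isinstance(provider, dict):
                problems.append(f"{path}: expected a mapping, got {type(provider).__name__}")
                continue
            # A key with a null value (e.g. "kms:" followed by mis-indented
            # children) is treated as not set, matching the (nil) fields in the error.
            if any(provider.get(k) is not None for k in EXPECTED):
                continue
            null_keys = [k for k in EXPECTED if k in provider]
            stray = [k for k in provider if k not in EXPECTED]
            detail = "no expected provider is set"
            if null_keys:
                detail += f"; null value for: {', '.join(null_keys)}"
            if stray:
                detail += f"; unexpected sibling keys: {', '.join(stray)}"
            problems.append(f"{path}: {detail}")
    return problems


# Constructed sample: 'kms' is null and its settings sit beside it, not under it.
BAD = {"resources": [{"resources": ["secrets"], "providers": [
    {"kms": None, "name": "aws-encryption-provider",
     "endpoint": "unix:///var/run/kmsplugin/socket.sock"},
    {"identity": {}}]}]}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        import yaml  # PyYAML, assumed installed; only needed to read a real file
        with open(sys.argv[1]) as fh:
            found = check_providers(yaml.safe_load(fh))
    else:
        found = check_providers(BAD)
    print("\n".join(found) or "all provider entries set an expected provider")
    sys.exit(1 if found else 0)
```

Run with no arguments it checks the constructed sample; given a file path it checks that file and exits non-zero when any provider entry is empty.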