I am trying to install Rancher on a Kubernetes cluster that is provided to me by a third party. Please can someone help me with these errors that I am seeing? I am not sure if I am being stupid or if there is something weird in the way that the Kubernetes cluster has been set up.
In the Rancher pods I see the following log lines:
2020/12/13 11:06:11 [INFO] Rancher version v2.5.3 (028c6dd04) is starting
2020/12/13 11:06:11 [INFO] Rancher arguments {ACMEDomains:[] AddLocal:true Embedded:false BindHost: HTTPListenPort:80 HTTPSListenPort:443 K8sMode:auto Debug:false Trace:false NoCACerts:true AuditLogPath:/var/log/auditlog/rancher-api-audit.log AuditLogMaxage:10 AuditLogMaxsize:100 AuditLogMaxbackup:10 AuditLevel:0 Agent:false Features:}
2020/12/13 11:06:11 [INFO] Listening on /tmp/log.sock
2020/12/13 11:06:11 [INFO] No access to list CRDs, assuming CRDs are pre-created.
2020/12/13 11:06:11 [ERROR] unable to retrieve feature multi-cluster-management in initialize features: features.management.cattle.io "multi-cluster-management" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to retrieve feature fleet in initialize features: features.management.cattle.io "fleet" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to create feature fleet in initialize features: features.management.cattle.io is forbidden: User "system:serviceaccount:default:rancher" cannot create resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to retrieve feature unsupported-storage-drivers in initialize features: features.management.cattle.io "unsupported-storage-drivers" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to create feature unsupported-storage-drivers in initialize features: features.management.cattle.io is forbidden: User "system:serviceaccount:default:rancher" cannot create resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to retrieve feature istio-virtual-service-ui in initialize features: features.management.cattle.io "istio-virtual-service-ui" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to create feature istio-virtual-service-ui in initialize features: features.management.cattle.io is forbidden: User "system:serviceaccount:default:rancher" cannot create resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [ERROR] unable to retrieve feature proxy in initialize features: features.management.cattle.io "proxy" is forbidden: User "system:serviceaccount:default:rancher" cannot get resource "features" in API group "management.cattle.io" at the cluster scope
2020/12/13 11:06:11 [FATAL] creating CRD store customresourcedefinitions.apiextensions.k8s.io is forbidden: User "system:serviceaccount:default:rancher" cannot list resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
I am installing Rancher by templating the Helm chart with the following:
helm template rancher rancher-latest/rancher --namespace cattle-system --set hostname=rancher.my.org --set tls=external
which gives me the YAML below, which I install with kubectl apply -f ...
Ta,
Andrew
---
# Source: rancher/templates/serviceAccount.yaml
kind: ServiceAccount
apiVersion: v1
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.5.3
    heritage: Helm
    release: rancher
---
# Source: rancher/templates/clusterRoleBinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.5.3
    heritage: Helm
    release: rancher
subjects:
- kind: ServiceAccount
  name: rancher
  namespace: cattle-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
---
# Source: rancher/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.5.3
    heritage: Helm
    release: rancher
spec:
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
    name: http
  - port: 443
    targetPort: 444
    protocol: TCP
    name: https-internal
  selector:
    app: rancher
---
# Source: rancher/templates/deployment.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.5.3
    heritage: Helm
    release: rancher
spec:
  replicas: 3
  selector:
    matchLabels:
      app: rancher
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: rancher
        release: rancher
    spec:
      serviceAccountName: rancher
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - weight: 100
            podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app
                  operator: In
                  values:
                  - rancher
              topologyKey: kubernetes.io/hostname
      containers:
      - image: rancher/rancher:v2.5.3
        imagePullPolicy: IfNotPresent
        name: rancher
        ports:
        - containerPort: 80
          protocol: TCP
        args:
        # Public trusted CA - clear ca certs
        - "--no-cacerts"
        - "--http-listen-port=80"
        - "--https-listen-port=443"
        - "--add-local=true"
        env:
        - name: CATTLE_NAMESPACE
          value: cattle-system
        - name: CATTLE_PEER_SERVICE
          value: rancher
        livenessProbe:
          httpGet:
            path: /healthz
            port: 80
          initialDelaySeconds: 60
          periodSeconds: 30
        readinessProbe:
          httpGet:
            path: /healthz
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 30
        resources:
          {}
        volumeMounts:
      volumes:
---
# Source: rancher/templates/ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: rancher
  labels:
    app: rancher
    chart: rancher-2.5.3
    heritage: Helm
    release: rancher
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false" # turn off ssl redirect for external.
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
spec:
  rules:
  - host: rancher.my.org # hostname to access rancher server
    http:
      paths:
      - backend:
          serviceName: rancher
          servicePort: 80
I've reproduced your issue, and in order to install Rancher you have to install cert-manager or choose another SSL configuration.
You can do it by following the steps from the linked documentation; if you choose to install cert-manager, you simply run:
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.crds.yaml
$ kubectl create namespace cert-manager
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--version v1.0.4
After that you can deploy the YAML shown in your question and Rancher will start up correctly.
$ kubectl get pods -n cattle-system
rancher-65db98499b-hvnmc 1/1 Running 1 3m52s
rancher-65db98499b-pccdt 1/1 Running 0 3m52s
rancher-65db98499b-wbm28 1/1 Running 1 3m52s
rancher-webhook-7bc7ffdf7c-hrd8q 1/1 Running 0 101s
I got this to work by installing Rancher in the cattle-system namespace, which is where all the CRDs are. I guess it makes sense that the provided ClusterRoleBinding requires the caller to be in the same namespace.
helm template rancher rancher-latest/rancher --namespace cattle-system --set hostname=rancher.my.org --set tls=external > rancher.yaml
kubectl apply -f rancher.yaml -n cattle-system
The documentation is not very clear.
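Why the namespace matters can be read straight off the templated YAML in the question: the ServiceAccount carries no metadata.namespace, so a plain kubectl apply creates it in default and the pods run as system:serviceaccount:default:rancher (the identity in every "is forbidden" line), while the ClusterRoleBinding grants cluster-admin to the subject in namespace cattle-system. Applying with -n cattle-system makes the two identities coincide. The following added example (not part of the question, the answers or the Rancher chart) performs that comparison statically on a helm template manifest before anything is applied. It uses a small indentation-based YAML subset parser written for this example (block maps and lists, plain or quoted scalars, comments; not a full YAML implementation), and SAMPLE_MANIFEST is a trimmed, constructed copy of the chart output above. The function names rbac_identities and lint_rbac are this example's own.

```python
"""Added example (not from the question or the Rancher chart): a static check that the
ServiceAccount a manifest's pods run as is the one its bindings name. The YAML reader is a
small indentation-based subset parser for kubectl-style manifests, not full YAML.
SAMPLE_MANIFEST is a trimmed, constructed copy of the chart output in the question."""
import re

SAMPLE_MANIFEST = """\
---
kind: ServiceAccount
metadata:
  name: rancher   # no metadata.namespace: lands wherever kubectl applies it
---
kind: ClusterRoleBinding
metadata:
  name: rancher
subjects:
- kind: ServiceAccount
  name: rancher
  namespace: cattle-system   # the binding assumes the SA lives here
roleRef:
  kind: ClusterRole
  name: cluster-admin
---
kind: Deployment
metadata:
  name: rancher
spec:
  template:
    spec:
      serviceAccountName: rancher
      containers:
      - image: rancher/rancher:v2.5.3
      volumes:
"""

# "key: value" or "key:" (YAML needs the space after the colon); quoted scalars never are keys
_is_kv = lambda s: s[0] not in "\"'" and re.search(r":(\s|$)", s) is not None

def _scalar(s):
    s = s.strip()
    if s == "{}": return {}
    return s[1:-1] if len(s) > 1 and s[0] == s[-1] and s[0] in "\"'" else (s or None)

def _tokens(text):  # (indent, content) per significant line; assumes no " #" inside a value
    lines = (raw.split(" #", 1)[0].rstrip() for raw in text.splitlines())  # drop trailing comments
    return [(len(l) - len(l.lstrip()), l.strip()) for l in lines if l.strip() and not l.lstrip().startswith("#")]

def _parse(t, i, ind):  # node starting at t[i], whose lines sit at indentation ind
    if t[i][1].startswith("- "):
        return _parse_list(t, i, ind)
    if not _is_kv(t[i][1]):  # bare scalar on its own line, e.g. the "{}" under resources:
        return _scalar(t[i][1]), i + 1
    return _parse_map(t, i, ind)

def _parse_map(t, i, ind):
    out = {}
    while i < len(t) and t[i][0] == ind and not t[i][1].startswith("- "):
        key, _, rest = t[i][1].partition(":")
        i += 1
        if rest.strip():
            out[key] = _scalar(rest)
        elif i < len(t) and (t[i][0] > ind or (t[i][0] == ind and t[i][1].startswith("- "))):
            out[key], i = _parse(t, i, t[i][0])  # nested block, or a list at the key's own indent
        else:
            out[key] = None  # empty value such as "volumes:"
    return out, i

def _parse_list(t, i, ind):
    out = []
    while i < len(t) and t[i][0] == ind and t[i][1].startswith("- "):
        item = t[i][1][2:].strip()
        if _is_kv(item):  # "- key: value" opens a mapping item indented two past the dash
            t[i] = (ind + 2, item)
            val, i = _parse_map(t, i, ind + 2)
        else:
            val, i = _scalar(item), i + 1
        out.append(val)
    return out, i

def parse_manifest(text):
    """Split a multi-document manifest on '---' and parse each document into a dict."""
    chunks = (_tokens(c) for c in re.split(r"^---[ \t]*$", text, flags=re.M))
    return [_parse(t, 0, t[0][0])[0] for t in chunks if t]

def rbac_identities(manifest, apply_namespace="default"):
    """(created, bound, used) sets of system:serviceaccount:<ns>:<name>; objects without
    metadata.namespace get apply_namespace, exactly as `kubectl apply -n` would give them."""
    docs = parse_manifest(manifest)
    ns = lambda d: (d.get("metadata") or {}).get("namespace") or apply_namespace
    sa = lambda n, name: f"system:serviceaccount:{n}:{name}"
    created = {sa(ns(d), d["metadata"]["name"]) for d in docs if d.get("kind") == "ServiceAccount"}
    bound = {sa(s.get("namespace") or ns(d), s["name"])
             for d in docs if d.get("kind") in ("ClusterRoleBinding", "RoleBinding")
             for s in d.get("subjects") or [] if s.get("kind") == "ServiceAccount"}
    used = {sa(ns(d), d["spec"]["template"]["spec"].get("serviceAccountName") or "default")
            for d in docs if d.get("kind") in ("Deployment", "StatefulSet", "DaemonSet")}
    return created, bound, used

def lint_rbac(manifest, apply_namespace="default"):  # mismatches that surface as "is forbidden"
    created, bound, used = rbac_identities(manifest, apply_namespace)
    return ([f"pods run as {u}, which no (Cluster)RoleBinding subject names" for u in sorted(used - bound)]
            + [f"{b} is a binding subject but no ServiceAccount creates it" for b in sorted(bound - created)])
```

lint_rbac(SAMPLE_MANIFEST) models a plain kubectl apply and returns two findings (the pods run as system:serviceaccount:default:rancher, which nothing binds, and the bound system:serviceaccount:cattle-system:rancher is never created); lint_rbac(SAMPLE_MANIFEST, "cattle-system") models kubectl apply -n cattle-system and returns an empty list. Feed it the full helm template output with parse_manifest's caveats in mind. The live-cluster equivalent of the same check is kubectl auth can-i list customresourcedefinitions --as=system:serviceaccount:cattle-system:rancher, compared against the same command with default:rancher; the first should answer yes and the second no once the binding and the ServiceAccount are in the same namespace.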