Question

Pod stuck at ContainerCreating during Import on AKS [Related to SecretProviderClass Provider]



Currently performing a POC for a client with a 2 x K10 instance setup deployed on AKS, each running in a different region. Backup was successful. However, when it comes to recovery via an import job, the PV and pods seem to be OK. A couple of pods are stuck at Status: ContainerCreating 0/1. Checked the pods and discovered some issues here related to secretproviderclass, which is not restoring. Any idea what is going on, and what the next step is here?



 

3 comments

  • Author
  • Not a newbie anymore
  • 3 comments
  • September 8, 2022
Events:
  Type     Reason       Age                  From               Message
  ----     ------       ----                 ----               -------
  Normal   Scheduled    47m                  default-scheduler  Successfully assigned sanofi-net/peer0-0 to aks-agentpool-11584630-vmss00000e
  Warning  FailedMount  46m (x3 over 47m)    kubelet            MountVolume.SetUp failed for volume "tlscacerts" : rpc error: code = Unknown desc = failed to get secretproviderclass sanofi-net/peer0-tlscacerts, error: SecretProviderClass.secrets-store.csi.x-k8s.io "peer0-tlscacerts" not found
  Warning  FailedMount  46m (x3 over 47m)    kubelet            MountVolume.SetUp failed for volume "cacerts" : rpc error: code = Unknown desc = failed to get secretproviderclass sanofi-net/peer0-cacerts, error: SecretProviderClass.secrets-store.csi.x-k8s.io "peer0-cacerts" not found
  Warning  FailedMount  46m (x3 over 47m)    kubelet            MountVolume.SetUp failed for volume "user-cred" : rpc error: code = Unknown desc = failed to get secretproviderclass sanofi-net/peer0-user-cred, error: SecretProviderClass.secrets-store.csi.x-k8s.io "peer0-user-cred" not found
  Warning  FailedMount  46m (x4 over 47m)    kubelet            MountVolume.SetUp failed for volume "tls" : rpc error: code = Unknown desc = failed to get secretproviderclass sanofi-net/peer0-tls, error: SecretProviderClass.secrets-store.csi.x-k8s.io "peer0-tls" not found
  Warning  FailedMount  46m (x4 over 47m)    kubelet            MountVolume.SetUp failed for volume "signcerts" : rpc error: code = Unknown desc = failed to get secretproviderclass sanofi-net/peer0-signcerts, error: SecretProviderClass.secrets-store.csi.x-k8s.io "peer0-signcerts" not found
  Warning  FailedMount  46m (x4 over 47m)    kubelet            MountVolume.SetUp failed for volume "keystore" : rpc error: code = Unknown desc = failed to get secretproviderclass sanofi-net/peer0-keystore, error: SecretProviderClass.secrets-store.csi.x-k8s.io "peer0-keystore" not found
  Warning  FailedMount  20m (x20 over 47m)   kubelet            MountVolume.SetUp failed for volume "admincerts" : rpc error: code = Unknown desc = failed to get secretproviderclass sanofi-net/peer0-admincerts, error: SecretProviderClass.secrets-store.csi.x-k8s.io "peer0-admincerts" not found
  Warning  FailedMount  2m2s (x59 over 40m)  kubelet            (combined from similar events): Unable to attach or mount volumes: unmounted volumes=[keystore user-cred cacerts signcerts admincerts tlscacerts tls], unattached volumes=[datadir peer0-msp-config-volume external-builder-release builders-config keystore external-builder-detect external-builder-build user-cred kube-api-access-nmn8g cacerts certificates datadir-couchdb dockersocket signcerts admincerts tlscacerts tls]: timed out waiting for the condition

 


jaiganeshjk
  • Experienced User
  • 275 comments
  • September 8, 2022

@nantheless Thanks for posting your question.

It seems that the secretproviderclass is missing from the cluster.

I am not very familiar with the secret store CSI driver. However, do you already have the CRD for secretProviderClass in the destination cluster?
 

It seems that you need to export the cluster-scoped-resources and use that to import and restore cluster-scoped resources and then attempt application restore.
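
As an added example (not part of the original thread, and not Kasten or Microsoft code), the check suggested in the reply above can be scripted: list the SecretProviderClass objects a restored pod mounts through the Secrets Store CSI driver and report the ones absent from its namespace. The namespace `demo-net` and both sample objects are constructed; real input would come from `kubectl get pod <pod> -n <ns> -o json` and `kubectl get secretproviderclass -n <ns> -o json`.

```python
# Added example: sample objects are constructed, shaped like `kubectl ... -o json`.
CSI_DRIVER = "secrets-store.csi.k8s.io"  # driver name used by Secrets Store CSI volumes


def referenced_spcs(pod):
    """Map volume name -> SecretProviderClass name for the pod's CSI volumes."""
    refs = {}
    for vol in pod.get("spec", {}).get("volumes", []):
        csi = vol.get("csi") or {}
        if csi.get("driver") != CSI_DRIVER:
            continue  # PVCs, configMaps, other CSI drivers are not relevant here
        spc = (csi.get("volumeAttributes") or {}).get("secretProviderClass")
        if spc:
            refs[vol["name"]] = spc
    return refs


def missing_spcs(pod, spc_list):
    """Volumes whose SecretProviderClass does not exist in the pod's namespace."""
    ns = pod["metadata"]["namespace"]
    # SecretProviderClass is namespaced: same name in another namespace does not count.
    present = {item["metadata"]["name"] for item in spc_list.get("items", [])
               if item["metadata"].get("namespace") == ns}
    return {v: s for v, s in referenced_spcs(pod).items() if s not in present}


def _csi(name, spc):
    return {"name": name, "csi": {"driver": CSI_DRIVER, "readOnly": True,
                                  "volumeAttributes": {"secretProviderClass": spc}}}


# Constructed pod: one PVC volume plus two secrets-store volumes.
SAMPLE_POD = {
    "metadata": {"name": "peer0-0", "namespace": "demo-net"},
    "spec": {"volumes": [
        {"name": "datadir", "persistentVolumeClaim": {"claimName": "datadir-peer0-0"}},
        _csi("tls", "peer0-tls"),
        _csi("keystore", "peer0-keystore"),
    ]},
}
# Constructed listing: peer0-keystore exists only in a different namespace.
SAMPLE_SPCS = {"items": [
    {"metadata": {"name": "peer0-tls", "namespace": "demo-net"}},
    {"metadata": {"name": "peer0-keystore", "namespace": "other-net"}},
]}

if __name__ == "__main__":
    for vol, spc in missing_spcs(SAMPLE_POD, SAMPLE_SPCS).items():
        print(f"volume {vol!r}: SecretProviderClass {spc!r} not found")
```

If `kubectl get secretproviderclass` itself fails because the resource type is unknown, the CRD is absent from the destination cluster and no object of that kind can exist there yet.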


  • Author
  • Not a newbie anymore
  • 3 comments
  • September 8, 2022
jaiganeshjk wrote:

@nantheless Thanks for posting your question.

It seems that the secretproviderclass is missing from the cluster.

I am not very familiar with the secret store CSI driver. However, do you already have the CRD for secretProviderClass in the destination cluster?
 

It seems that you need to export the cluster-scoped-resources and use that to import and restore cluster-scoped resources and then attempt application restore.

You are correct. However, the Microsoft cloud team had also advised the customer to enable the Azure Key Vault Provider, which they have duly enabled. But nothing works. Microsoft had advised if there is any issue with the recovery process.

https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver#create-an-aks-cluster-with-azure-key-vault-provider-for-secrets-store-csi-driver-support

 

