Cannot work with KWOK cluster
nashtsai opened this issue · comments
Environment:
Following are backtrace logs:
$ RUST_BACKTRACE=full k view-allocations
2023-09-21T13:02:03.379413Z ERROR failed with error error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1921:: unsupported certificate purpose
Error:
0: Failed to list nodes
1: HyperError: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1921:: unsupported certificate purpose
2: error trying to connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1921:: unsupported certificate purpose
3: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1921:: unsupported certificate purpose
4: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1921:
5: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1921:
Location:
src/main.rs:47
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ BACKTRACE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
2: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
3: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
4: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
5: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
6: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
7: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
8: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
Run with COLORBT_SHOW_HIDDEN=1 environment variable to disable frame filtering.
$ k view-allocations --version
kubectl-view-allocations 0.16.3
Sorry, similar issue with the new version 0.17
2023-09-24T15:01:15.222666Z ERROR failed with error error trying to connect: invalid peer certificate: Other(RequiredEkuNotFound)
Error:
0: Failed to list nodes
1: HyperError: error trying to connect: invalid peer certificate: Other(RequiredEkuNotFound)
2: error trying to connect: invalid peer certificate: Other(RequiredEkuNotFound)
3: invalid peer certificate: Other(RequiredEkuNotFound)
Since version 0.17 the plugin switch to rustls (previously used openssl).
Note that, I didn't had the issue, when running kwok via all-in-one (docker install).
TBH I don't know if it's an issue on the plugin or on how kwok generate its certificate
I've encountered another issue where it's reporting kubectl cluster-info failed, however, I would expect that view-allocations only need Namespace, Pod and Node APIs access.
$ k view-allocations --version Default
kubectl-view-allocations 0.17.2
$ RUST_BACKTRACE=full k view-allocations -g resource -g node Default
Error:
0: Failed to run 'kubectl cluster-info'
Location:
src/main.rs:47
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ BACKTRACE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
2: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
3: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
4: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
5: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
6: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
7: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
8: __mh_execute_header<unknown>
at <unknown source file>:<unknown line>
Run with COLORBT_SHOW_HIDDEN=1 environment variable to disable frame filtering.The plugin, use kubectl cluster-info to check access and credential, and to also automatically review expired OAuth credentials, features that were/are not supported by the underlining lib (maybe it's supported now). maybe I could move this call under a flag
With version 0.18.0; the call to kubectl cluster-info is disabled by default, and the check of certificates can be disabled. With both changes, I was able to run the plugin against a local kwok (How I create it is described into the justfile)
Running `target/debug/kubectl-view-allocations --accept-invalid-certs`
Resource Requested Limit Allocatable Free
cpu __ __ 64.0 __
├─ node-000000 __ __ 32.0 __
└─ node-000001 __ __ 32.0 __
memory __ __ 512.0Gi __
├─ node-000000 __ __ 256.0Gi __
└─ node-000001 __ __ 256.0Gi __
pods (2%) 5.0 (2%) 5.0 220.0 215.0
├─ node-000000 (2%) 2.0 (2%) 2.0 110.0 108.0
└─ node-000001 (3%) 3.0 (3%) 3.0 110.0 107.0
Can you confirm? If ok, I let you close this issue.