- Bug
- Resolution: Duplicate
- Normal
- None
- MCE 2.6.0
- None
- None
- False
- No
- Important
On a fresh install of the latest downstream build of ACM 2.11, the cluster proxy pods seem to be crashing in ACM 2.11 / MCE 2.6.
oc get pods | grep "cluster-proxy"
cluster-proxy-6db985ff9b-2bsq8 0/1 CrashLoopBackOff 236 (2m33s ago) 19h
cluster-proxy-6db985ff9b-b5qsn 0/1 CrashLoopBackOff 236 (3m59s ago) 19h
cluster-proxy-addon-manager-6d9c9c5cb9-5fhk7 1/1 Running 0 19h
cluster-proxy-addon-manager-6d9c9c5cb9-zkn9n 1/1 Running 0 19h
cluster-proxy-addon-user-774bf9c5b6-2s5j2 2/2 Running 0 19h
cluster-proxy-addon-user-774bf9c5b6-fx89z 2/2 Running 0 19h
Logs
oc logs cluster-proxy-6db985ff9b-2bsq8
I0507 13:01:10.776041 1 options.go:148] ServerCert set to "/etc/server-pki/tls.crt".
I0507 13:01:10.776115 1 options.go:149] ServerKey set to "/etc/server-pki/tls.key".
I0507 13:01:10.776120 1 options.go:150] ServerCACert set to "/etc/server-ca-pki/ca.crt".
I0507 13:01:10.776123 1 options.go:151] ClusterCert set to "/etc/agent-pki/tls.crt".
I0507 13:01:10.776127 1 options.go:152] ClusterKey set to "/etc/agent-pki/tls.key".
I0507 13:01:10.776131 1 options.go:153] ClusterCACert set to "/etc/server-ca-pki/ca.crt".
I0507 13:01:10.776136 1 options.go:154] Mode set to "grpc".
I0507 13:01:10.776140 1 options.go:155] UDSName set to "".
I0507 13:01:10.776144 1 options.go:156] DeleteUDSFile set to true.
I0507 13:01:10.776149 1 options.go:157] Server port set to 8090.
I0507 13:01:10.776154 1 options.go:158] Server bind address set to "".
I0507 13:01:10.776159 1 options.go:159] Agent port set to 8091.
I0507 13:01:10.776164 1 options.go:160] Agent bind address set to "".
I0507 13:01:10.776170 1 options.go:161] Admin port set to 8095.
I0507 13:01:10.776175 1 options.go:162] Admin bind address set to "127.0.0.1".
I0507 13:01:10.776181 1 options.go:163] Health port set to 8092.
I0507 13:01:10.776187 1 options.go:164] Health bind address set to "".
I0507 13:01:10.776193 1 options.go:165] Keepalive time set to 30s.
I0507 13:01:10.776206 1 options.go:166] Frontend keepalive time set to 1h0m0s.
I0507 13:01:10.776213 1 options.go:167] EnableProfiling set to false.
I0507 13:01:10.776220 1 options.go:168] EnableContentionProfiling set to false.
I0507 13:01:10.776227 1 options.go:169] ServerID set to a1335309-085a-418a-91ae-8ea65d07c66a.
I0507 13:01:10.776234 1 options.go:170] ServerCount set to 2.
I0507 13:01:10.776241 1 options.go:171] AgentNamespace set to "".
I0507 13:01:10.776249 1 options.go:172] AgentServiceAccount set to "".
I0507 13:01:10.776257 1 options.go:173] AuthenticationAudience set to "".
I0507 13:01:10.776264 1 options.go:174] KubeconfigPath set to "".
I0507 13:01:10.776272 1 options.go:175] KubeconfigQPS set to 0.000000.
I0507 13:01:10.776285 1 options.go:176] KubeconfigBurst set to 0.
I0507 13:01:10.776294 1 options.go:177] ProxyStrategies set to "destHost".
I0507 13:01:10.776303 1 options.go:178] CipherSuites set to ["TLS_AES_256_GCM_SHA384" "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256" "TLS_RSA_WITH_AES_256_CBC_SHA" "TLS_RSA_WITH_AES_128_GCM_SHA256" "TLS_AES_128_GCM_SHA256" "TLS_CHACHA20_POLY1305_SHA256" "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256" "TLS_RSA_WITH_AES_128_CBC_SHA" "TLS_RSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA" "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"].
Error: failed to validate server options with cipher suite TLS_RSA_WITH_AES_256_CBC_SHA not supported, doesn't exist or considered as insecure
Usage:
proxy [flags]
Flags:
--add-dir-header If true, adds the file directory to the header of the log messages
--admin-bind-address string Bind address for admin connections. If empty, we will bind to localhost. (default "127.0.0.1")
--admin-port int Port we listen for admin connections on. (default 8095)
--agent-bind-address string Bind address for agent connections. If empty, we will bind to all interfaces.
--agent-namespace string Expected agent's namespace during agent authentication (used with agent-service-account, authentication-audience, kubeconfig).
--agent-port int Port we listen for agent connections on. (default 8091)
--agent-service-account string Expected agent's service account during agent authentication (used with agent-namespace, authentication-audience, kubeconfig).
--alsologtostderr log to standard error as well as files (no effect when -logtostderr=true)
--authentication-audience string Expected agent's token authentication audience (used with agent-namespace, agent-service-account, kubeconfig).
--cipher-suites strings The comma separated list of allowed cipher suites. Has no effect on TLS1.3. Empty means allow default list.
--cluster-ca-cert string If non-empty the CA we use to validate Agent clients.
--cluster-cert string If non-empty secure communication with this cert.
--cluster-key string If non-empty secure communication with this key.
--delete-existing-uds-file If true and if file UdsName already exists, delete the file before listen on that UDS file. Default is true. (default true)
-enable-contention-profiling enable contention profiling at host:admin-port/debug/pprof/block. "-enable-profiling" must also be set.
--enable-profiling enable pprof at host:admin-port/debug/pprof
--frontend-keepalive-time duration Time for gRPC frontend server keepalive. (default 1h0m0s)
--health-bind-address string Bind address for health connections. If empty, we will bind to all interfaces.
--health-port int Port we listen for health connections on. (default 8092)
-h, --help help for proxy
--keepalive-time duration Time for gRPC agent server keepalive. (default 1h0m0s)
--kubeconfig string absolute path to the kubeconfig file (used with agent-namespace, agent-service-account, authentication-audience).
--kubeconfig-burst int Maximum client burst (proxy server uses this client to authenticate agent tokens).
--kubeconfig-qps float32 Maximum client QPS (proxy server uses this client to authenticate agent tokens).
--log-backtrace-at traceLocation when logging hits line file:N, emit a stack trace (default :0)
--log-dir string If non-empty, write log files in this directory (no effect when -logtostderr=true)
--log-file string If non-empty, use this log file (no effect when -logtostderr=true)
--log-file-max-size uint Defines the maximum size a log file can grow to (no effect when -logtostderr=true). Unit is megabytes. If the value is 0, the maximum file size is unlimited. (default 1800)
--logtostderr log to standard error instead of files (default true)
--mode string mode can be either 'grpc' or 'http-connect'. (default "grpc")
--one-output If true, only write logs to their native severity level (vs also writing to each lower severity level; no effect when -logtostderr=true)
--proxy-strategies string The list of proxy strategies used by the server to pick a backend/tunnel, available strategies are: default, destHost. (default "default")
--server-bind-address string Bind address for server connections. If empty, we will bind to all interfaces.
--server-ca-cert string If non-empty the CA we use to validate KAS clients.
--server-cert string If non-empty secure communication with this cert.
--server-count uint The number of proxy server instances, should be 1 unless it is an HA server. (default 1)
--server-id string The unique ID of this server. Can also be set by the 'PROXY_SERVER_ID' environment variable. (default "a1335309-085a-418a-91ae-8ea65d07c66a")
--server-key string If non-empty secure communication with this key.
--server-port int Port we listen for server connections on. Set to 0 for UDS. (default 8090)
--skip-headers If true, avoid header prefixes in the log messages
--skip-log-headers If true, avoid headers when opening log files (no effect when -logtostderr=true)
--stderrthreshold severity logs at or above this threshold go to stderr when writing to files and stderr (no effect when -logtostderr=true or -alsologtostderr=false) (default 2)
--uds-name string uds-name should be empty for TCP traffic. For UDS set to its name.
-v, --v Level number for the log level verbosity (default 4)
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging
E0507 13:01:10.776694 1 main.go:49] error: failed to validate server options with cipher suite TLS_RSA_WITH_AES_256_CBC_SHA not supported, doesn't exist or considered as insecure
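The crash above comes from server option validation refusing a configured cipher suite name, so the useful defender-side check is to validate the `--cipher-suites` value before it reaches the proxy. The Go program below is an added example written for this page; it is not code from the report or from the cluster-proxy project, and its acceptance policy (name must be implemented by Go's crypto/tls, must not be on Go's insecure list, must provide forward secrecy, and must not be CBC mode) is this example's own assumption rather than the rule the proxy applies. The function names and the sample list (a constructed subset of the suite names from the log, plus one bogus name) are likewise assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"sort"
	"strings"
)

// Rejection records a configured cipher suite name and why it was refused.
type Rejection struct {
	Name   string
	Reason string
}

// classify applies this example's own policy (an assumption, not the proxy's
// rule) to one cipher suite name:
//   - the name must be one Go's crypto/tls implements;
//   - it must not be on Go's InsecureCipherSuites list;
//   - it must give forward secrecy, so RSA key-exchange suites are refused;
//   - CBC-mode suites are refused in favour of AEAD suites (GCM, ChaCha20).
// It returns the tls constant ID on success, or a non-empty reason on failure.
func classify(name string) (id uint16, reason string) {
	for _, cs := range tls.InsecureCipherSuites() {
		if cs.Name == name {
			return 0, "listed as insecure by crypto/tls"
		}
	}
	var found *tls.CipherSuite
	for _, cs := range tls.CipherSuites() {
		if cs.Name == name {
			found = cs
			break
		}
	}
	if found == nil {
		return 0, "not implemented by crypto/tls (unknown name)"
	}
	if strings.HasPrefix(name, "TLS_RSA_WITH_") {
		return 0, "RSA key exchange: no forward secrecy"
	}
	if strings.Contains(name, "_CBC_") {
		return 0, "CBC mode: prefer an AEAD suite"
	}
	return found.ID, ""
}

// ValidateCipherSuites takes a comma-separated list in the shape the
// --cipher-suites flag expects and returns the accepted IDs (sorted, ready for
// tls.Config.CipherSuites) together with every rejected name and its reason.
// Note that TLS 1.3 suite names are accepted but, as the flag help says, have
// no effect on TLS 1.3, whose suites Go does not let a config restrict.
func ValidateCipherSuites(flagValue string) (accepted []uint16, rejected []Rejection) {
	for _, raw := range strings.Split(flagValue, ",") {
		name := strings.TrimSpace(raw)
		if name == "" {
			continue
		}
		id, reason := classify(name)
		if reason != "" {
			rejected = append(rejected, Rejection{Name: name, Reason: reason})
			continue
		}
		accepted = append(accepted, id)
	}
	sort.Slice(accepted, func(i, j int) bool { return accepted[i] < accepted[j] })
	return accepted, rejected
}

func main() {
	// Constructed sample: a subset of the names from the crashing pod's log
	// plus one name that does not exist.
	sample := "TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA," +
		"TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_BOGUS_SUITE"
	accepted, rejected := ValidateCipherSuites(sample)
	for _, id := range accepted {
		fmt.Printf("accepted: %s (0x%04x)\n", tls.CipherSuiteName(id), id)
	}
	for _, r := range rejected {
		fmt.Printf("rejected: %s: %s\n", r.Name, r.Reason)
	}
}
```

Running it against the full list from the log would flag every `TLS_RSA_WITH_*` and `*_CBC_*` entry, which is a quick way to produce a list the proxy will start with and to see exactly which names a hardened build is likely to refuse.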