  1. OpenShift Bugs
  2. OCPBUGS-30741

kube-scheduler certificates not correctly rotated after restart of cluster powered off for 2 months


    • Moderate
    • No
    • False

      Description of problem:

      The cluster was powered off for 2 months. After restarting the cluster, pods are not able to be scheduled.
      
      Errors and warnings "failed to list" and "failed to watch" "Unauthorized" in the `kube-scheduler` pods.
      
      "Unable to authenticate the request" errors with message "x509: certificate signed by unknown authority" in `kube-apiserver` logs.
      
      Similar to BZ 2036870 [1]

       

      Version-Release number of selected component (if applicable):

      4.12

       

      How reproducible:

      unsure

       

      Actual results:

      The `kube-scheduler` certificate is not properly regenerated.

       

      Expected results:

      `kube-scheduler` certificate properly regenerated.

       

      Additional info:

      The `kube-scheduler` certificate was the same as the certificate in `openshift-config-managed`, but not working (solution 5442201 [2] tried but not working).
      
      Renewing the certificate in `openshift-config-managed` as per solution 6961419 [3] worked.

       

      [1] https://bugzilla.redhat.com/show_bug.cgi?id=2036870
      [2] https://access.redhat.com/solutions/5442201
      [3] https://access.redhat.com/solutions/6961419

              aos-workloads-staff Workloads Team Bot Account
              oarribas@redhat.com Oscar Arribas Arribas
              Workloads Team Bot Account Workloads Team Bot Account
              Lucas Severo Alves (Inactive)