Closed
yellowred opened this issue on Apr 18, 2018 · 9 comments
Comments
Steps to reproduce
$ kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
secret "kubernetes-dashboard-certs" created
serviceaccount "kubernetes-dashboard" created
role "kubernetes-dashboard-minimal" created
rolebinding "kubernetes-dashboard-minimal" created
deployment "kubernetes-dashboard" created
service "kubernetes-dashboard" created
$ kubectl proxy
Starting to serve on 127.0.0.1:8001
Environment
Installation method: see above
Kubernetes version: v1.9.6
Dashboard version: v1.8.3
Commit: ec1d7de4456e6a397c7f931f0a2bfc74a6ca2e9c
Observed result
Dashboard reported Internal Server Error (500):
square/go-jose: error in cryptographic primitive
After I had deleted all the pods it started to work. So it was either resource caused or just needed more time to initialise. Gonna keep this issue for informational reasons, but closed as it is solved for me.
Faced it too. It was because of a stale browser cookie in my case.
Faced it too, a bit annoying. In my case, I was using chrome and started a new window in incognito mode and it worked fine.
It may be because your secret token was not encrypted and decrypted by the same private/public key pair. kube-controller-manager generates the token, and kube-apiserver detects the token. The private key is specified by --service-account-key-file; if unspecified, --tls-private-key-file is used.
It didn’t get that far where it takes the token
Yes also get this issue. It happened to me when I switched between kubernetes clusters and I think it doesn’t handle the token properly. If I log out and log back in it works.
Had the same issue in Chrome. Clear Browser data fixes it.
I solved the same problem by logging in again and entering the TOKEN again.
Package jose aims to provide an implementation of the Javascript Object Signing
and Encryption set of standards. It implements encryption and signing based on
the JSON Web Encryption and JSON Web Signature standards, with optional JSON
Web Token support available in a sub-package. The library supports both the
compact and full serialization formats, and has optional support for multiple
recipients.
```go
// Generate a public/private key pair to use for this example.
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
	panic(err)
}

// Instantiate an encrypter using RSA-OAEP with AES128-GCM. An error would
// indicate that the selected algorithm(s) are not currently supported.
publicKey := &privateKey.PublicKey
encrypter, err := NewEncrypter(A128GCM, Recipient{Algorithm: RSA_OAEP, Key: publicKey}, nil)
if err != nil {
	panic(err)
}

// Encrypt a sample plaintext. Calling the encrypter returns an encrypted
// JWE object, which can then be serialized for output afterwards. An error
// would indicate a problem in an underlying cryptographic primitive.
var plaintext = []byte("Lorem ipsum dolor sit amet")
object, err := encrypter.Encrypt(plaintext)
if err != nil {
	panic(err)
}

// Serialize the encrypted object using the full serialization format.
// Alternatively you can also use the compact format here by calling
// object.CompactSerialize() instead.
serialized := object.FullSerialize()

// Parse the serialized, encrypted JWE object. An error would indicate that
// the given input did not represent a valid message.
object, err = ParseEncrypted(serialized)
if err != nil {
	panic(err)
}

// Now we can decrypt and get back our original plaintext. An error here
// would indicate that the message failed to decrypt, e.g. because the auth
// tag was broken or the message was tampered with.
decrypted, err := object.Decrypt(privateKey)
if err != nil {
	panic(err)
}
// Print (not Printf): the plaintext is data, not a format string.
fmt.Print(string(decrypted))
```
Output: Lorem ipsum dolor sit amet
```go
// Generate a public/private key pair to use for this example.
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
	panic(err)
}

// Instantiate a signer using RSASSA-PSS (SHA512) with the given private key.
signer, err := NewSigner(SigningKey{Algorithm: PS512, Key: privateKey}, nil)
if err != nil {
	panic(err)
}

// Sign a sample payload. Calling the signer returns a protected JWS object,
// which can then be serialized for output afterwards. An error would
// indicate a problem in an underlying cryptographic primitive.
var payload = []byte("Lorem ipsum dolor sit amet")
object, err := signer.Sign(payload)
if err != nil {
	panic(err)
}

// Serialize the signed object using the full serialization format.
// Alternatively you can also use the compact format here by calling
// object.CompactSerialize() instead.
serialized := object.FullSerialize()

// Parse the serialized, protected JWS object. An error would indicate that
// the given input did not represent a valid message.
object, err = ParseSigned(serialized)
if err != nil {
	panic(err)
}

// Now we can verify the signature on the payload. An error here would
// indicate that the message failed to verify, e.g. because the signature was
// broken or the message was tampered with.
output, err := object.Verify(&privateKey.PublicKey)
if err != nil {
	panic(err)
}
// Print (not Printf): the payload is data, not a format string.
fmt.Print(string(output))
```
Output: Lorem ipsum dolor sit amet
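An added example (not go-jose's code and not from either issue thread) that reproduces, with only the Go standard library, the failure mode the comment above describes: a compact RS256 JWS minted under one key pair and checked by a verifier configured with a different key, reported as a single "error in cryptographic primitive" value the way go-jose's ErrCryptoFailure is. It also follows the Verify caveat on this page by looking keys up by kid from a trusted set instead of trusting anything embedded in the token; the names SignRS256, VerifyRS256, mustKey and the sample claims are this example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrCryptoFailure plays the role of go-jose's sentinel from the issue title:
// any failure inside the signature primitive is reported as this one value.
var ErrCryptoFailure = errors.New("error in cryptographic primitive")

// b64 is the unpadded base64url encoding that RFC 7515 requires.
var b64 = base64.RawURLEncoding

// header is the subset of the JOSE protected header this example uses.
type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"`
}

// SignRS256 produces a compact JWS: b64(header).b64(payload).b64(signature).
func SignRS256(priv *rsa.PrivateKey, kid string, payload []byte) (string, error) {
	hdr, err := json.Marshal(header{Alg: "RS256", Kid: kid})
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 checks a compact JWS against keys the verifier already trusts,
// selected by kid. The algorithm is pinned and nothing carried inside the
// token is used as key material, so a token cannot choose its own verifier.
func VerifyRS256(token string, trusted map[string]*rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	hdrBytes, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr header
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := trusted[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		// A wrong key pair and a tampered token both surface here.
		return nil, fmt.Errorf("%w: %v", ErrCryptoFailure, err)
	}
	return b64.DecodeString(parts[1])
}

// mustKey generates a fresh 2048-bit RSA key pair for the demonstration.
func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	// Two unrelated key pairs stand in for "the key that minted the token" and
	// "the key the API server was configured with".
	minting, unrelated := mustKey(), mustKey()
	// Constructed sample claims, not a real service account token.
	claims := []byte(`{"sub":"system:serviceaccount:kube-system:kubernetes-dashboard"}`)
	token, err := SignRS256(minting, "sa-key-1", claims)
	if err != nil {
		panic(err)
	}
	_, err = VerifyRS256(token, map[string]*rsa.PublicKey{"sa-key-1": &minting.PublicKey})
	fmt.Println("matching key pair:", err)
	_, err = VerifyRS256(token, map[string]*rsa.PublicKey{"sa-key-1": &unrelated.PublicKey})
	fmt.Println("mismatched key pair:", err)
}
```

Check with errors.Is(err, ErrCryptoFailure) to separate a genuine signature failure (wrong key, tampered token) from parse or key-lookup problems, which fail before the primitive runs.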
- Constants
- Variables
- type CompressionAlgorithm
- type ContentEncryption
- type ContentType
- type Encrypter
- func NewEncrypter(enc ContentEncryption, rcpt Recipient, opts *EncrypterOptions) (Encrypter, error)
- func NewMultiEncrypter(enc ContentEncryption, rcpts []Recipient, opts *EncrypterOptions) (Encrypter, error)
- type EncrypterOptions
- func (eo *EncrypterOptions) WithContentType(contentType ContentType) *EncrypterOptions
- func (eo *EncrypterOptions) WithHeader(k HeaderKey, v interface{}) *EncrypterOptions
- func (eo *EncrypterOptions) WithType(typ ContentType) *EncrypterOptions
- type Header
- func (h Header) Certificates(opts x509.VerifyOptions) ([][]*x509.Certificate, error)
- type HeaderKey
- type JSONWebEncryption
- func ParseEncrypted(input string) (*JSONWebEncryption, error)
- func (obj JSONWebEncryption) CompactSerialize() (string, error)
- func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
- func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error)
- func (obj JSONWebEncryption) FullSerialize() string
- func (obj JSONWebEncryption) GetAuthData() []byte
- type JSONWebKey
- func (k *JSONWebKey) IsPublic() bool
- func (k JSONWebKey) MarshalJSON() ([]byte, error)
- func (k *JSONWebKey) Public() JSONWebKey
- func (k *JSONWebKey) Thumbprint(hash crypto.Hash) ([]byte, error)
- func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error)
- func (k *JSONWebKey) Valid() bool
- type JSONWebKeySet
- func (s *JSONWebKeySet) Key(kid string) []JSONWebKey
- type JSONWebSignature
- func ParseDetached(signature string, payload []byte) (*JSONWebSignature, error)
- func ParseSigned(signature string) (*JSONWebSignature, error)
- func (obj JSONWebSignature) CompactSerialize() (string, error)
- func (obj JSONWebSignature) DetachedCompactSerialize() (string, error)
- func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey interface{}) error
- func (obj JSONWebSignature) DetachedVerifyMulti(payload []byte, verificationKey interface{}) (int, Signature, error)
- func (obj JSONWebSignature) FullSerialize() string
- func (obj JSONWebSignature) UnsafePayloadWithoutVerification() []byte
- func (obj JSONWebSignature) Verify(verificationKey interface{}) ([]byte, error)
- func (obj JSONWebSignature) VerifyMulti(verificationKey interface{}) (int, Signature, []byte, error)
- type KeyAlgorithm
- type NonceSource
- type OpaqueKeyDecrypter
- type OpaqueKeyEncrypter
- type OpaqueSigner
- type OpaqueVerifier
- type Recipient
- type Signature
- type SignatureAlgorithm
- type Signer
- func NewMultiSigner(sigs []SigningKey, opts *SignerOptions) (Signer, error)
- func NewSigner(sig SigningKey, opts *SignerOptions) (Signer, error)
- type SignerOptions
- func (so *SignerOptions) WithBase64(b64 bool) *SignerOptions
- func (so *SignerOptions) WithContentType(contentType ContentType) *SignerOptions
- func (so *SignerOptions) WithCritical(names …string) *SignerOptions
- func (so *SignerOptions) WithHeader(k HeaderKey, v interface{}) *SignerOptions
- func (so *SignerOptions) WithType(typ ContentType) *SignerOptions
- type SigningKey
```go
const (
	ED25519            = KeyAlgorithm("ED25519")
	RSA1_5             = KeyAlgorithm("RSA1_5")
	RSA_OAEP           = KeyAlgorithm("RSA-OAEP")
	RSA_OAEP_256       = KeyAlgorithm("RSA-OAEP-256")
	A128KW             = KeyAlgorithm("A128KW")
	A192KW             = KeyAlgorithm("A192KW")
	A256KW             = KeyAlgorithm("A256KW")
	DIRECT             = KeyAlgorithm("dir")
	ECDH_ES            = KeyAlgorithm("ECDH-ES")
	ECDH_ES_A128KW     = KeyAlgorithm("ECDH-ES+A128KW")
	ECDH_ES_A192KW     = KeyAlgorithm("ECDH-ES+A192KW")
	ECDH_ES_A256KW     = KeyAlgorithm("ECDH-ES+A256KW")
	A128GCMKW          = KeyAlgorithm("A128GCMKW")
	A192GCMKW          = KeyAlgorithm("A192GCMKW")
	A256GCMKW          = KeyAlgorithm("A256GCMKW")
	PBES2_HS256_A128KW = KeyAlgorithm("PBES2-HS256+A128KW")
	PBES2_HS384_A192KW = KeyAlgorithm("PBES2-HS384+A192KW")
	PBES2_HS512_A256KW = KeyAlgorithm("PBES2-HS512+A256KW")
)
```
Key management algorithms
```go
const (
	EdDSA = SignatureAlgorithm("EdDSA")
	HS256 = SignatureAlgorithm("HS256")
	HS384 = SignatureAlgorithm("HS384")
	HS512 = SignatureAlgorithm("HS512")
	RS256 = SignatureAlgorithm("RS256")
	RS384 = SignatureAlgorithm("RS384")
	RS512 = SignatureAlgorithm("RS512")
	ES256 = SignatureAlgorithm("ES256")
	ES384 = SignatureAlgorithm("ES384")
	ES512 = SignatureAlgorithm("ES512")
	PS256 = SignatureAlgorithm("PS256")
	PS384 = SignatureAlgorithm("PS384")
	PS512 = SignatureAlgorithm("PS512")
)
```
Signature algorithms
```go
const (
	A128CBC_HS256 = ContentEncryption("A128CBC-HS256")
	A192CBC_HS384 = ContentEncryption("A192CBC-HS384")
	A256CBC_HS512 = ContentEncryption("A256CBC-HS512")
	A128GCM       = ContentEncryption("A128GCM")
	A192GCM       = ContentEncryption("A192GCM")
	A256GCM       = ContentEncryption("A256GCM")
)
```
Content encryption algorithms
Compression algorithms
```go
var (
	ErrCryptoFailure        = errors.New("square/go-jose: error in cryptographic primitive")
	ErrUnsupportedAlgorithm = errors.New("square/go-jose: unknown/unsupported algorithm")
	ErrUnsupportedKeyType   = errors.New("square/go-jose: unsupported key type/format")
	ErrInvalidKeySize       = errors.New("square/go-jose: invalid key size for algorithm")
	ErrNotSupported         = errors.New("square/go-jose: compact serialization not supported for object")
	ErrUnprotectedNonce     = errors.New("square/go-jose: Nonce parameter included in unprotected header")
)
```
Random reader (stubbed out in tests)
type CompressionAlgorithm string
CompressionAlgorithm represents an algorithm used for plaintext compression.
type ContentType (added in v2.0.1)
ContentType represents type of the contained data.
```go
type Encrypter interface {
	Encrypt(plaintext []byte) (*JSONWebEncryption, error)
	EncryptWithAuthData(plaintext []byte, aad []byte) (*JSONWebEncryption, error)
	Options() EncrypterOptions
}
```
Encrypter represents an encrypter which produces an encrypted JWE object.
```go
// Encrypt a plaintext in order to get an encrypted JWE object.
var plaintext = []byte("This is a secret message")
encrypter.Encrypt(plaintext)
```
```go
// Encrypt a plaintext in order to get an encrypted JWE object. Also attach
// some additional authenticated data (AAD) to the object. Note that objects
// with attached AAD can only be represented using full serialization.
var plaintext = []byte("This is a secret message")
var aad = []byte("This is authenticated, but public data")
encrypter.EncryptWithAuthData(plaintext, aad)
```
NewEncrypter creates an appropriate encrypter based on the key type
```go
var publicKey *rsa.PublicKey

// Instantiate an encrypter using RSA-OAEP with AES128-GCM.
NewEncrypter(A128GCM, Recipient{Algorithm: RSA_OAEP, Key: publicKey}, nil)

// Instantiate an encrypter using RSA-PKCS1v1.5 with AES128-CBC+HMAC.
NewEncrypter(A128CBC_HS256, Recipient{Algorithm: RSA1_5, Key: publicKey}, nil)
```
```go
var sharedKey []byte

// Instantiate an encrypter using AES128-GCM with AES-GCM key wrap.
NewEncrypter(A128GCM, Recipient{Algorithm: A128GCMKW, Key: sharedKey}, nil)

// Instantiate an encrypter using AES128-GCM directly, w/o key wrapping.
NewEncrypter(A128GCM, Recipient{Algorithm: DIRECT, Key: sharedKey}, nil)
```
func NewMultiEncrypter(enc ContentEncryption, rcpts []Recipient, opts *EncrypterOptions) (Encrypter, error)
NewMultiEncrypter creates a multi-encrypter based on the given parameters
```go
var publicKey *rsa.PublicKey
var sharedKey []byte

// Instantiate an encrypter using AES-GCM.
NewMultiEncrypter(A128GCM, []Recipient{
	{Algorithm: A128GCMKW, Key: sharedKey},
	{Algorithm: RSA_OAEP, Key: publicKey},
}, nil)
```
type EncrypterOptions struct {
Compression CompressionAlgorithm
ExtraHeaders map[HeaderKey]interface{}
}
EncrypterOptions represents options that can be set on new encrypters.
func (*EncrypterOptions) WithContentType (added in v2.1.0)
func (eo *EncrypterOptions) WithContentType(contentType ContentType) *EncrypterOptions
WithContentType adds a content type ("cty") header and returns the updated
EncrypterOptions.
func (eo *EncrypterOptions) WithHeader(k HeaderKey, v interface{}) *EncrypterOptions
WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it
if necessary. It returns itself and so can be used in a fluent style.
func (eo *EncrypterOptions) WithType(typ ContentType) *EncrypterOptions
WithType adds a type ("typ") header and returns the updated EncrypterOptions.
```go
type Header struct {
	ExtraHeaders map[HeaderKey]interface{}
}
```
Header represents the read-only JOSE header for JWE/JWS objects.
Certificates verifies & returns the certificate chain present
in the x5c header field of a message, if one was present. Returns
an error if there was no x5c header present or the chain could
not be validated with the given verify options.
A key in the protected header of a JWS object. Use of the Header…
constants is preferred to enhance type safety.
const (
HeaderContentType = "cty"
)
type JSONWebEncryption struct { }
JSONWebEncryption represents an encrypted JWE object after parsing.
ParseEncrypted parses an encrypted message in compact or full serialization format.
CompactSerialize serializes an object using the compact serialization format.
func (obj JSONWebEncryption) Decrypt(decryptionKey interface{}) ([]byte, error)
Decrypt and validate the object and return the plaintext. Note that this
function does not support multi-recipient, if you desire multi-recipient
decryption use DecryptMulti instead.
func (obj JSONWebEncryption) DecryptMulti(decryptionKey interface{}) (int, Header, []byte, error)
DecryptMulti decrypts and validates the object and returns the plaintexts,
with support for multiple recipients. It returns the index of the recipient
for which the decryption was successful, the merged headers for that recipient,
and the plaintext.
FullSerialize serializes an object using the full JSON serialization format.
func (obj JSONWebEncryption) GetAuthData() []byte
GetAuthData retrieves the (optional) authenticated data attached to the object.
JSONWebKey represents a public or private key in JWK format.
func (k *JSONWebKey) IsPublic() bool
IsPublic returns true if the JWK represents a public key (not symmetric, not private).
MarshalJSON serializes the given key to its JSON representation.
func (k *JSONWebKey) Public() JSONWebKey
Public creates JSONWebKey with corresponding public key if JWK represents asymmetric private key.
Thumbprint computes the JWK Thumbprint of a key using the
indicated hash algorithm.
UnmarshalJSON reads a key from its JSON representation.
Valid checks that the key contains the expected parameters.
type JSONWebKeySet struct {
Keys []JSONWebKey `json:"keys"`
}
JSONWebKeySet represents a JWK Set object.
Key convenience method returns keys by key ID. Specification states
that a JWK Set "SHOULD" use distinct key IDs, but allows for some
cases where they are not distinct. Hence method returns a slice
of JSONWebKeys.
type JSONWebSignature struct {
Signatures []Signature
}
JSONWebSignature represents a signed JWS object after parsing.
ParseDetached parses a signed message in compact serialization format with detached payload.
ParseSigned parses a signed message in compact or full serialization format.
CompactSerialize serializes an object using the compact serialization format.
DetachedCompactSerialize serializes an object using the compact serialization format with detached payload.
func (obj JSONWebSignature) DetachedVerify(payload []byte, verificationKey interface{}) error
DetachedVerify validates a detached signature on the given payload. In
most cases, you will probably want to use Verify instead. DetachedVerify
is only useful if you have a payload and signature that are separated from
each other.
func (obj JSONWebSignature) DetachedVerifyMulti(payload []byte, verificationKey interface{}) (int, Signature, error)
DetachedVerifyMulti validates a detached signature on the given payload with
a signature/object that has potentially multiple signers. This returns the index
of the signature that was verified, along with the signature object. We return
the signature and index to guarantee that callers are getting the verified value.
In most cases, you will probably want to use Verify or VerifyMulti instead.
DetachedVerifyMulti is only useful if you have a payload and signature that are
separated from each other, and the signature can have multiple signers at the
same time.
FullSerialize serializes an object using the full JSON serialization format.
func (obj JSONWebSignature) UnsafePayloadWithoutVerification() []byte
UnsafePayloadWithoutVerification returns the payload without
verifying it. The content returned from this function cannot be
trusted.
func (obj JSONWebSignature) Verify(verificationKey interface{}) ([]byte, error)
Verify validates the signature on the object and returns the payload.
This function does not support multi-signature, if you desire multi-sig
verification use VerifyMulti instead.
Be careful when verifying signatures based on embedded JWKs inside the
payload header. You cannot assume that the key received in a payload is
trusted.
func (obj JSONWebSignature) VerifyMulti(verificationKey interface{}) (int, Signature, []byte, error)
VerifyMulti validates (one of the multiple) signatures on the object and
returns the index of the signature that was verified, along with the signature
object and the payload. We return the signature and index to guarantee that
callers are getting the verified value.
KeyAlgorithm represents a key management algorithm.
NonceSource represents a source of random nonces to go into JWS objects
type OpaqueKeyDecrypter interface {
DecryptKey(encryptedKey []byte, header Header) ([]byte, error)
}
OpaqueKeyDecrypter is an interface that supports decrypting keys with an opaque key.
```go
type OpaqueKeyEncrypter interface {
	KeyID() string
	Algs() []KeyAlgorithm
}
```
OpaqueKeyEncrypter is an interface that supports encrypting keys with an opaque key.
```go
type OpaqueSigner interface {
	Public() *JSONWebKey
	Algs() []SignatureAlgorithm
	SignPayload(payload []byte, alg SignatureAlgorithm) ([]byte, error)
}
```
OpaqueSigner is an interface that supports signing payloads with opaque
private key(s). Private key operations performed by implementers may, for
example, occur in a hardware module. An OpaqueSigner may rotate signing keys
transparently to the user of this interface.
type OpaqueVerifier interface {
VerifyPayload(payload []byte, signature []byte, alg SignatureAlgorithm) error
}
OpaqueVerifier is an interface that supports verifying payloads with opaque
public key(s). An OpaqueSigner may rotate signing keys transparently to the
user of this interface.
```go
type Recipient struct {
	Algorithm  KeyAlgorithm
	Key        interface{}
	KeyID      string
	PBES2Count int
	PBES2Salt  []byte
}
```
Recipient represents an algorithm/key to encrypt messages to.
PBES2Count and PBES2Salt correspond with the "p2c" and "p2s" headers used
on the password-based encryption algorithms PBES2-HS256+A128KW,
PBES2-HS384+A192KW, and PBES2-HS512+A256KW. If they are not provided a safe
default of 100000 will be used for the count and a 128-bit random salt will
be generated.
```go
type Signature struct {
	Header      Header
	Protected   Header
	Unprotected Header
	Signature   []byte
}
```
Signature represents a single signature over the JWS payload and protected header.
type SignatureAlgorithm string
SignatureAlgorithm represents a signature (or MAC) algorithm.
```go
type Signer interface {
	Sign(payload []byte) (*JSONWebSignature, error)
	Options() SignerOptions
}
```
Signer represents a signer which takes a payload and produces a signed JWS object.
func NewMultiSigner(sigs []SigningKey, opts *SignerOptions) (Signer, error)
NewMultiSigner creates a signer for multiple recipients
```go
var privateKey *rsa.PrivateKey
var sharedKey []byte

// Instantiate a signer for multiple recipients.
NewMultiSigner([]SigningKey{
	{Algorithm: HS256, Key: sharedKey},
	{Algorithm: PS384, Key: privateKey},
}, nil)
```
NewSigner creates an appropriate signer based on the key type
```go
var rsaPrivateKey *rsa.PrivateKey
var ecdsaPrivateKey *ecdsa.PrivateKey

// Instantiate a signer using RSA-PKCS#1v1.5 with SHA-256.
NewSigner(SigningKey{Algorithm: RS256, Key: rsaPrivateKey}, nil)

// Instantiate a signer using ECDSA with SHA-384.
NewSigner(SigningKey{Algorithm: ES384, Key: ecdsaPrivateKey}, nil)
```
```go
var sharedKey []byte

// Instantiate a signer using HMAC-SHA256.
NewSigner(SigningKey{Algorithm: HS256, Key: sharedKey}, nil)

// Instantiate a signer using HMAC-SHA512.
NewSigner(SigningKey{Algorithm: HS512, Key: sharedKey}, nil)
```
```go
type SignerOptions struct {
	NonceSource  NonceSource
	EmbedJWK     bool
	ExtraHeaders map[HeaderKey]interface{}
}
```
SignerOptions represents options that can be set when creating signers.
func (so *SignerOptions) WithBase64(b64 bool) *SignerOptions
WithBase64 adds a base64url-encode payload ("b64") header and returns the updated
SignerOptions. When the "b64" value is "false", the payload is not base64 encoded.
func (*SignerOptions) WithContentType (added in v2.1.0)
func (so *SignerOptions) WithContentType(contentType ContentType) *SignerOptions
WithContentType adds a content type ("cty") header and returns the updated
SignerOptions.
func (so *SignerOptions) WithCritical(names ...string) *SignerOptions
WithCritical adds the given names to the critical ("crit") header and returns
the updated SignerOptions.
func (so *SignerOptions) WithHeader(k HeaderKey, v interface{}) *SignerOptions
WithHeader adds an arbitrary value to the ExtraHeaders map, initializing it
if necessary. It returns itself and so can be used in a fluent style.
func (so *SignerOptions) WithType(typ ContentType) *SignerOptions
WithType adds a type ("typ") header and returns the updated SignerOptions.
```go
type SigningKey struct {
	Algorithm SignatureAlgorithm
	Key       interface{}
}
```
SigningKey represents an algorithm/key used to sign a message.
This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing the severity/priority. If you have further information on the current state of the bug, please update it, otherwise this bug can be closed in about 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant. Additionally, you can add LifecycleFrozen into Keywords if you think this bug should never be marked as stale. Please consult with bug assignee before you do that.
There are 2 subtypes of this error:
- square/go-jose: error in cryptographic primitive, old, insecure token format
- square/go-jose: error in cryptographic primitive, token lookup failed

The former might be related to some leftovers after forbidding the old token format [1]. Sergiusz Urbaniak - I've seen this happening in the monitoring Pods, can I kindly ask you to let the Monitoring Team know about this? Here are two examples extracted from [2]:

- Jun 14 19:53:09.227 E ns/openshift-monitoring pod/thanos-querier-74b7584698-7c7cq node/ip-10-0-227-143.us-west-1.compute.internal container/oauth-proxy reason/ContainerExit code/2 cause/Error format]
  2021/06/14 18:50:55 oauthproxy.go:793: requestauth: 10.128.0.7:39240 [invalid bearer token, square/go-jose: error in cryptographic primitive, old, insecure token format]
  2021/06/14 18:50:57 [...]
- Jun 13 22:56:27.417 E ns/openshift-monitoring pod/alertmanager-main-1 node/ip-10-0-238-162.ec2.internal container/alertmanager-proxy reason/ContainerExit code/2 cause/Error /06/13 22:31:28 oauthproxy.go:793: requestauth: 10.128.2.16:36640 [invalid bearer token, square/go-jose: error in cryptographic primitive, old, insecure token format][...]

The latter is more interesting and happens when the Token Authenticator can not get Tokens [3][4].

Analyzing one of the failed builds [5] I found the kube-apiserver was emitting this error at the time shown below:

2021-06-15T02:28:51.789845375Z E0615 02:28:51.788905 19 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, Token has been invalidated, token lookup failed]"
2021-06-15T02:28:51.789845375Z E0615 02:28:51.789294 19 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, Token has been invalidated, token lookup failed]"
2021-06-15T02:28:51.789845375Z E0615 02:28:51.789419 19 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, Token has been invalidated, token lookup failed]"
2021-06-15T02:28:51.789845375Z E0615 02:28:51.789573 19 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, Token has been invalidated, token lookup failed]"

After this time, the error stopped appearing. Interestingly, the API Server Pods started earlier than that but it took some time until they connected to Etcd and started serving requests:
- apiserver-58b64fd885-5gg7b: ~02:40:09.150111
- apiserver-58b64fd885-9lw55: ~02:40:09.150174208Z
- apiserver-58b64fd885-hnmxf: ~02:28:44.705157016Z

Based on the timestamps above, I believe this is a timing issue. Things are booting up and the oAuth API Server temporarily can not obtain Tokens. Standa - if you agree with me, that will probably be a "won't fix".

[1] https://github.com/openshift/oauth-apiserver/pull/44
[2] https://search.ci.openshift.org/?search=square%2Fgo-jose%3A+error+in+cryptographic+primitive%2C+old%2C+insecure+token+format&maxAge=336h&context=1&type=junit&name=&excludeName=&maxMatches=5&maxBytes=20971520&groupBy=job
[3] https://github.com/openshift/oauth-apiserver/blob/09435a5dd505b3b90eb7ce355ab41c8e4c1a349c/pkg/tokenvalidation/tokenauthenticator.go#L53
[4] https://github.com/openshift/oauth-apiserver/blob/09435a5dd505b3b90eb7ce355ab41c8e4c1a349c/pkg/tokenvalidation/tokenauthenticator.go#L62
[5] https://prow.ci.openshift.org/view/gs/origin-ci-test/pr-logs/pull/openshift_ovn-kubernetes/574/pull-ci-openshift-ovn-kubernetes-master-4.8-upgrade-from-stable-4.7-e2e-aws-ovn-upgrade/1404592194467139584
The LifecycleStale keyword was removed because the bug got commented on recently. The bug assignee was notified.
It turns out my previous explanation was entirely incorrect. Standa clarified that Kube API Server is one of the first things that we start. Such a timing error is simply impossible in this case.

So far I've verified:
- This is not a new problem, it started happening in 4.7: https://bugzilla.redhat.com/show_bug.cgi?id=1907728
- The square/go-jose code suggests that this error when verifying the token signature
- The SA keys/certs haven't been rotated
- The failure happened in a Pod that has been restarted, so I can't compare mounted certs if they match the API server
- Couldn't find anything in events
- Couldn't find anything in audit logs

I've created 2 debugging PRs that might help me investigate this failure further:
- https://github.com/openshift/kubernetes/pull/816
- https://github.com/openshift/oauth-apiserver/pull/57
Closing as there's not enough data to sort this problem out. Both PRs (mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1956879#c4) didn't catch anything suspicious. Since this error also appeared in 4.7, it seems it's not related anyhow with Bounded Service Account Tokens and key rotation. In order to tell anything more about it, I'd need a stable way to reproduce it.
Together with Sergiusz and Standa we decided to keep this bug around. Unfortunately we do not have enough data to debug it further. Logging tokens and cryptographic keys anywhere is simply a no-go solution. So far we also noticed that this error happens only in the monitoring stack by the oauth-proxy. For now we only know that a bearer token that is coming through oauth-proxy is invalid. Once we find a stable way to reproduce it, we can probably track the root cause.
sprint review: we have not found the root cause yet but the issue is being worked on.
We found that the error is caused by clients sending invalid jwt tokens against api server. In this concrete case etcd-operator was identified.
The etcd-operator logs are being observed. But issue is yet to be encountered.
Please link a 4.9 test run that was run after the merge and shows the symptoms.
It's not reproducible now. Will need to wait for some more time (probably a week) to see if the issue is encountered.
Moving it to Verified since it's not reproducible. This issue is not seen any more.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:3759
bearer token seems not work — Unable to authenticate the request due to an error: [invalid bearer token, [invalid bearer token, square/go-jose: error in cryptographic primitive]] #72026
Comments
konghui commented Dec 13, 2018
What happened:
I try to use the bearer token to visit the Kubernetes /healthz interface through a script:
It returns the response:
I think it has sufficient permission, but it still responds with 401
and the apiserver's log displays this:
I tried to delete the token and use a regenerated one like in 22351; it still does not work.
What you expected to happen:
It should return ok.
How to reproduce it (as minimally and precisely as possible):
Try to apply the yaml file I supply below.
Anything else we need to know?:
here is the detail resources.
clusterrolebinding: federation-system federation-controller-manager:common-zone-region
clusterrolebinding: federation-system federation-controller-manager:zone-region
clusterrole: federation-system federation-controller-manager:zone-region
clusterrole: federation-system federation-controller-manager:common-zone-region
Environment:
- Kubernetes version (use kubectl version ): v1.13.0
- Cloud provider or hardware configuration:
- OS (e.g. from /etc/os-release): archlinux
- Kernel (e.g. uname -a ): Linux notepad 4.19.4-arch1-1-ARCH #1 SMP PREEMPT Fri Nov 23 09:06:58 UTC 2018 x86_64 GNU/Linux
yue9944882 commented Dec 13, 2018
liggitt commented Dec 13, 2018
It appears that you are not giving the apiserver a public key to use to verify service account tokens. If --service-account-key-file is not provided to the apiserver, it uses the --tls-private-key-file to verify tokens ( /home/larry/project/clusters/zone/cert/apiserver/apiserver-key.pem , in your case)
That key does not match the key your controller-manager was given with --service-account-private-key-file to sign the tokens ( /home/larry/project/clusters/zone/cert/ca/ca-key.pem , in your case)
Update the apiserver invocation to provide it with the correct --service-account-key-file in order for the generated service account tokens to be able to be used as valid authentication tokens.
k8s-ci-robot commented Dec 13, 2018
@liggitt: Closing this issue.
It appears that you are not giving the apiserver a public key to use to verify service account tokens. If --service-account-key-file is not provided to the apiserver, it uses the --tls-private-key-file to verify tokens ( /home/larry/project/clusters/zone/cert/apiserver/apiserver-key.pem , in your case)
That key does not match the key your controller-manager was given with --service-account-private-key-file to sign the tokens ( /home/larry/project/clusters/zone/cert/ca/ca-key.pem , in your case)
Update the apiserver invocation to provide it with the correct --service-account-key-file in order for the generated service account tokens to be able to be used as valid authentication tokens.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
vsxen commented Dec 14, 2018
I have another question.
Does this secure port not provide a metrics route?
Can I get metrics from the secure port (kube-controller-manager & kube-scheduler)?
konghui commented Dec 14, 2018
I think k8s supports getting metrics from the secure port; you should create a role and use a bearer token to get the metrics info. I used this method to get the metrics from the kubelet secure port.
vsxen commented Dec 16, 2018
kube-controller-manager does not support it.
HankTheCrank commented May 29, 2020
I know this is closed but I had the same problem and I want to document the solution in case it helps someone. (none of the solutions above worked for me)
The problem I had was I reset the cluster with kubeadm but for some reason the service account secret remained. I had reconfigured my certificates so the token in the secret was for the old certificates. This gave me the error. The solution is to delete the coredns service account secret and a new one will be created with the new certificate. Finally, delete the coredns pod to force the new service account secret to be used.
Andy546 commented Jun 3, 2020
I know this is closed but I had the same problem and I want to document the solution in case it helps someone. (none of the solutions above worked for me)
The problem I had was I reset the cluster with kubeadm but for some reason the service account secret remained. I had reconfigured my certificates so the token in the secret was for the old certificates. This gave me the error. The solution is to delete the coredns service account secret and a new one will be created with the new certificate. Finally, delete the coredns pod to force the new service account secret to be used.
May I ask for more details? Can you give me some direct steps to solve this problem? Appreciate it
HankTheCrank commented Jun 3, 2020
May I ask for more details? Can you give me some direct steps to solve this problem? Appreciate it
Let’s see what I remember (I need to document this better).
Here’s the site I was using to build: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/
Step 3, "Generate the certificate authority":
If you do not already have a CA then run this command on $HOST0 (where you generated the configuration files for kubeadm).
kubeadm init phase certs etcd-ca
Or you get the certificate authority for Kubernetes from your own PKI (this is what I did):
If you already have a CA then the only action is copying the CA's crt and key file to /etc/kubernetes/pki/etcd/ca.crt and /etc/kubernetes/pki/etcd/ca.key
This sets the key used to create all the kubernetes certificates and tokens, including the tokens used for the Kubernetes service accounts. Service accounts, by default, have a secret associated with them. To get the information we need, let’s look at the pod that’s failing:
kubectl describe pod coredns-689857ddd7-k8lc8 -n kube-system
This will give you all the information up the "associations tree" from the pod up to the deployment method. In my case, all I care about is the secret: SecretName: coredns-token-gf2j8
Now what may not be obvious from the documentation I was using is that there is a token controller in the cluster that generates the tokens for service accounts using the provided CA. It monitors the service account secret and will create a new one if one does not exist (even after the install is complete). So, to get a token from the new CA, I deleted the secret for the coredns:
kubectl delete secret coredns-token-gf2j8 -n kube-system
Finally, we have to get the pods to use the new secret, so we need to stop the currently running pods. In the case of coredns, it’s a deployment. There are a couple of ways to do this, but the easiest is to just delete the pods (since they’re not working, this won’t impact anything negatively):
kubectl delete pod coredns-689857ddd7-k8lc8 -n kube-system
Source
new invalid bearer token, square/go-jose: error in cryptographic primitive #110035
Comments
5279314 commented May 13, 2022
What happened?
I doubt whether the API configuration is wrong, because the created serviceaccount does not seem to be mounted in the pod container
What did you expect to happen?
All pods can operate normally. Please help analyze whether there are errors
How can we reproduce it (as minimally and precisely as possible)?
Try to apply the yaml file I supply below.
Anything else we need to know?
The serviceaccount attached to the pod container is different from the one created. Is it correct?
kubectl get pod testwithsa -o yaml
Kubernetes version
Cloud provider
OS version
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, ...) and versions (if applicable)
k8s-ci-robot commented May 13, 2022
@5279314: This issue is currently awaiting triage.
If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
5279314 commented May 13, 2022
jilleJr commented Aug 3, 2022
We faced this issue in our company and just wanted to share our cause and solution to this.
In our case, the cause was:
- There was a mismatch of certs between the control-plane nodes (let’s call them m1, m2, and m3). Nodes m1 and m2 agreed on their certs, but m3 had incompatible certs.
- Not long ago m3 was recreated and a fresh install was added to the cluster with newly generated certs. That’s when it got the incompatible certs.
- Certs are used in JWT validation, such as validating the serviceaccount’s tokens, as seen in the logs of this PR.
- All serviceaccount tokens seem to have been generated by m1 or m2, no matter how many times we tried regenerating them.
- The loadbalancer (outside of k8s) was favoring m3, so no matter how many requests we did to the loadbalancer we always got "Unauthorized" with the serviceaccount's token.
- This all meant that the tokens were consistently failing validation, which was quite tedious to debug.
Our solution was:
- Force regenerate all certificates for the control-plane nodes (m1, m2, m3)
- Regenerate all serviceaccount’s tokens in all namespaces (by deleting all the serviceaccount’s secrets, letting Kubernetes create new ones)
- Restart all pods and kube-apiserver and other similar services. We did this by just rebooting the machines, just to make sure everything is restarted. This forces all apps to use the newly generated serviceaccount token secrets.
- We're using our own in-house "distribution" of Kubernetes that we created using our own Ansible playbooks. There's a big chance this cert-inconsistency wouldn't happen with e.g. Kubespray or Rancher.
Hopefully this could nudge some future admins in the right direction, and also hopefully save some hours of debugging.
Source
square/go-jose: error in cryptographic primitive #3356
Comments
sfxworks commented Nov 23, 2018
Steps to reproduce
- Kubectl reset & kubectl init because you’re trying to learn
- Use kube-flannel
- kubectl apply -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
- Proxy / SSH Tunnel
- Get the error.
Environment
Observed result
Dashboard reported Internal Server Error (500):
Comments
A solution is to clear the browser’s cache. Takes a good few minutes though.
jeefy commented Nov 26, 2018
This is caused because cookies for a previous session remain and try to be re-used on a new cluster.
As you said, the solution is to clear the browser’s cache. Another option that I often use is to use an Incognito window whenever accessing resources I know I’ll respawn often.
k8s-ci-robot commented Nov 26, 2018
@jeefy: Closing this issue.
This is caused because cookies for a previous session remain and try to be re-used on a new cluster.
As you said, the solution is to clear the browser’s cache. Another option that I often use is to use an Incognito window whenever accessing resources I know I’ll respawn often.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Source
square/go-jose: error in cryptographic primitive #2970
Comments
yellowred commented Apr 18, 2018
Steps to reproduce
Environment
Observed result
Dashboard reported Internal Server Error (500):
yellowred commented Apr 18, 2018
After I had deleted all the pods it started to work. So it was either resource caused or just needed more time to initialise. Gonna keep this issue for informational reasons, but closed as it is solved for me.
tanmaykm commented Aug 26, 2018
Faced it too. It was because of a stale browser cookie in my case.
rajatrai commented Dec 13, 2018
Faced it too, a bit annoying. In my case, I was using chrome and started a new window in incognito mode and it worked fine.
xiaoanyunfei commented Dec 18, 2018
It may be because your secret token was not signed and verified by the same private/public key pair. kube-controller-manager generates the token, and kube-apiserver checks the token. The key is specified by --service-account-key-file; if unspecified, --tls-private-key-file is used.
rajatrai commented Dec 18, 2018
It may be because your secret token was not signed and verified by the same private/public key pair. kube-controller-manager generates the token, and kube-apiserver checks the token. The key is specified by --service-account-key-file; if unspecified, --tls-private-key-file is used.
It didn’t get that far where it takes the token 😉
njfix6 commented Apr 19, 2019
Yes also get this issue. It happened to me when I switched between kubernetes clusters and I think it doesn’t handle the token properly. If I log out and log back in it works.
LevonBecker commented Jun 28, 2019
Had the same issue in Chrome. Clear Browser data fixes it.
aaronhadoop commented Dec 4, 2021
I solved the same problem by logging in again and entering the TOKEN again.
farhanJR commented Mar 4, 2022
Faced it too. It was because of a stale browser cookie in my case.
Source
What happened?
I doubt whether the API configuration is wrong, because the created serviceaccount does not seem to be mounted in the pod container
[[email protected] /run/secrets/kubernetes.io/serviceaccount]$ curl --cacert ./ca.crt -H "Authorization: Bearer $(cat ./token)" https://10.1.1.100:6443/namespace/$(cat ./namespace)/
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
apiserver log
E0505 15:59:49.432822 7867 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, square/go-jose: error in cryptographic primitive]"
What did you expect to happen?
All pods can operate normally. Please help analyze whether there are errors
How can we reproduce it (as minimally and precisely as possible)?
Try to apply the yaml file I supply below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test
  namespace: default
automountServiceAccountToken: true
---
apiVersion: v1
kind: Pod
metadata:
  name: testwithsa
  namespace: default
spec:
  containers:
  - name: amdinbox
    image: ikubernetes/admin-toolbox:v1.0
    imagePullPolicy: Always
  serviceAccountName: test
kube-apiserver args
[[email protected] ~]# cat /opt/kubernetes/cfg/kube-apiserver.conf
KUBE_APISERVER_OPTS="--logtostderr=false
--v=2
--log-dir=/opt/kubernetes/logs
--etcd-servers=https://10.1.1.100:2379,https://10.1.1.130:2379,https://10.1.1.120:2379
--bind-address=10.1.1.100
--secure-port=6443
--advertise-address=10.1.1.100
--allow-privileged=true
--service-cluster-ip-range=192.168.0.0/16
--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,NodeRestriction
--authorization-mode=RBAC,Node
--enable-bootstrap-token-auth=true
--token-auth-file=/opt/kubernetes/cfg/token.csv
--service-node-port-range=30000-32767
--kubelet-client-certificate=/opt/kubernetes/ssl/server.pem
--kubelet-client-key=/opt/kubernetes/ssl/server-key.pem
--client-ca-file=/opt/kubernetes/ssl/ca.pem
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem
--etcd-cafile=/opt/kubernetes/ssl/etcd/ca.pem
--etcd-certfile=/opt/kubernetes/ssl/etcd/server.pem
--etcd-keyfile=/opt/kubernetes/ssl/etcd/server-key.pem
--service-account-issuer=api
--service-account-signing-key-file=/opt/kubernetes/ssl/server-key.pem
--tls-cert-file=/opt/kubernetes/ssl/server.pem
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem
--proxy-client-cert-file=/opt/kubernetes/ssl/server.pem
--proxy-client-key-file=/opt/kubernetes/ssl/server-key.pem
--requestheader-allowed-names=kubernetes
--requestheader-client-ca-file=/opt/kubernetes/ssl/ca.pem
--requestheader-extra-headers-prefix=X-Remote-Extra-
--requestheader-group-headers=X-Remote-Group
--requestheader-username-headers=X-Remote-User
--enable-aggregator-routing=true
--audit-log-maxage=30
--audit-log-maxbackup=3
--audit-log-maxsize=100
--audit-log-path=/opt/kubernetes/logs/k8s-audit.log"
kube-controller-manager args
[[email protected] ~]# cat /opt/kubernetes/cfg/kube-controller-manager.conf
KUBE_CONTROLLER_MANAGER_OPTS="--logtostderr=false
--v=2
--log-dir=/opt/kubernetes/logs
--leader-elect=true
--kubeconfig=/opt/kubernetes/cfg/kube-controller-manager.kubeconfig
--cluster-cidr=172.7.0.0/16
--service-cluster-ip-range=192.168.0.0/16
--cluster-signing-cert-file=/opt/kubernetes/ssl/ca.pem
--cluster-signing-key-file=/opt/kubernetes/ssl/ca-key.pem
--root-ca-file=/opt/kubernetes/ssl/ca.pem
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem
--cluster-signing-duration=87600h0m0s"
kube-scheduler.conf args
KUBE_SCHEDULER_OPTS="--logtostderr=false
--v=2
--log-dir=/opt/kubernetes/logs
--leader-elect
--kubeconfig=/opt/kubernetes/cfg/kube-scheduler.kubeconfig
--bind-address=127.0.0.1"
Anything else we need to know?
kube-controller-manager log
Log file created at: 2022/05/05 13:17:27
Running on machine: k8s-master1
Binary: Built with gc go1.17.9 for linux/amd64
Log line format: [IWEF]mmdd hh:mm:ss.uuuuuu threadid file:line] msg
F0505 13:17:27.963288 7994 controllermanager.go:298] leaderelection lost
kube-apiserver log
E0505 15:54:18.319100 7867 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, square/go-jose: error in cryptographic primitive]"
E0505 15:55:27.574617 7867 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, square/go-jose: error in cryptographic primitive]"
I0505 15:56:24.576807 7867 controller.go:611] quota admission added evaluator for: rolebindings.rbac.authorization.k8s.io
E0505 15:56:30.742378 7867 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, square/go-jose: error in cryptographic primitive]"
E0505 15:59:49.432822 7867 authentication.go:63] "Unable to authenticate the request" err="[invalid bearer token, square/go-jose: error in cryptographic primitive]"
W0505 16:02:35.263506 7867 watcher.go:229] watch chan error: etcdserver: mvcc: required revision has been compacted
W0505 16:10:01.585297 7867 watcher.go:229] watch chan error: etcdserver: mvcc: required revision has been compacted
W0505 16:20:20.157816 7867 watcher.go:229] watch chan error: etcdserver: mvcc: required revision has been compacted
api-servceca.json
{
  "CN": "kubernetes",
  "hosts": [
    "192.168.0.1",
    "127.0.0.1",
    "kubernetes",
    "kubernetes.default",
    "kubernetes.default.svc",
    "kubernetes.default.svc.cluster",
    "kubernetes.default.svc.cluster.local",
    "127.0.0.1",
    "192.168.0.1",
    "10.1.1.50",
    "10.1.1.60",
    "10.1.1.100",
    "10.1.1.110",
    "10.1.1.120",
    "10.1.1.130",
    "10.1.1.150"
  ],
  "key": {
    "algo": "rsa",
    "size": 2048
  },
  "names": [
    {
      "C": "CN",
      "L": "BeiJing",
      "ST": "BeiJing",
      "O": "k8s",
      "OU": "System"
    }
  ]
}
Kubernetes version
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.6", GitCommit:"ad3338546da947756e8a88aa6822e9c11e7eac22", GitTreeState:"clean", BuildDate:"2022-04-14T08:49:13Z", GoVersion:"go1.17.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.6", GitCommit:"ad3338546da947756e8a88aa6822e9c11e7eac22", GitTreeState:"clean", BuildDate:"2022-04-14T08:43:11Z", GoVersion:"go1.17.9", Compiler:"gc", Platform:"linux/amd64"}
Cloud provider
OS version
$ cat /etc/os-release
CentOS Linux release 7.9.2009 (Core)
$ uname -a
Linux k8s-master1 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Install tools
Container runtime (CRI) and version (if applicable)
Related plugins (CNI, CSI, …) and versions (if applicable)
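The rule liggitt states earlier on this page (the key that signs a service account token must be the one the apiserver verifies with) applied to the flag layout quoted in this issue, as an added example that is neither the issue author's nor Kubernetes' own code. The flag excerpts are constructed from the config above and trimmed to the relevant flags; the keys are generated at run time and stand in for server-key.pem and ca-key.pem; the RS256 routines use only the Go standard library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Constructed excerpts of the two flag files quoted in the issue, trimmed to
// the flags that decide which key signs and which key verifies SA tokens.
const apiserverConf = `KUBE_APISERVER_OPTS="--logtostderr=false
--service-account-key-file=/opt/kubernetes/ssl/ca-key.pem
--service-account-issuer=api
--service-account-signing-key-file=/opt/kubernetes/ssl/server-key.pem
--tls-private-key-file=/opt/kubernetes/ssl/server-key.pem"`

const controllerManagerConf = `KUBE_CONTROLLER_MANAGER_OPTS="--leader-elect=true
--service-account-private-key-file=/opt/kubernetes/ssl/ca-key.pem"`

var flagRe = regexp.MustCompile(`--([a-z0-9-]+)=([^\s"]+)`)

// parseFlags turns a KUBE_*_OPTS style file into a flag -> value map.
func parseFlags(conf string) map[string]string {
	out := map[string]string{}
	for _, m := range flagRe.FindAllStringSubmatch(conf, -1) {
		out[m[1]] = m[2]
	}
	return out
}

// keyMismatches applies the rule from the thread: each key that signs SA
// tokens must be the key the apiserver verifies with (--service-account-key-file,
// else --tls-private-key-file). Comparing paths is a heuristic: two paths may
// hold one key, and a file may have been regenerated since the token was issued.
func keyMismatches(apiserver, cm map[string]string) []string {
	verify, ok := apiserver["service-account-key-file"]
	if !ok {
		verify = apiserver["tls-private-key-file"]
	}
	var out []string
	for _, s := range []struct{ component, flag string; flags map[string]string }{
		{"kube-controller-manager", "service-account-private-key-file", cm},
		{"kube-apiserver", "service-account-signing-key-file", apiserver},
	} {
		if path, ok := s.flags[s.flag]; ok && path != verify {
			out = append(out, fmt.Sprintf("%s signs with %s but the apiserver verifies with %s",
				s.component, path, verify))
		}
	}
	return out
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signRS256 builds a minimal RS256 JWT, a constructed stand-in for a SA token.
func signRS256(claims map[string]interface{}, priv *rsa.PrivateKey) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	input := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// verifyRS256 checks the signature with one verification key. With the wrong
// key it fails the way the apiserver logs "error in cryptographic primitive".
func verifyRS256(token string, pub *rsa.PublicKey) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed token: got %d segments, want 3", len(parts))
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	for _, m := range keyMismatches(parseFlags(apiserverConf), parseFlags(controllerManagerConf)) {
		fmt.Println("config:", m)
	}
	signingKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for server-key.pem
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // stands in for ca-key.pem
	token, _ := signRS256(map[string]interface{}{"iss": "api"}, signingKey)
	fmt.Println("signing key:", verifyRS256(token, &signingKey.PublicKey))
	fmt.Println("other key:  ", verifyRS256(token, &otherKey.PublicKey))
}
```

Run against the real files, the path check should be replaced by comparing the public keys extracted from each PEM, since equal paths on different control-plane nodes (the case jilleJr describes) can still hold different keys.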
The authentication failed in my visit. I suspect there is an error in the args configuration of my api-server. Can I have a look at your Kube-apiserver args?
Yeah, sure, i searched but nothing related to this error, find the logs below: