Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kubeadm 1.8.0 can't upgrade v1.7.x to another 1.7.x #475

Closed
kad opened this issue Oct 2, 2017 · 3 comments
Closed

kubeadm 1.8.0 can't upgrade v1.7.x to another 1.7.x #475

kad opened this issue Oct 2, 2017 · 3 comments
Assignees
@kad
Labels
area/upgrades kind/bug Categorizes issue or PR as related to a bug.
Milestone
v1.8

Comments

@kad
Copy link
Member

kad commented Oct 2, 2017

Is this a BUG REPORT or FEATURE REQUEST?

BUG REPORT

Upgrading from 1.7.x to another 1.7 release using kubeadm v1.8.0 leads to errors.

Versions

kubeadm version (use kubeadm version): 1.7.5 and 1.8.0

Environment:

  • Kubernetes version (use kubectl version): 1.8.0
  • Cloud provider or hardware configuration: none
  • OS (e.g. from /etc/os-release): CentOS 7

What happened?

install kubernetes 1.7.x (e.g. 1.7.3) cluster using kubeadm 1.7.x
install kubeadm 1.8.0
try "kubeadm upgrade apply v1.7.7"
you will get errors like below:

....
[bootstraptoken] Configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstraptoken] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[addons] Applied essential addon: kube-dns
[addons] Applied essential addon: kube-proxy
[upgrade/postupgrade] FATAL post-upgrade error: [unable to update RBAC clusterrolebinding: ClusterRoleBinding.rbac.authorization.k8s.io "kubeadm:node-autoapprove-bootstrap" is invalid: roleRef: Invalid value: rbac.RoleRef{APIGroup:"rbac.authorization.k8s.io", Kind:"ClusterRole", Name:"system:certificates.k8s.io:certificatesigningrequests:nodeclient"}: cannot change roleRef, unable to update RBAC rolebinding: RoleBinding.rbac.authorization.k8s.io "kubeadm:bootstrap-signer-clusterinfo" is invalid: roleRef: Invalid value: rbac.RoleRef{APIGroup:"rbac.authorization.k8s.io", Kind:"Role", Name:"kubeadm:bootstrap-signer-clusterinfo"}: cannot change roleRef]

What you expected to happen?

upgrade should succeed without errors

How to reproduce it (as minimally and precisely as possible)?

  • install kubeadm 1.7.5
  • kubeadm init --kubernetes-version v1.7.3
  • install kubeadm 1.8.0
  • kubeadm upgrade apply v1.7.7

Anything else we need to know?
@kad kad mentioned this issue Oct 2, 2017
Closed
@kad
Copy link
Member Author

kad commented Oct 2, 2017

/assign kad

kad added a commit to kad/kubernetes that referenced this issue Oct 2, 2017
@kad
Don't try to migrate to new roles and rolebinding within 1.7 upgrades
c24087a 
Fixes: kubernetes/kubeadm#475
@kad kad mentioned this issue Oct 2, 2017
Merged
@jamiehannaford jamiehannaford added kind/bug Categorizes issue or PR as related to a bug. area/upgrades labels Oct 6, 2017
k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Oct 10, 2017
Merge pull request #53338 from kad/fix-1.7-upgrades
3a1e695 
Automatic merge from submit-queue.

Don't try to migrate to new roles and rolebinding within 1.7 upgrades

**What this PR does / why we need it**:

If user uses kubeadm 1.8.0 to upgrade within 1.7.x versions, don't try to migrate to new RBAC rules and names. It will lead to errors like described in kubernetes/kubeadm#475

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: kubernetes/kubeadm#475

**Special notes for your reviewer**:

**Release note**:
```release-note
- kubeadm 1.8 now properly handles upgrades from to 1.7.x to newer release in 1.7 branch
```
@luxas luxas added this to the v1.8 milestone Oct 20, 2017
@luxas
Copy link
Member

luxas commented Oct 20, 2017

This was fixed, thanks @kad!

@luxas luxas closed this as completed Oct 20, 2017
@RenaultAI
Copy link

In case anyone comes across the above mentioned errors during a kubeadm upgrade, this is the work around I used to get my kubeadm upgrade apply to succeed:

kubectl delete clusterrolebindings kubeadm:node-autoapprove-bootstrap
kubectl delete rolebinding -n kube-public kubeadm:bootstrap-signer-clusterinfo

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kad kad

Labels
area/upgrades kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
v1.8
Development

No branches or pull requests
4 participants
@kad @jamiehannaford @luxas @RenaultAI