我的书签
添加书签
移除书签Troubleshooting
These checks only run when the —pre flag is set. This flag is intended foruse prior to running linkerd install, to verify your cluster is prepared forinstallation.
Example failure:
By default linkerd install will create a linkerd namespace. Prior toinstallation, that namespace should not exist. To check with a differentnamespace, run:
linkerd check --pre --linkerd-namespace linkerd-test
√ can create Kubernetes resources
The subsequent checks in this section validate whether you have permission tocreate the Kubernetes resources required for Linkerd installation, specifically:
√ can create Namespaces√ can create ClusterRoles√ can create ClusterRoleBindings√ can create CustomResourceDefinitions
The “pre-kubernetes-setup” checks
These checks only run when the —pre flag is set This flag is intended foruse prior to running linkerd install, to verify you have the correct RBACpermissions to install Linkerd.
√ can create Namespaces√ can create ClusterRoles√ can create ClusterRoleBindings√ can create CustomResourceDefinitions√ can create PodSecurityPolicies√ can create ServiceAccounts√ can create Services√ can create Deployments√ can create ConfigMaps
√ no clock skew detected
This check verifies whether there is clock skew between the system runningthe linkerd install command and the Kubernetes node(s), causingpotential issues.
The “pre-kubernetes-capability” checks
These checks only run when the —pre flag is set. This flag is intended foruse prior to running linkerd install, to verify you have the correctKubernetes capability permissions to install Linkerd.
√ has NET_ADMIN capability
Example failure:
× has NET_ADMIN capabilityfound 3 PodSecurityPolicies, but none provide NET_ADMINsee https://linkerd.io/checks/#pre-k8s-cluster-net-admin for hints
Linkerd installation requires the NET_ADMIN Kubernetes capability, to allowfor modification of iptables.
For more information, see the Kubernetes documentation on,Security Contexts,and the .
√ has NET_RAW capability
Example failure:
× has NET_RAW capabilityfound 3 PodSecurityPolicies, but none provide NET_RAWsee https://linkerd.io/checks/#pre-k8s-cluster-net-raw for hints
Linkerd installation requires the NET_RAW Kubernetes capability, to allow formodification of iptables.
For more information, see the Kubernetes documentation on,Security Contexts,and the .
The “pre-linkerd-global-resources” checks
These checks only run when the —pre flag is set. This flag is intended foruse prior to running linkerd install, to verify you have not already installedthe Linkerd control plane.
√ no ClusterRoles exist√ no ClusterRoleBindings exist√ no CustomResourceDefinitions exist√ no MutatingWebhookConfigurations exist√ no ValidatingWebhookConfigurations exist√ no PodSecurityPolicies exist
If you do not expect to have the permission for a full cluster install, try the—single-namespace flag, which validates if Linkerd can be installed in asingle namespace, with limited cluster access:
linkerd check --pre --single-namespace
√ control plane namespace exists
× control plane namespace existsThe "linkerd" namespace does not exist
In —single-namespace mode, linkerd check assumes that the installer doesnot have permission to create a namespace, so the installation namespace mustalready exist.
By default the linkerd namespace is used. To use a different namespace run:
linkerd check --pre --single-namespace --linkerd-namespace linkerd-test
√ can create Kubernetes resources
The subsequent checks in this section validate whether you have permission tocreate the Kubernetes resources required for Linkerd —single-namespaceinstallation, specifically:
√ can create Roles√ can create RoleBindings
For more information on cluster access, see the section above.
The “kubernetes-api” checks
Example failures:
× can initialize the clienterror configuring Kubernetes API client: stat badconfig: no such file or directoryGet https://8.8.8.8/version: dial tcp 8.8.8.8:443: i/o timeout
Ensure that your system is configured to connect to a Kubernetes cluster.Validate that the KUBECONFIG environment variable is set properly, and/or~/.kube/config points to a valid cluster.
For more information see these pages in the Kubernetes Documentation:
- Configure Access to Multiple ClustersAlso verify that these command works:
kubectl config viewkubectl cluster-infokubectl version
Another example failure:
✘ can query the Kubernetes APIGet REDACTED/version: x509: certificate signed by unknown authority
As an (unsafe) workaround to this, you may try:
kubectl config set-cluster ${KUBE_CONTEXT} --insecure-skip-tls-verify=true \--server=${KUBE_CONTEXT}
The “kubernetes-version” checks
√ is running the minimum Kubernetes API version
Example failure:
× is running the minimum Kubernetes API versionKubernetes is on version [1.7.16], but version [1.12.0] or more recent is required
Linkerd requires at least version 1.12.0. Verify your cluster version with:
kubectl version
√ is running the minimum kubectl version
Example failure:
× is running the minimum kubectl versionkubectl is on version [1.9.1], but version [1.12.0] or more recent is requiredsee https://linkerd.io/checks/#kubectl-version for hints
Linkerd requires at least version 1.12.0. Verify your kubectl version with:
kubectl version --client --short
To fix please update kubectl version.
For more information on upgrading Kubernetes, see the page in the KubernetesDocumentation onUpgrading a cluster
The “linkerd-config” checks
This category of checks validates that Linkerd’s cluster-wide RBAC and relatedresources have been installed. These checks run via a default linkerd check,and also in the context of a multi-stage setup, for example:
# install cluster-wide resources (first stage)linkerd install config | kubectl apply -f -# validate successful cluster-wide resources installationlinkerd check config# install Linkerd control planelinkerd install control-plane | kubectl apply -f -# validate successful control-plane installationlinkerd check
√ control plane Namespace exists
Example failure:
× control plane Namespace existsThe "foo" namespace does not existsee https://linkerd.io/checks/#l5d-existence-ns for hints
Ensure the Linkerd control plane namespace exists:
kubectl get ns
The default control plane namespace is linkerd. If you installed Linkerd intoa different namespace, specify that in your check command:
linkerd check --linkerd-namespace linkerdtest
√ control plane ClusterRoles exist
Example failure:
× control plane ClusterRoles existmissing ClusterRoles: linkerd-linkerd-controllersee https://linkerd.io/checks/#l5d-existence-cr for hints
$ kubectl get clusterroles | grep linkerdlinkerd-linkerd-controller 9dlinkerd-linkerd-identity 9dlinkerd-linkerd-prometheus 9dlinkerd-linkerd-proxy-injector 20dlinkerd-linkerd-sp-validator 9d
Also ensure you have permission to create ClusterRoles:
$ kubectl auth can-i create clusterrolesyes
Example failure:
× control plane ClusterRoleBindings existmissing ClusterRoleBindings: linkerd-linkerd-controllersee https://linkerd.io/checks/#l5d-existence-crb for hints
Ensure the Linkerd ClusterRoleBindings exist:
Also ensure you have permission to create ClusterRoleBindings:
$ kubectl auth can-i create clusterrolebindingsyes
√ control plane ServiceAccounts exist
Example failure:
× control plane ServiceAccounts existmissing ServiceAccounts: linkerd-controllersee https://linkerd.io/checks/#l5d-existence-sa for hints
Ensure the Linkerd ServiceAccounts exist:
$ kubectl -n linkerd get serviceaccountsNAME SECRETS AGEdefault 1 23mlinkerd-controller 1 23mlinkerd-grafana 1 23mlinkerd-identity 1 23mlinkerd-prometheus 1 23mlinkerd-proxy-injector 1 7mlinkerd-sp-validator 1 23mlinkerd-web 1 23m
Also ensure you have permission to create ServiceAccounts in the Linkerdnamespace:
$ kubectl -n linkerd auth can-i create serviceaccountsyes
√ control plane CustomResourceDefinitions exist
Example failure:
× control plane CustomResourceDefinitions existmissing CustomResourceDefinitions: serviceprofiles.linkerd.iosee https://linkerd.io/checks/#l5d-existence-crd for hints
Ensure the Linkerd CRD exists:
$ kubectl get customresourcedefinitionsNAME CREATED ATserviceprofiles.linkerd.io 2019-04-25T21:47:31Z
Also ensure you have permission to create CRDs:
$ kubectl auth can-i create customresourcedefinitionsyes
√ control plane MutatingWebhookConfigurations exist
Example failure:
× control plane MutatingWebhookConfigurations existmissing MutatingWebhookConfigurations: linkerd-proxy-injector-webhook-configsee https://linkerd.io/checks/#l5d-existence-mwc for hints
Ensure the Linkerd MutatingWebhookConfigurations exists:
$ kubectl get mutatingwebhookconfigurations | grep linkerdlinkerd-proxy-injector-webhook-config 2019-07-01T13:13:26Z
Also ensure you have permission to create MutatingWebhookConfigurations:
$ kubectl auth can-i create mutatingwebhookconfigurationsyes
√ control plane ValidatingWebhookConfigurations exist
Example failure:
× control plane ValidatingWebhookConfigurations existmissing ValidatingWebhookConfigurations: linkerd-sp-validator-webhook-configsee https://linkerd.io/checks/#l5d-existence-vwc for hints
Ensure the Linkerd ValidatingWebhookConfiguration exists:
$ kubectl get validatingwebhookconfigurations | grep linkerd
Also ensure you have permission to create ValidatingWebhookConfigurations:
$ kubectl auth can-i create validatingwebhookconfigurationsyes
√ control plane PodSecurityPolicies exist
Example failure:
× control plane PodSecurityPolicies existmissing PodSecurityPolicies: linkerd-linkerd-control-planesee https://linkerd.io/checks/#l5d-existence-psp for hints
Ensure the Linkerd PodSecurityPolicy exists:
$ kubectl get podsecuritypolicies | grep linkerdlinkerd-linkerd-control-plane false NET_ADMIN,NET_RAW RunAsAny RunAsAny MustRunAs MustRunAs true configMap,emptyDir,secret,projected,downwardAPI,persistentVolumeClaim
Also ensure you have permission to create PodSecurityPolicies:
$ kubectl auth can-i create podsecuritypoliciesyes
√ ‘linkerd-config’ config map exists
Example failure:
× 'linkerd-config' config map existsmissing ConfigMaps: linkerd-configsee https://linkerd.io/checks/#l5d-existence-linkerd-config for hints
Ensure the Linkerd ConfigMap exists:
$ kubectl -n linkerd get configmap/linkerd-configNAME DATA AGElinkerd-config 3 61m
Also ensure you have permission to create ConfigMaps:
$ kubectl -n linkerd auth can-i create configmap
√ control plane replica sets are ready
This failure occurs when one of Linkerd’s ReplicaSets fails to schedule a pod.
For more information, see the Kubernetes documentation on.
√ no unschedulable pods
Example failure:
× no unschedulable podslinkerd-prometheus-6b668f774d-j8ncr: 0/1 nodes are available: 1 Insufficient cpu.see https://linkerd.io/checks/#l5d-existence-unschedulable-pods for hints
For more information, see the Kubernetes documentation on the.
√ controller pod is running
Example failure:
× controller pod is runningNo running pods for "linkerd-controller"
Note, it takes a little bit for pods to be scheduled, images to be pulled andeverything to start up. If this is a permanent error, you’ll want to validatethe state of the controller pod with:
$ kubectl -n linkerd get po --selector linkerd.io/control-plane-component=controllerNAME READY STATUS RESTARTS AGElinkerd-controller-7bb8ff5967-zg265 4/4 Running 0 40m
Check the controller’s logs with:
linkerd logs --control-plane-component controller
√ can initialize the client
Example failure:
× can initialize the clientparse http:// bad/: invalid character " " in host name
Verify that a well-formed —api-addr parameter was specified, if any:
linkerd check --api-addr " bad"
Example failure:
× can query the control plane APIPost http://8.8.8.8/api/v1/Version: context deadline exceeded
This check indicates a connectivity failure between the cli and the Linkerdcontrol plane. To verify connectivity, manually connect to the controller pod:
…and then curl the /metrics endpoint:
curl localhost:9995/metrics
The “linkerd-api” checks
√ control plane pods are ready
Example failure:
× control plane pods are readyNo running pods for "linkerd-web"
$ kubectl -n linkerd get poNAME READY STATUS RESTARTS AGEpod/linkerd-controller-b8c4c48c8-pflc9 4/4 Running 0 45mpod/linkerd-grafana-776cf777b6-lg2dd 2/2 Running 0 1hpod/linkerd-prometheus-74d66f86f6-6t6dh 2/2 Running 0 1hpod/linkerd-web-5f6c45d6d9-9hd9j 2/2 Running 0 3m
√ control plane self-check
Example failure:
× control plane self-checkPost https://localhost:6443/api/v1/namespaces/linkerd/services/linkerd-controller-api:http/proxy/api/v1/SelfCheck: context deadline exceeded
Check the logs on the control-plane’s public API:
linkerd logs --control-plane-component controller --container public-api
√ [kubernetes] control plane can talk to Kubernetes
Example failure:
× [kubernetes] control plane can talk to KubernetesError calling the Kubernetes API: FAIL
Check the logs on the control-plane’s public API:
linkerd logs --control-plane-component controller --container public-api
√ [prometheus] control plane can talk to Prometheus
Example failure:
× [prometheus] control plane can talk to PrometheusError calling Prometheus from the control plane: FAIL
NoteThis will fail if you have changed your default cluster domain fromcluster.local, see the for moreinformation and potential workarounds.
Validate that the Prometheus instance is up and running:
kubectl -n linkerd get all | grep prometheus
Check the Prometheus logs:
linkerd logs --control-plane-component prometheus
Check the logs on the control-plane’s public API:
linkerd logs --control-plane-component controller --container public-api
The “linkerd-service-profile” checks
Example failure:
‼ no invalid service profilesServiceProfile "bad" has invalid name (must be "<service>.<namespace>.svc.cluster.local")
Validate the structure of your service profiles:
$ kubectl -n linkerd get spNAME AGEbad 51slinkerd-controller-api.linkerd.svc.cluster.local 1m
Example failure:
‼ no invalid service profilesthe server could not find the requested resource (get serviceprofiles.linkerd.io)
Validate that the Service Profile CRD is installed on your cluster and that itslinkerd.io/created-by annotation matches your linkerd version clientversion:
kubectl get crd/serviceprofiles.linkerd.io -o yaml | grep linkerd.io/created-by
If the CRD is missing or out-of-date you can update it:
linkerd upgrade | kubectl apply -f -
The “linkerd-version” checks
√ can determine the latest version
Example failure:
× can determine the latest versionGet https://versioncheck.linkerd.io/version.json?version=edge-19.1.2&uuid=test-uuid&source=cli: context deadline exceeded
Ensure you can connect to the Linkerd version check endpoint from theenvironment the linkerd cli is running:
$ curl "https://versioncheck.linkerd.io/version.json?version=edge-19.1.2&uuid=test-uuid&source=cli"{"stable":"stable-2.1.0","edge":"edge-19.1.2"}
√ cli is up-to-date
Example failure:
‼ cli is up-to-dateis running version 19.1.1 but the latest edge version is 19.1.2
See the page on Upgrading Linkerd.
Example failures:
‼ control plane is up-to-dateis running version 19.1.1 but the latest edge version is 19.1.2‼ control plane and cli versions matchmismatched channels: running stable-2.1.0 but retrieved edge-19.1.2
See the page on .
The “linkerd-data-plane” checks
These checks only run when the —proxy flag is set. This flag is intended foruse after running linkerd inject, to verify the injected proxies are operatingnormally.
√ data plane namespace exists
Example failure:
$ linkerd check --proxy --namespace foo...× data plane namespace existsThe "foo" namespace does not exist
Ensure the —namespace specified exists, or, omit the parameter to check allnamespaces.
√ data plane proxies are ready
Example failure:
× data plane proxies are readyNo "linkerd-proxy" containers found
Ensure you have injected the Linkerd proxy into your application via thelinkerd inject command.
For more information on linkerd inject, seein our Getting Started guide.
√ data plane proxy metrics are present in Prometheus
Example failure:
× data plane proxy metrics are present in PrometheusData plane metrics not found for linkerd/linkerd-controller-b8c4c48c8-pflc9.
Ensure Prometheus can connect to each linkerd-proxy via the Prometheusdashboard:
kubectl -n linkerd port-forward svc/linkerd-prometheus 9090
…and then browse tohttp://localhost:9090/targets, validate thelinkerd-proxy section.
You should see all your pods here. If they are not:
- Prometheus might be experiencing connectivity issues with the k8s api server.Check out the logs and delete the pod to flush any possible transient errors.
√ data plane is up-to-date
Example failure:
‼ data plane is up-to-datelinkerd/linkerd-prometheus-74d66f86f6-6t6dh: is running version 19.1.2 but the latest edge version is 19.1.3
See the page on Upgrading Linkerd.
linkerd/linkerd-web-5f6c45d6d9-9hd9j: is running version 19.1.2 but the latest edge version is 19.1.3
See the page on .
√ data plane proxies certificate match the CA’s certificates
Example failure:
If the trust anchor has changed while data plane proxies were running, theywill need to be restarted in order to refresh this information and usethe latest trust anchor from the Linkerd configuration.
