Silent error getting kube config in-cluster

[benjamin-wright]

Hi, I'm having a really basic problem with getting kube working in cluster with my k3s cluster (v1.18.9-k3s1). I have a very simple application which is basically just the following:

#![feature(proc_macro_hygiene, decl_macro)]

extern crate kube;
extern crate serde;
extern crate serde_json;

use kube::{ Config };

#[tokio::main]
async fn main() -> Result<(), kube::Error> {
    println!("Starting...");

    println!("Getting kube config...");
    let config_result = Config::from_cluster_env(); //This is breaking

    println!("Resolving kube config result...");
    let config = match config_result {
        Ok(config) => config,
        Err(e) => {
            println!("Error getting config {:?}", e);
            return Err(e);
        }
    };

    println!("Finished!");
    Ok(())
}

[dependencies]
kube = { version = "0.43.0", default-features = false, features = ["derive", "native-tls"] }
kube-runtime = { version = "0.43.0", default-features = false, features = [ "native-tls" ] }
k8s-openapi = { version = "0.9.0", default-features = false, features = ["v1_18"] }
serde =  { version = "1.0", features = ["derive"] }
serde_derive = "1.0"
serde_json = "1.0"
tokio = { version = "0.2.22", features = ["full"] }
reqwest = { version = "0.10.8", default-features = false, features = ["json", "gzip", "stream", "native-tls"] }

The output I'm getting is:

[server] Starting...
[server] Getting kube config...
[K8s EVENT: Pod auth-controller-6fb8f87b4d-5stf5 (ns: ponglehub)] Back-off restarting failed container

I'm hoping this is something obvious in my dependencies, but am suspicious that it's a K3S compatibility issue, since I tried using rustls originally and had to switch to native openssl because the k3s in-cluster api server address is an IP address rather than a hostname...

[clux]

It's not a lot the Config::from_cluster_env fn is doing other than reading environment variable.
My first thought is that you might not be have automountServiceAccountToken: true to get the evars in there.

Weird that you are not getting Error information from the call. It should return an Error (and clearly it's crashing). What produces the [server] and [k8s EVENT] output? This doesn't look like straight kubectl logs which probably would have the error.

dependency wise, if you are not using rustls, you can take out the default-features = false on kube and kube-runtime and just pick the features you want (like derive for kube)

[benjamin-wright]

Hi @clux, thanks for getting back to me so quickly. Sorry, the output is from Tilt, which I'm using to deploy and pipe back the logs. But k9s gives a similar story:

Starting...           
Getting kube config...
stream closed         

Yeah, it's the lack of logs that's really getting me. I haven't created an explicit service account for it yet, will try giving it a service account and see if that was throwing it for a loop somehow. Ta for the pointer on default-features :)

[benjamin-wright]

Nope, explicit serviceaccount with explicit automountServiceAccountToken: true, same output 😞

[clux]

are you associating the deployment with the service account?
https://github.com/clux/kube-rs/blob/master/tests/deployment.yaml#L114

[benjamin-wright]

Yup:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: auth-controller
    app.kubernetes.io/managed-by: tilt
  name: auth-controller
  namespace: ponglehub
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: auth-controller
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: auth-controller
        app.kubernetes.io/managed-by: tilt
        tilt.dev/pod-template-hash: ad41af2b3e7eaa93efd5
    spec:
      containers:
      - image: auth-controller:tilt-20f9932817b95f85
        imagePullPolicy: IfNotPresent
        name: server
        resources:
          limits:
            cpu: 100m
            memory: 32Mi
          requests:
            cpu: 100m
            memory: 32Mi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: auth-controller
      serviceAccountName: auth-controller
      terminationGracePeriodSeconds: 30

[benjamin-wright]

And k9s is saying that the service account tokens are mounted:
Mounts: /var/run/secrets/kubernetes.io/serviceaccount from auth-controller-token-wx5ll (ro)

[clux]

Ok, that should be fine then 🤔

I would try to use kubectl logs on the pod to get the full logs, tilt might be hiding the last error for you.
if this is all the code you use on k3s i could maybe try to reproduce it later.

[benjamin-wright]

Same from kubectl, last line is Getting kube config.... Is there a trick to turning on the trace! logs?

If you could try to replicate, that would be amazing! Code above is literally everything, I deleted everything extraneous I could find :)

[clux]

you can turn on traces by tuning an evar; RUST_LOG=info,kube=trace (if you are using env_logger). some examples show how to do this.

[benjamin-wright]

Thanks, am still getting my head round a lot of how rust works!

Turning on the trace gives no more info, which I guess means it's falling over somewhere before it gets to the error path 😞

If I get a chance I'll try pulling the kube-rs source and dropping some more traces in to see if I can pinpoint where it's coming unstuck

[nightkr]

What exit code and reason does kubectl describe pod show?

[nightkr]

FWIW it seems to run fine for me in K3d 0.8.0.6, but I couldn't get Tilt to cooperate.

[benjamin-wright]

Thanks @teozkr, that confirms that there's no reason it shouldn't work in principle.

    State:          Terminated
      Reason:       Error
      Exit Code:    139
      Started:      Fri, 23 Oct 2020 21:58:11 +0100
      Finished:     Fri, 23 Oct 2020 21:58:11 +0100
    Last State:     Terminated
      Reason:       Error
      Exit Code:    139
      Started:      Fri, 23 Oct 2020 21:57:57 +0100
      Finished:     Fri, 23 Oct 2020 21:57:57 +0100

I was on brew's k3d v3.0.1, and v3.1.5 is available now. Will try rolling the version tomorrow and see what happens... 🤞

FYI: On the tilt front, there's a script of theirs that got it working with k3d for me: https://github.com/tilt-dev/k3d-local-registry/

[nightkr]

139 indicates a segfault.. weird. What's your stack size inside the pod?

…

On Fri, 23 Oct 2020, 23:16 benjamin-wright, ***@***.***> wrote: Thanks @teozkr <https://github.com/teozkr>, that confirms that there's no reason it shouldn't work in principle. State: Terminated Reason: Error Exit Code: 139 Started: Fri, 23 Oct 2020 21:58:11 +0100 Finished: Fri, 23 Oct 2020 21:58:11 +0100 Last State: Terminated Reason: Error Exit Code: 139 Started: Fri, 23 Oct 2020 21:57:57 +0100 Finished: Fri, 23 Oct 2020 21:57:57 +0100 I was on brew's k3d v3.0.1, and v3.1.5 is available now. Will try rolling the version tomorrow and see what happens... 🤞 FYI: On the tilt front, there's a script of theirs that got it working with k3d for me: https://github.com/tilt-dev/k3d-local-registry/ — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#331 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAE6U2E6KEAEUUER7Q3U2QLSMHXBJANCNFSM4S4ICFWA> .

[benjamin-wright]

Found some more info from valgrind while trying to figure out how to get the stack size, it's a bit chonky but kinda interesting:

==124== Memcheck, a memory error detector
==124== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==124== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==124== Command: ./rust_binary
==124== 
==124== Conditional jump or move depends on uninitialised value(s)
==124==    at 0x4C90A5: strlen (in /rust_binary)
==124==    by 0x4C172C: setenv (in /rust_binary)
==124==    by 0x400AE9F: ???
==124==    by 0x400989F: ???
==124==    by 0x400AE9F: ???
==124==    by 0x8: ???
==124==    by 0x4D91C7: ??? (in /rust_binary)
==124==    by 0x4953B3: setenv (os.rs:560)
==124==    by 0x4953B3: std::env::_set_var (env.rs:322)
==124==    by 0x1AB6FC: std::env::set_var (in /rust_binary)
==124==    by 0x1AC1BB: auth_controller::main::{{closure}} (in /rust_binary)
==124==    by 0x1AB0F9: <core::future::from_generator::GenFuture<T> as core::future::future::Future>::poll (in /rust_binary)
==124==    by 0x1AAA51: tokio::runtime::enter::Enter::block_on::{{closure}} (in /rust_binary)
==124==  Uninitialised value was created
==124==    at 0x4CDB68: __expand_heap (in /rust_binary)
==124==    by 0x2: ???
==124==    by 0x67D457: ??? (in /rust_binary)
==124==    by 0x4C5F00: sched_yield (in /rust_binary)
==124==    by 0x1FFF000607: ???
==124== 
==124== Conditional jump or move depends on uninitialised value(s)
==124==    at 0x4C90A5: strlen (in /rust_binary)
==124==    by 0x495026: from_ptr (c_str.rs:1172)
==124==    by 0x495026: getenv (os.rs:548)
==124==    by 0x495026: std::env::_var_os (env.rs:241)
==124==    by 0x494E15: var_os<&std::ffi::os_str::OsStr> (env.rs:237)
==124==    by 0x494E15: std::env::_var (env.rs:209)
==124==    by 0x1C378F: std::env::var (in /rust_binary)
==124==    by 0x1B0A60: env_logger::Var::get (in /rust_binary)
==124==    by 0x1B096C: env_logger::Env::get_filter (in /rust_binary)
==124==    by 0x1AFCDE: env_logger::Builder::parse_env (in /rust_binary)
==124==    by 0x1AFC10: env_logger::Builder::from_env (in /rust_binary)
==124==    by 0x1B0CED: env_logger::try_init_from_env (in /rust_binary)
==124==    by 0x1B0C2C: env_logger::try_init (in /rust_binary)
==124==    by 0x1B0C59: env_logger::init (in /rust_binary)
==124==    by 0x1AC1C6: auth_controller::main::{{closure}} (in /rust_binary)
==124==  Uninitialised value was created
==124==    at 0x4CDB68: __expand_heap (in /rust_binary)
==124==    by 0x2: ???
==124==    by 0x67D457: ??? (in /rust_binary)
==124==    by 0x4C5F00: sched_yield (in /rust_binary)
==124==    by 0x1FFF000607: ???
==124== 
[2020-10-24T07:17:47Z INFO  auth_controller] Starting...
[2020-10-24T07:17:47Z INFO  auth_controller] An info message
[2020-10-24T07:17:47Z TRACE auth_controller] A trace message
[2020-10-24T07:17:47Z INFO  auth_controller] Getting kube configs...
==124== Conditional jump or move depends on uninitialised value(s)
==124==    at 0x4C2E55: calloc (in /rust_binary)
==124==    by 0x67D457: ??? (in /rust_binary)
==124==    by 0x1FFEFF248F: ???
==124==    by 0x1FFF000607: ???
==124==    by 0x39180B: alloc::alloc::alloc_zeroed (in /rust_binary)
==124==    by 0x39198E: alloc::alloc::Global::alloc_impl (in /rust_binary)
==124==    by 0x3921BD: <alloc::alloc::Global as core::alloc::AllocRef>::alloc_zeroed (in /rust_binary)
==124==    by 0x3861F5: alloc::raw_vec::RawVec<T,A>::allocate_in (in /rust_binary)
==124==    by 0x38C127: alloc::raw_vec::RawVec<T,A>::with_capacity_zeroed_in (in /rust_binary)
==124==    by 0x383779: alloc::raw_vec::RawVec<T>::with_capacity_zeroed (in /rust_binary)
==124==    by 0x2ED444: <T as alloc::vec::SpecFromElem>::from_elem (in /rust_binary)
==124==    by 0x2F31AD: alloc::vec::from_elem (in /rust_binary)
==124==  Uninitialised value was created by a stack allocation
==124==    at 0x3B0A4A: regex_syntax::ast::parse::ParserI<P>::parse_with_comments (in /rust_binary)
==124== 
==124== Jump to the invalid address stated on the next line
==124==    at 0x0: ???
==124==    by 0x27ACF1: openssl_sys::init::{{closure}} (in /rust_binary)
==124==    by 0x27AE16: std::sync::once::Once::call_once::{{closure}} (in /rust_binary)
==124==    by 0x49BF51: std::sync::once::Once::call_inner (once.rs:419)
==124==    by 0x27AD97: std::sync::once::Once::call_once (in /rust_binary)
==124==    by 0x27ACD0: openssl_sys::init (in /rust_binary)
==124==    by 0x27A333: openssl::x509::X509::from_pem (in /rust_binary)
==124==    by 0x1FA840: native_tls::imp::Certificate::from_pem (in /rust_binary)
==124==    by 0x1FADF1: native_tls::Certificate::from_pem (in /rust_binary)
==124==    by 0x1F51AB: reqwest::tls::Certificate::from_pem (in /rust_binary)
==124==    by 0x1E33A8: kube::config::incluster_config::load_cert::{{closure}} (in /rust_binary)
==124==    by 0x1D200D: core::iter::adapters::map_try_fold::{{closure}} (in /rust_binary)
==124==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==124== 
==124== 
==124== Process terminating with default action of signal 11 (SIGSEGV)
==124==  Bad permissions for mapped region at address 0x0
==124==    at 0x0: ???
==124==    by 0x27ACF1: openssl_sys::init::{{closure}} (in /rust_binary)
==124==    by 0x27AE16: std::sync::once::Once::call_once::{{closure}} (in /rust_binary)
==124==    by 0x49BF51: std::sync::once::Once::call_inner (once.rs:419)
==124==    by 0x27AD97: std::sync::once::Once::call_once (in /rust_binary)
==124==    by 0x27ACD0: openssl_sys::init (in /rust_binary)
==124==    by 0x27A333: openssl::x509::X509::from_pem (in /rust_binary)
==124==    by 0x1FA840: native_tls::imp::Certificate::from_pem (in /rust_binary)
==124==    by 0x1FADF1: native_tls::Certificate::from_pem (in /rust_binary)
==124==    by 0x1F51AB: reqwest::tls::Certificate::from_pem (in /rust_binary)
==124==    by 0x1E33A8: kube::config::incluster_config::load_cert::{{closure}} (in /rust_binary)
==124==    by 0x1D200D: core::iter::adapters::map_try_fold::{{closure}} (in /rust_binary)
==124== 
==124== HEAP SUMMARY:
==124==     in use at exit: 0 bytes in 0 blocks
==124==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==124== 
==124== All heap blocks were freed -- no leaks are possible
==124== 
==124== For lists of detected and suppressed errors, rerun with: -s
==124== ERROR SUMMARY: 14 errors from 4 contexts (suppressed: 0 from 0)
Segmentation fault

Looks like something weird going on in openssl, will carry on digging but thought I'd post this up in-case it's obvious to someone!