Controller pod never gets created

[jketcham]

Describe the bug
I have installed ConfigConnector into my GKE cluster using the 'add-on' through the gcloud console UI (following the instructions on this page), and for some reason, the controller pod is never created (nor its service account cnrm-controller-manager), and I'm not sure what the proper steps to debug this are. I noticed this problem in the first place because nothing I was configuring using ConfigConnector was actually getting applied/created.

When I run kubectl wait -n cnrm-system --for=condition=Ready pod --all to verify the installation (as described here), this is the output I get:

pod/cnrm-deletiondefender-0 condition met
pod/cnrm-resource-stats-recorder-5b6878c5fc-sdbtl condition met
pod/cnrm-webhook-manager-7db5549-45wpk condition met
pod/cnrm-webhook-manager-7db5549-nhdlt condition met

I do have PodSecurityPolicy implemented on this cluster and I have taken steps to make sure cnrm components can run, but I'm not sure if I may have missed something for the controller. Is there any way I can verify the PSP is not preventing the controller from creating? There is no indication that the controller is trying to be created but is failing some validation.

Workload Identity has been enabled on my node pool, Kubernetes Engine Monitoring is enabled as well, and I have created a service account with the proper roles and 'workload identity user' role for config connector to use.

ConfigConnector Version
1.27.1

Kuberenetes version
1.16.15-gke.4300

To Reproduce

1. Enable ConfigConnector via the GKE add-on
2. See that the controller pod never gets created

YAML snippets:

apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnector
metadata:
  name: configconnector.core.cnrm.cloud.google.com
spec:
 mode: cluster
 googleServiceAccount: "config-connector@{my-project-id}.iam.gserviceaccount.com"

Any insight would be much appreciated! Thank you!

[jcanseco]

Hi @jketcham, thanks for the detailed info. I agree, that is quite strange.

Can you share with us the outputs of:

1. kubectl describe configconnector (to see the event history)
2. kubectl get configconnector -o yaml (to see the full resource state)
3. kubectl get -n configconnector-operator-system all (to see if the operator components are ok)
4. kubectl logs -f -n configconnector-operator-system configconnector-operator-0 (to see the operator's logs)

[jketcham]

Thanks for the quick response!

Sure enough, right away I see what the issue is. I'm using kustomize to manage the configs for my repo, and I forgot that I was adding a name prefix (cnrm-) to all of my config connector configs, including the ConfigConnector resource name, which caused the name to change from the required name (configconnector.core.cnrm.cloud.google.com). After changing my kustomize configs around to fix the name issue, everything is working as expected!

Just for reference, here is the outputs of those commands in case anyone is curious:

1. kubectl describe configconnector:

Name:         cnrm-configconnector.core.cnrm.cloud.google.com
Namespace:    
Labels:       aaa.cloud/region=us-central1
Annotations:  <none>
API Version:  core.cnrm.cloud.google.com/v1beta1
Kind:         ConfigConnector
Metadata:
  Creation Timestamp:  2020-12-13T20:29:54Z
  Generation:          2
  Resource Version:    1084846
  Self Link:           /apis/core.cnrm.cloud.google.com/v1beta1/configconnectors/cnrm-configconnector.core.cnrm.cloud.google.com
  UID:                 fd792ed3-bf15-44e0-80b6-4eff0c3ea227
Spec:
  Google Service Account:  [email protected]
  Mode:                    cluster
Status:
  Errors:
    error during reconciliation: the only allowed name for ConfigConnector object is 'configconnector.core.cnrm.cloud.google.com'. The name restriction is required to ensure that there is only one ConfigConnector instance in your cluster
  Healthy:  false
Events:     <none>


Name:         configconnector.core.cnrm.cloud.google.com
Namespace:    
Labels:       <none>
Annotations:  <none>
API Version:  core.cnrm.cloud.google.com/v1beta1
Kind:         ConfigConnector
Metadata:
  Creation Timestamp:  2020-12-23T23:55:17Z
  Finalizers:
    configconnector.cnrm.cloud.google.com/finalizer
  Generation:        3
  Resource Version:  6796543
  Self Link:         /apis/core.cnrm.cloud.google.com/v1beta1/configconnectors/configconnector.core.cnrm.cloud.google.com
  UID:               8d330be0-d0fb-4718-b381-b38c9802edb8
Spec:
  Mode:  namespaced
Status:
  Healthy:  true
Events:
  Type    Reason    Age                      From                        Message
  ----    ------    ----                     ----                        -------
  Normal  UpToDate  9m57s (x17844 over 13d)  configconnector-controller  ConfigConnector is up to date

2. kubectl get configconnector -o yaml:

apiVersion: v1
items:
- apiVersion: core.cnrm.cloud.google.com/v1beta1
  kind: ConfigConnector
  metadata:
    annotations:
      kubectl.kubernetes.io/last-applied-configuration: |
        {"apiVersion":"core.cnrm.cloud.google.com/v1beta1","kind":"ConfigConnector","metadata":{"annotations":{},"labels":{"aaa.cloud/region":"us-central1"},"name":"cnrm-configconnector.core.cnrm.cloud.google.com"},"spec":{"googleServiceAccount":"[email protected]","mode":"cluster"}}
    creationTimestamp: "2020-12-13T20:29:54Z"
    generation: 2
    labels:
      aaa.cloud/region: us-central1
    name: cnrm-configconnector.core.cnrm.cloud.google.com
    resourceVersion: "1084846"
    selfLink: /apis/core.cnrm.cloud.google.com/v1beta1/configconnectors/cnrm-configconnector.core.cnrm.cloud.google.com
    uid: fd792ed3-bf15-44e0-80b6-4eff0c3ea227
  spec:
    googleServiceAccount: [email protected]
    mode: cluster
  status:
    errors:
    - 'error during reconciliation: the only allowed name for ConfigConnector object
      is ''configconnector.core.cnrm.cloud.google.com''. The name restriction is required
      to ensure that there is only one ConfigConnector instance in your cluster'
    healthy: false
- apiVersion: core.cnrm.cloud.google.com/v1beta1
  kind: ConfigConnector
  metadata:
    creationTimestamp: "2020-12-23T23:55:17Z"
    finalizers:
    - configconnector.cnrm.cloud.google.com/finalizer
    generation: 3
    name: configconnector.core.cnrm.cloud.google.com
    resourceVersion: "6796543"
    selfLink: /apis/core.cnrm.cloud.google.com/v1beta1/configconnectors/configconnector.core.cnrm.cloud.google.com
    uid: 8d330be0-d0fb-4718-b381-b38c9802edb8
  spec:
    mode: namespaced
  status:
    healthy: true
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

3. kubectl get -n configconnector-operator-system all

NAME                             READY   STATUS    RESTARTS   AGE
pod/configconnector-operator-0   1/1     Running   0          13d

NAME                                       TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/configconnector-operator-service   ClusterIP   10.4.30.16   <none>        443/TCP   13d

NAME                                        READY   AGE
statefulset.apps/configconnector-operator   1/1     13d

After fixing the name, the status for the ConfigConnector resource is healthy:

Name:         configconnector.core.cnrm.cloud.google.com
Namespace:    
Labels:       aaa.cloud/region=us-central1
Annotations:  <none>
API Version:  core.cnrm.cloud.google.com/v1beta1
Kind:         ConfigConnector
Metadata:
  Creation Timestamp:  2020-12-23T23:55:17Z
  Finalizers:
    configconnector.cnrm.cloud.google.com/finalizer
  Generation:        4
  Resource Version:  14571840
  Self Link:         /apis/core.cnrm.cloud.google.com/v1beta1/configconnectors/configconnector.core.cnrm.cloud.google.com
  UID:               8d330be0-d0fb-4718-b381-b38c9802edb8
Spec:
  Google Service Account:  [email protected]
  Mode:                    cluster
Status:
  Healthy:  true
Events:
  Type    Reason    Age                      From                        Message
  ----    ------    ----                     ----                        -------
  Normal  UpToDate  4m43s (x17898 over 13d)  configconnector-controller  ConfigConnector is up to date

[jcanseco]

Great, thanks for sharing your findings with us @jketcham! I am glad to see that your issue has been resolved.

[shabbskagalwala]

Piggybacking on this issue but i am having the same issue
kubectl get -n configconnector-operator-system all

pod/configconnector-operator-0   1/1     Running   0          95m

NAME                                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
service/configconnector-operator-service   ClusterIP   172.31.190.243   <none>        443/TCP   95m

NAME                                        READY   AGE
statefulset.apps/configconnector-operator   1/1     95m

kubectl describe configconnector

Name:         configconnector.core.cnrm.cloud.google.com
Namespace:
Labels:       <none>
Annotations:  <none>
API Version:  core.cnrm.cloud.google.com/v1beta1
Kind:         ConfigConnector
Metadata:
  Creation Timestamp:  2021-01-22T20:12:02Z
  Finalizers:
    configconnector.cnrm.cloud.google.com/finalizer
  Generation:        3
  Resource Version:  29786528
  Self Link:         /apis/core.cnrm.cloud.google.com/v1beta1/configconnectors/configconnector.core.cnrm.cloud.google.com
  UID:               60f30c61-3612-4896-a309-bcf3ad7d837a
Spec:
  Mode:  namespaced
Status:
  Healthy:  true
Events:
  Type    Reason    Age                  From                        Message
  ----    ------    ----                 ----                        -------
  Normal  UpToDate  96s (x226 over 97m)  configconnector-controller  ConfigConnector is up to date

kubectl get configconnector -o yaml

apiVersion: v1
items:
- apiVersion: core.cnrm.cloud.google.com/v1beta1
  kind: ConfigConnector
  metadata:
    creationTimestamp: "2021-01-22T20:12:02Z"
    finalizers:
    - configconnector.cnrm.cloud.google.com/finalizer
    generation: 3
    name: configconnector.core.cnrm.cloud.google.com
    resourceVersion: "29786528"
    selfLink: /apis/core.cnrm.cloud.google.com/v1beta1/configconnectors/configconnector.core.cnrm.cloud.google.com
    uid: 60f30c61-3612-4896-a309-bcf3ad7d837a
  spec:
    mode: namespaced
  status:
    healthy: true
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""

kubectl logs -f -n configconnector-operator-system configconnector-operator-0

2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"apiextensions.k8s.io","Kind":"CustomResourceDefinition","Name":"storagenotifications.storage.cnrm.cloud.google.com"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"apiextensions.k8s.io","Kind":"CustomResourceDefinition","Name":"storagetransferjobs.storagetransfer.cnrm.cloud.google.com"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"","Kind":"Namespace","Name":"cnrm-system"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"","Kind":"ServiceAccount","Name":"cnrm-deletiondefender"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"","Kind":"ServiceAccount","Name":"cnrm-resource-stats-recorder"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"","Kind":"ServiceAccount","Name":"cnrm-webhook-manager"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"rbac.authorization.k8s.io","Kind":"Role","Name":"cnrm-deletiondefender-cnrm-system-role"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"rbac.authorization.k8s.io","Kind":"Role","Name":"cnrm-webhook-cnrm-system-role"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"rbac.authorization.k8s.io","Kind":"ClusterRole","Name":"cnrm-admin"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"rbac.authorization.k8s.io","Kind":"ClusterRole","Name":"cnrm-deletiondefender-role"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"rbac.authorization.k8s.io","Kind":"ClusterRole","Name":"cnrm-manager-cluster-role"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"rbac.authorization.k8s.io","Kind":"ClusterRole","Name":"cnrm-manager-ns-role"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"rbac.authorization.k8s.io","Kind":"ClusterRole","Name":"cnrm-recorder-role"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"rbac.authorization.k8s.io","Kind":"ClusterRole","Name":"cnrm-webhook-role"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"rbac.authorization.k8s.io","Kind":"RoleBinding","Name":"cnrm-deletiondefender-role-binding"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"rbac.authorization.k8s.io","Kind":"RoleBinding","Name":"cnrm-webhook-role-binding"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"rbac.authorization.k8s.io","Kind":"ClusterRoleBinding","Name":"cnrm-admin-binding"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"rbac.authorization.k8s.io","Kind":"ClusterRoleBinding","Name":"cnrm-deletiondefender-binding"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"rbac.authorization.k8s.io","Kind":"ClusterRoleBinding","Name":"cnrm-recorder-binding"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"rbac.authorization.k8s.io","Kind":"ClusterRoleBinding","Name":"cnrm-webhook-binding"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"","Kind":"Service","Name":"cnrm-deletiondefender"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.139Z	DEBUG	add labels to object	{"object": {"Group":"","Kind":"Service","Name":"cnrm-resource-stats-recorder-service"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.140Z	DEBUG	add labels to object	{"object": {"Group":"apps","Kind":"Deployment","Name":"cnrm-resource-stats-recorder"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.140Z	DEBUG	add labels to object	{"object": {"Group":"apps","Kind":"Deployment","Name":"cnrm-webhook-manager"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.140Z	DEBUG	add labels to object	{"object": {"Group":"apps","Kind":"StatefulSet","Name":"cnrm-deletiondefender"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.140Z	DEBUG	add labels to object	{"object": {"Group":"autoscaling","Kind":"HorizontalPodAutoscaler","Name":"cnrm-webhook"}, "labels": {"core.cnrm.cloud.google.com/configconnector":"configconnector.core.cnrm.cloud.google.com"}}
2021-01-22T21:50:46.140Z	INFO	built deployment objects	{"objects": "124"}
2021-01-22T21:50:46.140Z	INFO	injecting owner references	{"object": "configconnector.core.cnrm.cloud.google.com/"}
2021-01-22T21:50:46.160Z	INFO	applying manifest
2021-01-22T21:50:46.160Z	INFO	executing kubectl	{"command": "kubectl", "args": ["apply", "--validate=false", "--force", "-f", "-"]}
2021-01-22T21:50:48.942Z	DEBUG	controller-runtime.manager.events	Normal	{"object": {"kind":"ConfigConnector","name":"configconnector.core.cnrm.cloud.google.com","uid":"60f30c61-3612-4896-a309-bcf3ad7d837a","apiVersion":"core.cnrm.cloud.google.com/v1beta1","resourceVersion":"29786528"}, "reason": "UpToDate", "message": "ConfigConnector is up to date"}
2021-01-22T21:50:48.946Z	DEBUG	controller-runtime.controller	Successfully Reconciled	{"controller": "configconnector-controller", "request": "/configconnector.core.cnrm.cloud.google.com"}

But can't see the controller pod start up. I have the GKE_METADATA_SERVER enabled on node pools, workload_identity is enabled too.

Server Version: version.Info{Major:"1", Minor:"16+", GitVersion:"v1.16.15-gke.7800", GitCommit:"cef3156c566a1d1a4b23ee360a760f45bfbaaac1", GitTreeState:"clean", BuildDate:"2020-12-14T09:12:37Z", GoVersion:"go1.13.15b4", Compiler:"gc", Platform:"linux/amd64"}

[shabbskagalwala]

Adding additional information
kubectl get -n cnrm-system all

NAME                                               READY   STATUS    RESTARTS   AGE
pod/cnrm-deletiondefender-0                        1/1     Running   0          119m
pod/cnrm-resource-stats-recorder-8d4dd5f7c-z7xcw   2/2     Running   0          119m
pod/cnrm-webhook-manager-55df4988-b9w52            1/1     Running   0          118m
pod/cnrm-webhook-manager-55df4988-dl8fh            1/1     Running   0          119m

NAME                                           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
service/abandon-on-uninstall                   ClusterIP   172.31.191.149   <none>        443/TCP    119m
service/cnrm-deletiondefender                  ClusterIP   172.31.191.31    <none>        443/TCP    119m
service/cnrm-resource-stats-recorder-service   ClusterIP   172.31.186.65    <none>        8888/TCP   119m
service/cnrm-validating-webhook                ClusterIP   172.31.186.107   <none>        443/TCP    118m

NAME                                           READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cnrm-resource-stats-recorder   1/1     1            1           119m
deployment.apps/cnrm-webhook-manager           2/2     2            2           119m

NAME                                                     DESIRED   CURRENT   READY   AGE
replicaset.apps/cnrm-resource-stats-recorder-8d4dd5f7c   1         1         1       119m
replicaset.apps/cnrm-webhook-manager-55df4988            2         2         2       119m

NAME                                     READY   AGE
statefulset.apps/cnrm-deletiondefender   1/1     119m

NAME                                               REFERENCE                         TARGETS           MINPODS   MAXPODS   REPLICAS   AGE
horizontalpodautoscaler.autoscaling/cnrm-webhook   Deployment/cnrm-webhook-manager   18%/40%, 3%/40%   2         10        2          119m

[shabbskagalwala]

For anyone else who comes across this similar issue - you need to manually create a ConfigConnectorContext using this config

apiVersion: core.cnrm.cloud.google.com/v1beta1
kind: ConfigConnectorContext
metadata:
  name: configconnectorcontext.core.cnrm.cloud.google.com
spec:
  googleServiceAccount: "<svc-account>@<project-id>.iam.gserviceaccount.com"

as soon as this is created the controller pod starts up in the cnrm-system namespace. The above hasn't been mentioned anywhere in the documentation and I found this mentioned in a comment on some other issue -
#278 (comment)

Also keep in mind the default add on is namespace scoped so all your config connector resources need to be created in the cnrm-system namespace

From the crd description
kubectl get crd configconnectors.core.cnrm.cloud.google.com -o yaml

The mode that Config Connector will run in. This can be either 'cluster' or 'namespaced'. The default is 'namespaced'. Cluster mode uses a single Google Service Account to create and manage resources, even if you are using Config Connector to manage multiple Projects. You must specify either `credentialSecretName` or `googleServiceAccount` when in cluster mode, but not both. Namespaced mode allows you to use different Google service accounts for different Projects. When in namespaced mode, you must create a ConfigConnectorContext object per namespace that you want to enable Config Connector in, and each must set `googleServiceAccount` to specify the Google Service Account to be used to authenticate with Google Cloud APIs for the namespace.

[jcanseco]

Hey @shabbir-taulia, apologies for the late response, and I apologize for the trouble you had to go through.

Yes I think there is an improvement we can make here to our installation docs to improve clarity.

For what it's worth, we do document the need for ConfigConnectorContext resources when installing KCC in namespaced-mode, but the basic installation doc don't mention them because it assumes a cluster-mode installation which is achieved by overriding the ConfigConnector configuration in this step -- I believe the improvement we can make is to emphasize that this step is critical even if users already see a ConfigConnector in their cluster, but please feel free to correct me if I'm wrong and if there is a better way to help avoid a similar confusion in the future.

[shabbskagalwala]

Hello @jcanseco
Thank you for the response. I think some improvements to the documentation might definitely help. The default installation of KCC via the GKE add-on is namespace scoped and that made it a bit difficult to debug as to why the controller wouldn't start up.

Maybe adding this step to the GKE add on installation might make it better to understand.

Again, thank you for the response and the awesome project, was indeed a good learning experience getting it all setup and working.