Excessive logging in cert-manager-webhook pod?

[bbzg]

Describe the bug:
cert-manager-webhook pod logs 10 lines every 5 seconds, and I don't understand why or what action I can take to fix it.

Expected behaviour:
Logs that are actionable, and that do not spam every 5 seconds

Steps to reproduce the bug:
Uninstalled cert-manager 0.2.5 and installed cert-manager 0.7, kept the old cert secret.

Anything else we need to know?:

Logs

[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.282389       1 request.go:942] Request Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/apis/admission.certmanager.k8s.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:generic-garbage-collector","group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"status":{"allowed":false}}
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.282532       1 round_trippers.go:419] curl -k -v -XPOST  -H "User-Agent: image.app_linux-amd64.binary/v0.0.0 (linux/amd64) kubernetes/$Format" -H "Accept: application/json, */*" -H "Authorization: Bearer <redacted>" -H "Content-Type: application/json" 'https://10.43.240.1:443/apis/authorization.k8s.io/v1beta1/subjectaccessreviews'
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.288776       1 round_trippers.go:438] POST https://10.43.240.1:443/apis/authorization.k8s.io/v1beta1/subjectaccessreviews 201 Created in 6 milliseconds
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.288815       1 round_trippers.go:444] Response Headers:
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.288832       1 round_trippers.go:447]     Audit-Id: 344d6760-7d49-4f76-a672-e5f928a816c5
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.288840       1 round_trippers.go:447]     Content-Type: application/json
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.288857       1 round_trippers.go:447]     Content-Length: 541
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.288933       1 round_trippers.go:447]     Date: Thu, 04 Apr 2019 17:41:14 GMT
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.289009       1 request.go:942] Response Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/apis/admission.certmanager.k8s.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:generic-garbage-collector","group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"status":{"allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group \"system:authenticated\""}}
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.289187       1 handler.go:143] admission-server: GET "/apis/admission.certmanager.k8s.io/v1beta1" satisfied by gorestful with webservice /apis/admission.certmanager.k8s.io/v1beta1
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.289346       1 wrap.go:47] GET /apis/admission.certmanager.k8s.io/v1beta1?timeout=32s: (7.45329ms) 200 [kube-controller-manager/v1.11.7 (linux/amd64) kubernetes/06f08e6/system:serviceaccount:kube-system:generic-garbage-collector 10.40.11.1:53162]
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.506531       1 request.go:942] Request Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/","verb":"get"},"user":"system:anonymous","group":["system:unauthenticated"]},"status":{"allowed":false}}
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.506673       1 round_trippers.go:419] curl -k -v -XPOST  -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: image.app_linux-amd64.binary/v0.0.0 (linux/amd64) kubernetes/$Format" -H "Authorization: Bearer <redacted>" 'https://10.43.240.1:443/apis/authorization.k8s.io/v1beta1/subjectaccessreviews'
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.509166       1 round_trippers.go:438] POST https://10.43.240.1:443/apis/authorization.k8s.io/v1beta1/subjectaccessreviews 201 Created in 2 milliseconds
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.509201       1 round_trippers.go:444] Response Headers:
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.509215       1 round_trippers.go:447]     Audit-Id: 322feb6b-6045-406e-83ab-3088db76c107
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.509222       1 round_trippers.go:447]     Content-Type: application/json
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.509227       1 round_trippers.go:447]     Content-Length: 260
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.509233       1 round_trippers.go:447]     Date: Thu, 04 Apr 2019 17:41:14 GMT
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.509270       1 request.go:942] Response Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/","verb":"get"},"user":"system:anonymous","group":["system:unauthenticated"]},"status":{"allowed":false}}
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.509379       1 authorization.go:73] Forbidden: "/", Reason: ""
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.509517       1 wrap.go:47] GET /: (3.233726ms) 403 [Go-http-client/2.0 10.40.11.1:53144]
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.953456       1 request.go:942] Request Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/apis/admission.certmanager.k8s.io/v1beta1","verb":"get"},"user":"system:kube-controller-manager","group":["system:authenticated"]},"status":{"allowed":false}}
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.953574       1 round_trippers.go:419] curl -k -v -XPOST  -H "User-Agent: image.app_linux-amd64.binary/v0.0.0 (linux/amd64) kubernetes/$Format" -H "Authorization: Bearer <redacted>" -H "Accept: application/json, */*" -H "Content-Type: application/json" 'https://10.43.240.1:443/apis/authorization.k8s.io/v1beta1/subjectaccessreviews'
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.955205       1 round_trippers.go:438] POST https://10.43.240.1:443/apis/authorization.k8s.io/v1beta1/subjectaccessreviews 201 Created in 1 milliseconds
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.955271       1 round_trippers.go:444] Response Headers:
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.955296       1 round_trippers.go:447]     Content-Length: 450
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.955305       1 round_trippers.go:447]     Date: Thu, 04 Apr 2019 17:41:14 GMT
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.955308       1 round_trippers.go:447]     Audit-Id: 6a2970a7-6c70-47c4-af28-52bb732cbc75
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.955314       1 round_trippers.go:447]     Content-Type: application/json
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.955344       1 request.go:942] Response Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/apis/admission.certmanager.k8s.io/v1beta1","verb":"get"},"user":"system:kube-controller-manager","group":["system:authenticated"]},"status":{"allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group \"system:authenticated\""}}
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.955438       1 handler.go:143] admission-server: GET "/apis/admission.certmanager.k8s.io/v1beta1" satisfied by gorestful with webservice /apis/admission.certmanager.k8s.io/v1beta1
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:14.955592       1 wrap.go:47] GET /apis/admission.certmanager.k8s.io/v1beta1?timeout=32s: (2.490715ms) 200 [kube-controller-manager/v1.11.7 (linux/amd64) kubernetes/06f08e6/controller-discovery 10.40.11.1:53162]
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:29.555587       1 request.go:942] Request Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/apis/admission.certmanager.k8s.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller","group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"status":{"allowed":false}}
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:29.555733       1 round_trippers.go:419] curl -k -v -XPOST  -H "Accept: application/json, */*" -H "Content-Type: application/json" -H "User-Agent: image.app_linux-amd64.binary/v0.0.0 (linux/amd64) kubernetes/$Format" -H "Authorization: Bearer <redacted>" 'https://10.43.240.1:443/apis/authorization.k8s.io/v1beta1/subjectaccessreviews'
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:29.563469       1 round_trippers.go:438] POST https://10.43.240.1:443/apis/authorization.k8s.io/v1beta1/subjectaccessreviews 201 Created in 7 milliseconds
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:29.563509       1 round_trippers.go:444] Response Headers:
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:29.563520       1 round_trippers.go:447]     Content-Type: application/json
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:29.563528       1 round_trippers.go:447]     Content-Length: 540
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:29.563540       1 round_trippers.go:447]     Date: Thu, 04 Apr 2019 17:41:29 GMT
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:29.563548       1 round_trippers.go:447]     Audit-Id: a3643fed-fa56-4fc4-ba94-35b4fa515daf
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:29.563603       1 request.go:942] Response Body: {"kind":"SubjectAccessReview","apiVersion":"authorization.k8s.io/v1beta1","metadata":{"creationTimestamp":null},"spec":{"nonResourceAttributes":{"path":"/apis/admission.certmanager.k8s.io/v1beta1","verb":"get"},"user":"system:serviceaccount:kube-system:resourcequota-controller","group":["system:serviceaccounts","system:serviceaccounts:kube-system","system:authenticated"]},"status":{"allowed":true,"reason":"RBAC: allowed by ClusterRoleBinding \"system:discovery\" of ClusterRole \"system:discovery\" to Group \"system:authenticated\""}}
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:29.563739       1 handler.go:143] admission-server: GET "/apis/admission.certmanager.k8s.io/v1beta1" satisfied by gorestful with webservice /apis/admission.certmanager.k8s.io/v1beta1
[cert-manager-webhook-86bc6ff498-rgmqx] I0404 17:41:29.563876       1 wrap.go:47] GET /apis/admission.certmanager.k8s.io/v1beta1?timeout=32s: (8.725156ms) 200 [kube-controller-manager/v1.11.7 (linux/amd64) kubernetes/06f08e6/system:serviceaccount:kube-system:resourcequota-controller 10.40.11.1:53162]

I would like to know if this is normal, or if there is something wrong with my deployment.

Thanks.

Environment details::

• Kubernetes version: 1.11.7
• Cloud-provider/provisioner: GKE
• cert-manager version: 0.7
• Install method: helm

/kind bug

[techmunk]

We're seeing the exact same logs on 0.7. Would be nice to reduce the noise.

[marc-barry]

We are also seeing the same. Some sources of the logs are:

• https://github.com/jetstack/cert-manager/blob/v0.7.0/vendor/k8s.io/client-go/transport/round_trippers.go#L419
• https://github.com/jetstack/cert-manager/blob/v0.7.0/vendor/k8s.io/client-go/transport/round_trippers.go#L438
• https://github.com/jetstack/cert-manager/blob/v0.7.0/vendor/k8s.io/client-go/transport/round_trippers.go#L447
• https://github.com/kubernetes/apiserver/blob/v0.7.0/pkg/server/filters/wrap.go#L47
• https://github.com/jetstack/cert-manager/blob/v0.7.0/vendor/k8s.io/apiserver/pkg/server/handler.go#L143
• https://github.com/jetstack/cert-manager/blob/v0.7.0/vendor/k8s.io/apiserver/pkg/server/mux/pathrecorder.go#L253

There are more sources than this but I wanted to provide some examples.

[marc-barry]

I think #1527 will address this issue.

[yehudamakarov]

I understand this is being addressed.
Are these logs because cert-manager is actually that busy?

I want to understand more about why. What is there to do besides refreshing the certificate when necessary?

Right now I'm deployed in GKE with cert-manager, and in the GCP dashboard for my project, i have TONS of activity. (Maybe this is because of the logs mentioned here.)

like:

• managed-certificate-controller written | Resource Name: core/v1/namespaces/kube-system/endpoints/managed-certificate-controller

• controller-leader-election-helper was updated | Resource Name: core/v1/namespaces/cert-manager/configmaps/controller-leader-election-helper

• gke-common-webhook-lock was updated Resource name: core/v1/namespaces/kube-system/configmaps/gke-common-webhook-lock

How can I learn more about what is going on and how cert-manager is running?

[tomko80]

We are experiencing this as well. This summer we are setting up a Kubernetes cluster on Azure (AKS) and running this just for a month now the costs of the collected log data is more than what the 3 VM's cost together! Sometimes there is tens of lines per second from the cert-manager-webhook:v0.7.0. Can this not be adjusted???

[jsha]

@munnerz can you collaborate with @yehudamakarov and @tomko80 to get logs? I think this may be one of the instances of cert-manager sending excessive traffic that we have been looking for.

[yehudamakarov]

What should I try to get exactly? I have the cluster in google kubernetes engine. Stackdriver has a lot of logs for many different things. Container logs from the cert-manager? Or are there other logs it’s influencing as well that I should look for. Yehuda Makarov

…

On Aug 1, 2019, 21:16 -0400, Jacob Hoffman-Andrews ***@***.***>, wrote: @munnerz can you collaborate with @yehudamakarov and @tomko80 to get logs? I think this may be one of the instances of cert-manager sending excessive traffic that we have been looking for. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[nicolaspascual]

Same here!! Any fix for this?

[gocreating]

Same issue.
I've uninstalled cert-manager totally. but I still get a lot of logging...

[chapa]

I recently upgrade cert-manager from 0.6 to 0.7, 0.7 to 0.8 and 0.8 to 0.9 and I noticed excessive logging stop from 0.8.

Not related to this I think, but I received an email from the Let's Encrypt team saying that they "plan to start blocking all traffic from cert-manager versions less than 0.8.0 (the current semver minor release), as of November 1, 2019", because "cert-manager sometimes falls into a traffic pattern where it sends really excessive traffic to Let's Encrypt's servers". So it may be worth to upgrade ;-)

Don't forget to read the doc if you plan to upgrade : https://cert-manager.readthedocs.io/en/latest/tasks/upgrading/index.html

[yehudamakarov]

Thanks for this info mate. Yehuda Makarov

…

On Aug 31, 2019, 08:05 -0400, Mickaël ***@***.***>, wrote: I recently upgrade cert-manager from 0.6 to 0.7, 0.7 to 0.8 and 0.8 to 0.9 and I noticed excessive logging stop from 0.8. Not related to this I think, but I received an email from the Let's Encrypt team saying that they "plan to start blocking all traffic from cert-manager versions less than 0.8.0 (the current semver minor release), as of November 1, 2019". So it may be worth to upgrade ;-) Don't forget to read the doc if you plan to upgrade : https://cert-manager.readthedocs.io/en/latest/tasks/upgrading/index.html — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[munnerz]

This was fixed in #1527 😄