Kubelet serving CSR never created

[lentzi90]

What happened?

We are seeing an issue occasionally where the kubelet never gets the server certificate (serverTLSBootstrap: true).
We have an auto-approver for the server certificates and detect this issue because we are waiting for the certificate to appear in /var/lib/kubelet/pki/kubelet-server-current.pem. When we hit it, not even the CSR is created.
It started happening after upgrading to v1.32 so we believe it could be from a change that was introduced in v1.32.
Restarting the kubelet does not help. It happily continues without the server certificate, even though it is configured to bootstrap it.

In healthy clusters, we see this:

$ kubectl get csr
NAME        AGE   SIGNERNAME                                    REQUESTOR                           REQUESTEDDURATION   CONDITION
csr-8dql4   29s   kubernetes.io/kubelet-serving                 system:node:lennart-kubelet-debug   <none>              Pending
csr-r8ztr   17s   kubernetes.io/kubelet-serving                 system:node:lennart-kubelet-debug   <none>              Pending
csr-xtwpf   30s   kubernetes.io/kube-apiserver-client-kubelet   system:node:lennart-kubelet-debug   <none>              Approved,Issued

In faulty clusters, there is just the client CSR.
We are not sure why two CSRs are created for the server either, but it works when we approve the newer of them.

Edit: The two server CSRs happen because kubeadm restarts the kubelet as part of initializing. This is how it picks up the client certificate. After the restart, the kubelet does not "remember" its old server CSR so it creates a new. This is not an issue.

Here is the kubelet config from an affected node: kubelet-config.txt

What did you expect to happen?

When configured, the kubelet should always create the server CSR.

How can we reproduce it (as minimally and precisely as possible)?

Unfortunately we do not have any guaranteed reproduction steps.
In general, this is what is needed to trigger the issue:

1. Kubelet is configured to rotate certificates (default) and to use server certificate.
2. Node status is stable, i.e. there are no changes of any kind that would cause the kubelet to update the status.
3. Kubelet is restarted and the server certificate does not exist (e.g. because it was removed or it wasn't issued yet).

In this specific case you should be able to see that the CSR is not created:

$ kubectl get csr
NAME        AGE   SIGNERNAME                                    REQUESTOR                           REQUESTEDDURATION   CONDITION
csr-2mq8h   22s   kubernetes.io/kube-apiserver-client-kubelet   system:node:lennart-kubelet-debug   <none>              Approved,Issued
$ kubectl get nodes
NAME                    STATUS   ROLES           AGE   VERSION
lennart-kubelet-debug   Ready    control-plane   28s   v1.32.1

Anything else we need to know?

I believe the culprit is #128640. Not the randomization of the interval, but the change in how the zero case for the lastStatusReportTime is handled.
It used to be treated as expired and trigger an update. After the PR it is treated the opposite.
This means that patchNodeStatus is never called and consequently neither is setLastObservedNodeAddresses.
The latter is initializing the kubelets internal node address state (not node status).
This internal state is what the server certificate manager is relying on to create the CSR. As long as it is nil, i.e. as long as the node status hasn't been patched, it cannot progress.

Kubernetes version

Details

$ kubectl version
Client Version: v1.32.1
Kustomize Version: v5.5.0
Server Version: v1.32.1

Cloud provider

Details

Happens both with and without external cloud provider

OS version

Details

# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here

Install tools

Details

Container runtime (CRI) and version (if applicable)

Details

Related plugins (CNI, CSI, ...) and versions (if applicable)

Details

[aojea]

@lentzi90 check if this is the problem #125813

naive question, what is the reason to have a node without valid IPs?

[lentzi90]

Thanks for the comment! I was looking at that PR already but it does not seem to be the issue we are hitting. We see this even when the node has a proper internal IP.
It does, however, explain why the attempt at reproducing it with the IPv6 loopback works.

[aojea]

looks like this #126441, you can try disabling the feature gate

[lentzi90]

Hmm that does indeed look interesting! I will check if there is something wrong with the node names

[BenTheElder]

/sig auth

[lentzi90]

Alright, I managed to hit the scenario described in #126441, but unfortunately it does not behave the same as the issue we are seeing.
What I did to trigger it was the following:

1. Set --hostname-override=not-correct-hostname in /etc/default/kubelet
2. Do NOT set nodeRegistration.name in the InitConfiguration (that would cause kubeadm to try to set the hostname override)
3. kubeadm init now fails and indeed no CSRs are created.

[kubelet-start] Starting the kubelet
[wait-control-plane] Waiting for the kubelet to boot up the control plane as static Pods from directory "/etc/kubernetes/manifests"
[kubelet-check] Waiting for a healthy kubelet at http://127.0.0.1:10248/healthz. This can take up to 4m0s
[kubelet-check] The kubelet is healthy after 501.78975ms
[api-check] Waiting for a healthy API server. This can take up to 4m0s
[api-check] The API server is healthy after 3.001123109s
[upload-config] Storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config" in namespace kube-system with the configuration for the kubelets in the cluster
error execution phase upload-config/kubelet: error writing CRISocket for this node: nodes "lennart-kubelet-debug" not found

When we hit the issue described, kubeadm init is actually successful and the client CSR is created. So unfortunately it does not seem to be #126441 that is the cause. The hunt continues...

[tuminoid]

This is reproducible maybe 5-10% of the cluster creations, so I don't think it is about wrong configuration or feature gates.

Minimal test environments seem never produce this same issue, the only reproductions we've found are when something goes wrong 100% of the time (like using the link-local ipv6 address. That breaking the node's addresses shouldn't happen either IMO, but maybe let's discuss that in another issue.)

Checking the changelog, most of the Kubelet and CSR related changes were done in 1.31 already, where no issues have been seen. That'd further exclude #126441 and #125813 IMO, but thanks @lentzi90 for verifying that with a test too.

Kubelet is not logging basically anything on any log level related to server certs is also making it hard to debug. The whole DynamicCertificateManager code is silent, and kubelet itself is also very silent on the very few lines it has related to certs. For client certs it at least says something, but server cert path is so silent.

One further finding related to CSRs are that in k8s 1.32, the second server CSR request comes 15 seconds later than the first. In 1.31 and older, they were only few seconds apart. This also happens on minimal kubeadm init based test env. I've also not found a reason why this is happening and if its somehow related or not.

It would also be interesting to understand why there is always 2 server CSRs and why the first one never means anything. The contents are basically the same, same requestor, same CSR input, ...