Airgapped docs pods appear healthy but are inaccessible #92

Open
ethanchowell opened this issue May 5, 2023 · 0 comments

I've deployed the airgapped-docs chart to an RKE2 cluster that was not created by Rancher, but is managed by it. The pods appear to be healthy, and when I visit any of the links created for them, I see the following message

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "error trying to reach service: proxy error from 127.0.0.1:9345 while dialing 10.42.0.23:80, code 503: 503 Service Unavailable",
  "reason": "ServiceUnavailable",
  "code": 503
}

Looking at the pod logs, I see a constant stream of

nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)

There's only one pod with this error that doesn't report as healthy, and it's the neuvector-offline-docs pod, which is in a CrashLoopBackOff because of the above error.

Some background on the cluster:

  • Cloud env: AWS
  • Version: v1.25.8+rke2r1
  • CIS profile: cis-1.23
  • Image registry: ECR (manually added imagePullSecrets to grab these images, quicker than rolling nodes)

I also had to manually update the carbide-docs-system namespace with the labels

pod-security.kubernetes.io/audit: baseline
pod-security.kubernetes.io/audit-version: latest
pod-security.kubernetes.io/enforce: baseline
pod-security.kubernetes.io/enforce-version: latest
pod-security.kubernetes.io/warn: baseline
pod-security.kubernetes.io/warn-version: latest

Which is odd because I would've expected the deployment manifest to set the necessary security permissions if it's only serving docs.
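
The two nginx log lines in the report are what a process prints when it runs as a non-root user and tries to bind a port below the kernel's unprivileged-port threshold (1024 by default). As an added example, not part of the issue or the chart, this Python check flags that combination in a pod manifest; the manifest is constructed sample data, and `SAMPLE_POD`, `unprivileged_port_start` and `find_privileged_port_binds` are hypothetical names.

```python
import json

SYSCTL = "net.ipv4.ip_unprivileged_port_start"
DEFAULT_START = 1024  # Linux default: ports below this need privilege to bind

# Constructed sample pod (not taken from the chart or the issue).
SAMPLE_POD = json.loads("""
{"spec": {
  "securityContext": {"runAsUser": 101},
  "containers": [
    {"name": "web", "ports": [{"containerPort": 80}]},
    {"name": "exporter", "ports": [{"containerPort": 9113}]},
    {"name": "rootful", "ports": [{"containerPort": 443}],
     "securityContext": {"runAsUser": 0}}
  ]
}}
""")


def unprivileged_port_start(pod_spec):
    """Threshold set through the pod's sysctls, else the kernel default."""
    sysctls = (pod_spec.get("securityContext") or {}).get("sysctls") or []
    for entry in sysctls:
        if entry.get("name") == SYSCTL:
            return int(entry["value"])
    return DEFAULT_START


def find_privileged_port_binds(pod):
    """Return (container, port, uid) for non-root containers declaring low ports."""
    # Assumes containerPort matches the port the process really binds and that
    # the UID is set in the manifest; a USER baked into the image is not visible.
    spec = pod["spec"]
    pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
    threshold = unprivileged_port_start(spec)
    findings = []
    for container in spec.get("containers", []):
        uid = (container.get("securityContext") or {}).get("runAsUser", pod_uid)
        if uid in (None, 0):
            continue  # root, or UID not provable from the manifest
        for port in container.get("ports", []):
            if port["containerPort"] < threshold:
                findings.append((container["name"], port["containerPort"], uid))
    return findings


if __name__ == "__main__":
    for name, port, uid in find_privileged_port_binds(SAMPLE_POD):
        print(f"{name}: non-root uid {uid} declares privileged port {port}")
```

A node's container runtime can lower the threshold on its own, which a manifest-only check like this cannot see.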
