Symptoms
Running the command 'kubectl get nodes -o wide' shows that the current node is in a NotReady state:
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIMEvra.corp.local NotReady master 17h v1.14.6 192.68.3.4 <none> VMware Photon OS/Linux 4.9.214-1.ph2 docker://18.9.9
Running the command 'journalctl -u kubelet --since="30min"' shows errors similar to:
Jul 29 07:02:58 vra.corp.local kubelet[3461]: E0729 07:02:58.322582 3461 webhook.go:107] Failed to make webhook authenticator request: Post https://vra-k8s.local:6443/apis/authentication.k8s.io/v1beta1/tokenreviews: wri
Jul 29 07:02:58 vra.corp.local kubelet[3461]: E0729 07:02:58.322623 3461 server.go:245] Unable to authenticate the request due to an error: Post https://vra-k8s.local:6443/apis/authentication.k8s.io/v1beta1/tokenreviews
'vracli cluster exec -- bash -c 'current_node'' cannot complete successfully with authentication error:
executing bash on prelude-noop-extnet-ds-rnb9s failed: b'error: unable to upgrade connection: Authorization error (user=kube-apiserver-kubelet-client, verb=create, resource=nodes, subresource=proxy)\n'
Cause
Due to problems with automatic certificate renewal, the kubelet service may not be able to reach the Kubernetes API Server.
Resolution
This issue is resolved in vRealize Automation (vRA) 8.1 P3 and vRealize Orchestrator (vRO) 8.1 P3 or later.
Workaround
To workaround this issue, restart the kubelet service by performing the following:
Open a console or SSH terminal to the vRA or vRO node.Run the command: 'systemctl restart kubelet'After 5 minutes, run the command 'vracli cluster exec -- bash -c 'current_node'' command to confirm the results.
The host name of the current node should be printed successfully.
