Aporeto is throwing an error indicating a token is invalid. #633
Comments
Feb 11th: Worked with DXC to down the Aporeto enforcers. While down Karim did not see any errors in his Application(s) where they were unable to validate a JWT with SSO. |
Debugging this with Aporeto more today. We brought down Sysdig and this cleared up Karim's application errors (problem connecting to SSO to validate JWT) but the It appears that when either the Enforcers or Sysdig is disabled then the Application errors go away. Will work with William and Aporeto this afternoon to gather packet logs for a more in-depth analysis. |
We tracked this issue down to an overflow of iptable's The log message that indicates this type of problem (from an infra node):
The solution is the change both
|
Overview of the Issue and Suggested Solution In order to do this we had to split our enforcer daemonset into 2 daemonsets. Each daemonset was set up with the Deployment Lab/Prod Questions - Post Incident
Notes:
|
Two support cases opened with Aporeto: 246 - Improving the helm chart(s) to better allow for this change to be deployed. |
Blocked by #645. |
This issue appears to be intermittent on compute nodes (Ref. #devops-apoerto Feb 28). We had a conversation today where we decided to push ahead with the param changes on the infra nodes only and, if the same issue is confirmed on the infra nodes we'll look at also enabling the config on compute nodes. It looks like we have enough memory to accommodate this change. |
In various namespaces we see a rejected flow when the kubelet tries to make a health check. The error message is: "token (The token was invalid.)". We thought this might be related to a deadlock in the enforcers but this issue was fixed by Aporeto in v.1.1015.10. After the update to v1.1015.10 we are still seeing the error message.
While not directly correlated by time, when this error message is present teams using Python/Flask often report that a connection fails between the API and SSO causing the SSO JWT to become invalid.