Issue: When working with Kubeadm cluster with Calico CNI plugin, the container fails to launch and if you describe the pod you may get the following error.
Warning FailedCreatePodSandBox 16m kubelet Failed to create pod sandbox: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_webserver-667ddc69b6-wq689_default_ffa6a237-7dc6-4bc4-9444-b0146a5b7f21_0(6dfe713911b0d60f98cf464a11928b041c885ff9dd3c59323ca5271be1df632b): error adding pod default_webserver-667ddc69b6-wq689 to CNI network "k8s-pod-network": plugin type="calico" failed (add): error getting ClusterInformation: connection is unauthorized: UnauthorizedSolution
This error can be rectified by restarting the Calico pods running in the kube-system namespace.
Get the labels of calico pods using the following command.
kubectl get pods -n kube-system --show-labelsFirst delete all the calico pods using the following command.
kubectl delete pods -n kube-system -l k8s-app=calico-nodeOnce the calico pods are restarted, you you shouldn’t see the error.
Root Cause
This error primary happens in kubeadm due to temporary glitches. Restarting the pods will clear all the temporary problems. At least it did in my case.
Another reason could be the race condition in Calico configurations. This also gets rectified with calico pod restarts.
If pod restart doest solve the issue, then you can check the folllwing.
- Network Policies Blocking Access: check if there is any network policy blocking calico access to other components.
- Incorrect Calico Configuration: A misconfiguration in calico could also lead to unauthorized errors. Check all the calico configurations.
