SysctlForbidden for services following pod deletion

Aviatorpaal · June 21, 2023, 1:32am

Cluster information:

Kubernetes version:

Client Version: v1.25.3+k3s-9afcd6b9-dirty
Kustomize Version: v4.5.7
Server Version: v1.25.3+k3s-9afcd6b9-dirty

Cloud being used: Bare-metal
Installation method: Included with TrueNAS Scale
Host OS: Debian 11 (TrueNAS Scale 22.12.3)
Load balancer: SVCLB
CRI and version: “docker://Unknown”

Following deletion of a pod, the associated services fail to delete (as far as I understand), please see the following (abbreviated) outputs

k3s kubectl get pods -A
kube-system svclb-unifi-truecharts-guestportal-7e6ba1e7-l6hzl 0/2 SysctlForbidden 0 8m10s
kube-system svclb-unifi-truecharts-comm-ab39ece8-f84w9 0/1 SysctlForbidden 0 8m9s
kube-system svclb-unifi-truecharts-1cd9a1a9-4hxvg 0/1 SysctlForbidden 0 8m9s
kube-system svclb-unifi-truecharts-speedtest-0c138923-8v7t5 0/1 SysctlForbidden 0 8m8s
kube-system svclb-unifi-truecharts-stun-75de3720-jwsvt 0/1 SysctlForbidden 0 8m7s

k3s kubectl get svc -A
ix-unifi-truecharts unifi-truecharts-comm LoadBalancer 172.17.41.143 192.168.12.2 9080:53804/TCP 116d
ix-unifi-truecharts unifi-truecharts-guestportal LoadBalancer 172.17.248.197 192.168.12.2 9880:10663/TCP,9843:22164/TCP 116d
ix-unifi-truecharts unifi-truecharts LoadBalancer 172.17.71.219 192.168.12.2 9443:35886/TCP 116d
ix-unifi-truecharts unifi-truecharts-speedtest LoadBalancer 172.17.151.198 192.168.12.2 9789:44115/TCP 116d
ix-unifi-truecharts unifi-truecharts-stun LoadBalancer 172.17.175.87 192.168.12.2 9478:46340/UDP 116d

when “k3s kubectl get ns -A” does not show the pod.

Could someone please explain this to a home lab noob, trying to grasp the Kubernetes concepts? Thanks in advance

Aviatorpaal · June 21, 2023, 10:41pm

root@truenas[~]# k3s kubectl describe svc unifi-truecharts --namespace=ix-unifi-truecharts
Name: unifi-truecharts
Namespace: ix-unifi-truecharts
Labels: xyz=unifi-truecharts
xyz/managed-by=Helm
xyz/name=unifi
xyz/version=7.3.76
helm-revision=26
helm.sh/chart=unifi-13.0.10
Annotations: meta.helm.sh/release-name: unifi-truecharts
meta.helm.sh/release-namespace: ix-unifi-truecharts
metallb.universe.tf/allow-shared-ip: unifi-truecharts
traefik.ingress.kubernetes.io/service.serversscheme: https
Selector: app.kubernetes.io/instance=unifi-truecharts,app.kubernetes.io/name=unifi
Type: LoadBalancer
IP Family Policy: SingleStack
IP Families: IPv4
IP: 172.17.71.219
IPs: 172.17.71.219
LoadBalancer Ingress: 192.168.12.2
Port: main 9443/TCP
TargetPort: 8443/TCP
NodePort: main 35886/TCP
Endpoints:
Session Affinity: None
External Traffic Policy: Cluster
Events: