2022-04-04 11:22:00 +05:30
---
stage: Configure
group: Configure
2022-11-25 23:54:43 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
2022-04-04 11:22:00 +05:30
---
2022-05-07 20:08:51 +05:30
# Troubleshooting the GitLab agent for Kubernetes
2022-04-04 11:22:00 +05:30
2022-05-07 20:08:51 +05:30
When you are using the GitLab agent for Kubernetes, you might experience issues you need to troubleshoot.
2022-04-04 11:22:00 +05:30
You can start by viewing the service logs:
```shell
2022-07-16 23:28:13 +05:30
kubectl logs -f -l=app=gitlab-agent -n gitlab-agent
2022-04-04 11:22:00 +05:30
```
2022-05-07 20:08:51 +05:30
If you are a GitLab administrator, you can also view the [GitLab agent server logs ](../../../administration/clusters/kas.md#troubleshooting ).
2022-04-04 11:22:00 +05:30
## Transport: Error while dialing failed to WebSocket dial
```json
{
"level": "warn",
"time": "2020-11-04T10:14:39.368Z",
"msg": "GetConfiguration failed",
"error": "rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing failed to WebSocket dial: failed to send handshake request: Get \\\"https://gitlab-kas:443/-/kubernetes-agent\\\": dial tcp: lookup gitlab-kas on 10.60.0.10:53: no such host\""
}
```
2022-06-21 17:19:12 +05:30
This error occurs when there are connectivity issues between the `kas-address`
and your agent pod. To fix this issue, make sure the `kas-address` is accurate.
2022-04-04 11:22:00 +05:30
```json
{
"level": "error",
"time": "2021-06-25T21:15:45.335Z",
"msg": "Reverse tunnel",
"mod_name": "reverse_tunnel",
"error": "Connect(): rpc error: code = Unavailable desc = connection error: desc= \"transport: Error while dialing failed to WebSocket dial: expected handshake response status code 101 but got 301\""
}
```
2022-06-21 17:19:12 +05:30
This error occurs when the `kas-address` doesn't include a trailing slash. To fix this issue, make sure that the
`wss` or `ws` URL ends with a trailing slash, like `wss://GitLab.host.tld:443/-/kubernetes-agent/`
2022-04-04 11:22:00 +05:30
or `ws://GitLab.host.tld:80/-/kubernetes-agent/` .
## ValidationError(Deployment.metadata)
```json
{
"level": "info",
"time": "2020-10-30T08:56:54.329Z",
"msg": "Synced",
"project_id": "root/kas-manifest001",
"resource_key": "apps/Deployment/kas-test001/nginx-deployment",
"sync_result": "error validating data: [ValidationError(Deployment.metadata): unknown field \"replicas\" in io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta, ValidationError(Deployment.metadata): unknown field \"selector\" in io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta, ValidationError(Deployment.metadata): unknown field \"template\" in io.k8s.apimachinery.pkg.apis.meta.v1.ObjectMeta]"
}
```
2022-06-21 17:19:12 +05:30
This error occurs when a manifest file is malformed and Kubernetes can't
create the specified objects. Make sure that your manifest files are valid.
For additional troubleshooting, try to use the manifest files to create objects in Kubernetes directly.
2022-04-04 11:22:00 +05:30
## Error while dialing failed to WebSocket dial: failed to send handshake request
```json
{
"level": "warn",
"time": "2020-10-30T09:50:51.173Z",
"msg": "GetConfiguration failed",
"error": "rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing failed to WebSocket dial: failed to send handshake request: Get \\\"https://GitLabhost.tld:443/-/kubernetes-agent\\\": net/http: HTTP/1.x transport connection broken: malformed HTTP response \\\"\\\\x00\\\\x00\\\\x06\\\\x04\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x00\\\\x05\\\\x00\\\\x00@\\\\x00\\\"\""
}
```
2022-06-21 17:19:12 +05:30
This error occurs when you configured `wss` as `kas-address` on the agent side,
but the agent server is not available at `wss` . To fix this issue, make sure the
2022-04-04 11:22:00 +05:30
same schemes are configured on both sides.
## Decompressor is not installed for grpc-encoding
```json
{
"level": "warn",
"time": "2020-11-05T05:25:46.916Z",
"msg": "GetConfiguration.Recv failed",
"error": "rpc error: code = Unimplemented desc = grpc: Decompressor is not installed for grpc-encoding \"gzip\""
}
```
2022-06-21 17:19:12 +05:30
This error occurs when the version of the agent is newer that the version of the agent server (KAS).
To fix it, make sure that both `agentk` and the agent server are the same version.
2022-04-04 11:22:00 +05:30
## Certificate signed by unknown authority
```json
{
"level": "error",
"time": "2021-02-25T07:22:37.158Z",
"msg": "Reverse tunnel",
"mod_name": "reverse_tunnel",
"error": "Connect(): rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing failed to WebSocket dial: failed to send handshake request: Get \\\"https://GitLabhost.tld:443/-/kubernetes-agent/\\\": x509: certificate signed by unknown authority\""
}
```
2022-06-21 17:19:12 +05:30
This error occurs when your GitLab instance is using a certificate signed by an internal
certificate authority that is unknown to the agent.
To fix this issue, you can present the CA certificate file to the agent
by using a Kubernetes `configmap` and mount the file in the agent `/etc/ssl/certs` directory from where it
2022-04-04 11:22:00 +05:30
will be picked up automatically.
For example, if your internal CA certificate is `myCA.pem` :
```plaintext
2022-07-16 23:28:13 +05:30
kubectl -n gitlab-agent create configmap ca-pemstore --from-file=myCA.pem
2022-04-04 11:22:00 +05:30
```
Then in `resources.yml` :
```yaml
spec:
2022-07-16 23:28:13 +05:30
serviceAccountName: gitlab-agent
2022-04-04 11:22:00 +05:30
containers:
- name: agent
image: "registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:< version > "
args:
- --token-file=/config/token
- --kas-address
- wss://kas.host.tld:443 # replace this line with the line below if using Omnibus GitLab or GitLab.com.
# - wss://gitlab.host.tld:443/-/kubernetes-agent/
# - wss://kas.gitlab.com # for GitLab.com users, use this KAS.
# - grpc://host.docker.internal:8150 # use this attribute when connecting from Docker.
volumeMounts:
- name: token-volume
mountPath: /config
- name: ca-pemstore-volume
mountPath: /etc/ssl/certs/myCA.pem
subPath: myCA.pem
volumes:
- name: token-volume
secret:
2022-07-16 23:28:13 +05:30
secretName: gitlab-agent-token
2022-04-04 11:22:00 +05:30
- name: ca-pemstore-volume
configMap:
name: ca-pemstore
items:
- key: myCA.pem
path: myCA.pem
```
2022-06-21 17:19:12 +05:30
Alternatively, you can mount the certificate file at a different location and specify it for the
2022-04-04 11:22:00 +05:30
`--ca-cert-file` agent parameter:
```yaml
containers:
- name: agent
image: "registry.gitlab.com/gitlab-org/cluster-integration/gitlab-agent/agentk:< version > "
args:
- --ca-cert-file=/tmp/myCA.pem
- --token-file=/config/token
- --kas-address
- wss://kas.host.tld:443 # replace this line with the line below if using Omnibus GitLab or GitLab.com.
# - wss://gitlab.host.tld:443/-/kubernetes-agent/
# - wss://kas.gitlab.com # for GitLab.com users, use this KAS.
# - grpc://host.docker.internal:8150 # use this attribute when connecting from Docker.
volumeMounts:
- name: token-volume
mountPath: /config
- name: ca-pemstore-volume
mountPath: /tmp/myCA.pem
subPath: myCA.pem
```
## Project not found
```json
{
"level ":"error ",
"time ":"2022-01-05T15:18:11.331Z",
"msg ":"GetObjectsToSynchronize.Recv failed ",
"mod_name ":"gitops ",
"error ":"rpc error: code = NotFound desc = project not found ",
}
```
2022-06-21 17:19:12 +05:30
This error occurs when the project where you keep your manifests is not public. To fix it, make sure your project is public or your manifest files
are stored in the repository where the agent is configured.
2022-08-13 15:12:31 +05:30
## Failed to perform vulnerability scan on workload: jobs.batch already exists
```json
{
"level": "error",
"time": "2022-06-22T21:03:04.769Z",
"msg": "Failed to perform vulnerability scan on workload",
"mod_name": "starboard_vulnerability",
"error": "running scan job: creating job: jobs.batch \"scan-vulnerabilityreport-b8d497769\" already exists"
}
```
The GitLab agent performs vulnerability scans by creating a job to scan each workload. If a scan
is interrupted, these jobs may be left behind and will need to be cleaned up before more jobs can
be run. You can clean up these jobs by running:
```shell
kubectl delete jobs -l app.kubernetes.io/managed-by=starboard -n gitlab-agent
```
[We're working on making the cleanup of these jobs more robust. ](https://gitlab.com/gitlab-org/gitlab/-/issues/362016 )
2023-01-13 00:05:48 +05:30
## Inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)
```json
{
"error":"inventory policy prevented actuation (strategy: Apply, status: Empty, policy: MustMatch)",
"group":"networking.k8s.io",
"kind":"Deployment",
"name":"resource-name",
"namespace":"namespace",
"status":"Skipped",
"timestamp":"2022-10-29T15:34:21Z",
"type":"apply"
}
```
This error occurs when the GitLab agent tries to update an object and the object doesn't have the required annotations. To fix this error, you can:
- Add the required annotations manually.
- Delete the object and let the agent recreate it.
- Change your [`inventory_policy` ](../../infrastructure/clusters/deploy/inventory_object.md#inventory_policy-options ) setting.