CKA Practice Test - Install VPA (2025 Updates): Error getting Admission Controller status. Skipping eviction loop

Following the instructions in this lab:

kubectl apply -f /root/vpa-crds.yml
kubectl apply -f /root/vpa-rbac.yml
git clone https://github.com/kubernetes/autoscaler.git
cd autoscaler/vertical-pod-autoscaler
./hack/vpa-up.sh

…yields a broken vpa-admission-controller:

$ k -n kube-system get pod
NAME                                        READY   STATUS             RESTARTS        AGE
vpa-admission-controller-649657c55c-889sj   0/1     CrashLoopBackOff   6 (3m14s ago)   8m57s

…because:

$ k -n kube-system logs vpa-admission-controller-649657c55c-889sj
I0604 10:19:00.387208       1 flags.go:57] FLAG: --add-dir-header="false"
I0604 10:19:00.387307       1 flags.go:57] FLAG: --address=":8944"
I0604 10:19:00.387311       1 flags.go:57] FLAG: --alsologtostderr="false"
I0604 10:19:00.387314       1 flags.go:57] FLAG: --client-ca-file="/etc/tls-certs/caCert.pem"
I0604 10:19:00.387317       1 flags.go:57] FLAG: --feature-gates=""
I0604 10:19:00.387321       1 flags.go:57] FLAG: --ignored-vpa-object-namespaces=""
I0604 10:19:00.387323       1 flags.go:57] FLAG: --kube-api-burst="10"
I0604 10:19:00.387326       1 flags.go:57] FLAG: --kube-api-qps="5"
I0604 10:19:00.387329       1 flags.go:57] FLAG: --kubeconfig=""
I0604 10:19:00.387331       1 flags.go:57] FLAG: --log-backtrace-at=":0"
I0604 10:19:00.387335       1 flags.go:57] FLAG: --log-dir=""
I0604 10:19:00.387337       1 flags.go:57] FLAG: --log-file=""
I0604 10:19:00.387339       1 flags.go:57] FLAG: --log-file-max-size="1800"
I0604 10:19:00.387342       1 flags.go:57] FLAG: --logtostderr="true"
I0604 10:19:00.387344       1 flags.go:57] FLAG: --min-tls-version="tls1_2"
I0604 10:19:00.387347       1 flags.go:57] FLAG: --one-output="false"
I0604 10:19:00.387349       1 flags.go:57] FLAG: --port="8000"
I0604 10:19:00.387351       1 flags.go:57] FLAG: --profiling="false"
I0604 10:19:00.387353       1 flags.go:57] FLAG: --register-by-url="false"
I0604 10:19:00.387355       1 flags.go:57] FLAG: --register-webhook="true"
I0604 10:19:00.387358       1 flags.go:57] FLAG: --reload-cert="true"
I0604 10:19:00.387360       1 flags.go:57] FLAG: --skip-headers="false"
I0604 10:19:00.387362       1 flags.go:57] FLAG: --skip-log-headers="false"
I0604 10:19:00.387365       1 flags.go:57] FLAG: --stderrthreshold="0"
I0604 10:19:00.387376       1 flags.go:57] FLAG: --tls-cert-file="/etc/tls-certs/serverCert.pem"
I0604 10:19:00.387381       1 flags.go:57] FLAG: --tls-ciphers=""
I0604 10:19:00.387384       1 flags.go:57] FLAG: --tls-private-key="/etc/tls-certs/serverKey.pem"
I0604 10:19:00.387388       1 flags.go:57] FLAG: --v="4"
I0604 10:19:00.387392       1 flags.go:57] FLAG: --vmodule=""
I0604 10:19:00.387396       1 flags.go:57] FLAG: --vpa-object-namespace=""
I0604 10:19:00.387399       1 flags.go:57] FLAG: --webhook-address=""
I0604 10:19:00.387403       1 flags.go:57] FLAG: --webhook-failure-policy-fail="false"
I0604 10:19:00.387407       1 flags.go:57] FLAG: --webhook-labels=""
I0604 10:19:00.387410       1 flags.go:57] FLAG: --webhook-port=""
I0604 10:19:00.387414       1 flags.go:57] FLAG: --webhook-service="vpa-webhook"
I0604 10:19:00.387418       1 flags.go:57] FLAG: --webhook-timeout-seconds="30"
I0604 10:19:00.387443       1 main.go:88] "Starting Vertical Pod Autoscaler Admission Controller" version="1.4.1"
I0604 10:19:00.387857       1 envvar.go:172] "Feature gate default state" feature="InOrderInformers" enabled=true
I0604 10:19:00.387875       1 envvar.go:172] "Feature gate default state" feature="WatchListClient" enabled=false
I0604 10:19:00.387886       1 envvar.go:172] "Feature gate default state" feature="ClientsAllowCBOR" enabled=false
I0604 10:19:00.387891       1 envvar.go:172] "Feature gate default state" feature="ClientsPreferCBOR" enabled=false
I0604 10:19:00.387896       1 envvar.go:172] "Feature gate default state" feature="InformerResourceVersion" enabled=false
I0604 10:19:00.388134       1 reflector.go:357] "Starting reflector" type="*v1.VerticalPodAutoscaler" resyncPeriod="1h0m0s" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.388148       1 reflector.go:403] "Listing and watching" type="*v1.VerticalPodAutoscaler" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.397317       1 reflector.go:430] "Caches populated" type="*v1.VerticalPodAutoscaler" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.488770       1 api.go:106] "Initial VPA synced successfully"
I0604 10:19:00.489590       1 reflector.go:357] "Starting reflector" type="*v1.Job" resyncPeriod="10m0s" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.489609       1 reflector.go:403] "Listing and watching" type="*v1.Job" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.492184       1 reflector.go:430] "Caches populated" type="*v1.Job" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.590385       1 fetcher.go:103] "Initial sync completed" kind="Job"
I0604 10:19:00.590522       1 reflector.go:357] "Starting reflector" type="*v1.CronJob" resyncPeriod="10m0s" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.590540       1 reflector.go:403] "Listing and watching" type="*v1.CronJob" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.593130       1 reflector.go:430] "Caches populated" type="*v1.CronJob" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.691362       1 fetcher.go:103] "Initial sync completed" kind="CronJob"
I0604 10:19:00.691627       1 reflector.go:357] "Starting reflector" type="*v1.DaemonSet" resyncPeriod="10m0s" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.691649       1 reflector.go:403] "Listing and watching" type="*v1.DaemonSet" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.694565       1 reflector.go:430] "Caches populated" type="*v1.DaemonSet" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.791800       1 fetcher.go:103] "Initial sync completed" kind="DaemonSet"
I0604 10:19:00.791905       1 reflector.go:357] "Starting reflector" type="*v1.Deployment" resyncPeriod="10m0s" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.791918       1 reflector.go:403] "Listing and watching" type="*v1.Deployment" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.796667       1 reflector.go:430] "Caches populated" type="*v1.Deployment" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.892052       1 fetcher.go:103] "Initial sync completed" kind="Deployment"
I0604 10:19:00.892209       1 reflector.go:357] "Starting reflector" type="*v1.ReplicaSet" resyncPeriod="10m0s" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.892229       1 reflector.go:403] "Listing and watching" type="*v1.ReplicaSet" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.895072       1 reflector.go:430] "Caches populated" type="*v1.ReplicaSet" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.992412       1 fetcher.go:103] "Initial sync completed" kind="ReplicaSet"
I0604 10:19:00.992537       1 reflector.go:357] "Starting reflector" type="*v1.StatefulSet" resyncPeriod="10m0s" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.992549       1 reflector.go:403] "Listing and watching" type="*v1.StatefulSet" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:00.995015       1 reflector.go:430] "Caches populated" type="*v1.StatefulSet" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:01.092893       1 fetcher.go:103] "Initial sync completed" kind="StatefulSet"
I0604 10:19:01.093068       1 reflector.go:357] "Starting reflector" type="*v1.ReplicationController" resyncPeriod="10m0s" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:01.093096       1 reflector.go:403] "Listing and watching" type="*v1.ReplicationController" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:01.096091       1 reflector.go:430] "Caches populated" type="*v1.ReplicationController" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:01.193176       1 fetcher.go:103] "Initial sync completed" kind="ReplicationController"
I0604 10:19:01.193448       1 controller_fetcher.go:147] "Initial sync completed" kind="Deployment"
I0604 10:19:01.193474       1 controller_fetcher.go:147] "Initial sync completed" kind="ReplicaSet"
I0604 10:19:01.193483       1 controller_fetcher.go:147] "Initial sync completed" kind="StatefulSet"
I0604 10:19:01.193491       1 controller_fetcher.go:147] "Initial sync completed" kind="ReplicationController"
I0604 10:19:01.193499       1 controller_fetcher.go:147] "Initial sync completed" kind="Job"
I0604 10:19:01.193509       1 controller_fetcher.go:147] "Initial sync completed" kind="CronJob"
I0604 10:19:01.193516       1 controller_fetcher.go:147] "Initial sync completed" kind="DaemonSet"
I0604 10:19:01.193524       1 shared_informer.go:535] "Warning: the sharedIndexInformer has started, run more than once is not allowed"
I0604 10:19:01.193530       1 shared_informer.go:535] "Warning: the sharedIndexInformer has started, run more than once is not allowed"
I0604 10:19:01.193550       1 shared_informer.go:535] "Warning: the sharedIndexInformer has started, run more than once is not allowed"
I0604 10:19:01.193554       1 shared_informer.go:535] "Warning: the sharedIndexInformer has started, run more than once is not allowed"
I0604 10:19:01.193558       1 shared_informer.go:535] "Warning: the sharedIndexInformer has started, run more than once is not allowed"
I0604 10:19:01.193628       1 shared_informer.go:535] "Warning: the sharedIndexInformer has started, run more than once is not allowed"
I0604 10:19:01.193628       1 shared_informer.go:535] "Warning: the sharedIndexInformer has started, run more than once is not allowed"
I0604 10:19:01.193684       1 reflector.go:357] "Starting reflector" type="*v1.LimitRange" resyncPeriod="10m0s" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:01.193706       1 reflector.go:403] "Listing and watching" type="*v1.LimitRange" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
I0604 10:19:01.196342       1 reflector.go:430] "Caches populated" type="*v1.LimitRange" reflector="pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:285"
F0604 10:19:01.295051       1 config.go:83] no such file or directory

…which causes the vpa-updater to fail:

$ k -n kube-system logs vpa-updater-5849bc58f9-ghcdm
[...]
E0604 10:14:22.995773       1 updater.go:143] "Error getting Admission Controller status. Skipping eviction loop" err="leases.coordination.k8s.io \"vpa-admission-controller\" not found"

This doesn’t match the expected error in step 7/7:

pods_eviction_restriction.go:226] **too few replicas** for **ReplicaSet** default/**flask-app-b6c9c4f78**

Hi @rcambrj

This could happen due to issues with certificates for the Admission controller. If this occurs again, can you delete the secret named vpa-tls-certs in the kube-system namespace and try running ./hack/vpa-up.sh again?

The script generates the certs and stores them in the secret. If there is an issue with the generation or creation of the secret, the Admission controller Pod will go into CrashLoop.

That seems to have fixed the problem, thanks for the quick reply @Santosh_KodeKloud

The first time running vpa-up.sh I see:

Generating certs for the VPA Admission Controller in /tmp/vpa-certs.
Certificate request self-signature ok
subject=CN = vpa-webhook.kube-system.svc
Uploading certs to the cluster.
error: failed to create secret secrets "vpa-tls-certs" already exists

Then, after

kubectl -n kube-system delete secret vpa-tls-certs

I see:

Generating certs for the VPA Admission Controller in /tmp/vpa-certs.
Certificate request self-signature ok
subject=CN = vpa-webhook.kube-system.svc
Uploading certs to the cluster.
secret/vpa-tls-certs created
Deleting /tmp/vpa-certs.

Thanks again.
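
The cause discussed in this thread (an existing vpa-tls-certs secret that does not give the admission controller the certificate files its flags point at) can be confirmed before deleting anything. This is an added example, not part of the original posts: it compares the /etc/tls-certs file names in the controller's FLAG log lines with the keys in the secret. The function names are hypothetical, and it assumes the secret is what is mounted at /etc/tls-certs.

```shell
#!/bin/sh
# Added example, not from the thread. The /etc/tls-certs paths and the secret
# name vpa-tls-certs come from the page; function names are hypothetical.

# Log lines copied from the admission controller output quoted above.
sample_log() {
  cat <<'EOF'
I0604 10:19:00.387314       1 flags.go:57] FLAG: --client-ca-file="/etc/tls-certs/caCert.pem"
I0604 10:19:00.387376       1 flags.go:57] FLAG: --tls-cert-file="/etc/tls-certs/serverCert.pem"
I0604 10:19:00.387384       1 flags.go:57] FLAG: --tls-private-key="/etc/tls-certs/serverKey.pem"
F0604 10:19:01.295051       1 config.go:83] no such file or directory
EOF
}

# File names the controller will open under /etc/tls-certs, taken from the
# FLAG lines of its own startup log (read on stdin).
required_cert_files() {
  sed -n 's|.*FLAG: --[a-z-]*="/etc/tls-certs/\([^"/]*\)".*|\1|p' | sort -u
}

# Keys currently stored in the secret (needs cluster access; unused offline).
secret_keys() {
  kubectl -n kube-system get secret vpa-tls-certs \
    -o go-template='{{range $k, $v := .data}}{{$k}}{{"\n"}}{{end}}'
}

# Print each required file that is absent from the key names passed as
# arguments. Reads the controller log on stdin; returns 1 if any is missing.
missing_cert_files() {
  _rc=0
  for _need in $(required_cert_files); do
    _found=0
    for _have in "$@"; do
      if [ "$_have" = "$_need" ]; then _found=1; fi
    done
    if [ "$_found" -eq 0 ]; then echo "$_need"; _rc=1; fi
  done
  return "$_rc"
}

# Live use (POD is the crashing vpa-admission-controller pod):
#   kubectl -n kube-system logs "$POD" --previous | missing_cert_files $(secret_keys)
```

Any name it prints is a file the controller will fail to open; an empty result with a still-crashing pod points at the certificate contents rather than a missing key.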