
nginx-ingress-controller - CrashLoopBackOff - kubernetes on proxmox (kvm)


SOLVED: I used Debian 10 (Buster) and arptables wasn't in the legacy mode.

Here is the solution:

    sudo apt-get install -y iptables arptables ebtables
    update-alternatives --set iptables /usr/sbin/iptables-nft
    update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
    update-alternatives --set arptables /usr/sbin/arptables-nft
    update-alternatives --set ebtables /usr/sbin/ebtables-nft

See here: update-alternatives: error: alternative /usr/sbin/arptables-legacy for arptables not registered; not setting


I can't pinpoint exactly what the issue is, but the nginx ingress controller is in CrashLoopBackOff because it cannot reach the Kubernetes API Server at https://10.96.0.1:443. Probably there is some network or connectivity issue between the nginx ingress controller pod and the Kubernetes API Server.

Try to curl https://10.96.0.1:443 from another pod.


Speaking about certificate problem:

    curl https://10.96.0.1:443
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: https://curl.haxx.se/docs/sslcerts.html
    curl failed to verify the legitimacy of the server and therefore could not
    establish a secure connection to it. To learn more about this situation and
    how to fix it, please visit the web page mentioned above

You have two options to get this to work:

  1. Use cURL with the -k option, which allows curl to make insecure connections; that is, cURL does not verify the certificate.

  2. Add the root CA (the CA signing the server certificate) to /etc/ssl/certs/ca-certificates.crt

I think you should use option 2 as it's the option that ensures that you are connecting to a secure FTP server.

Speaking about readiness and liveness probes failures:

When CPU is 100% consumed on the node, nginx-ingress-controller immediately fails, because it doesn't have CPU requests, so it takes too long to answer http://:.../healthz (1 sec if I remember).

You should have CPU requests for nginx-ingress-controller, or never let pods on the node use 100% of CPU, which sounds impossible to control.

Also, you can change flannel to calico. Remove flannel, then install calico with the following commands:

    kubectl apply -f https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/hosted/etcd.yaml
    kubectl apply -f https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/rbac.yaml
    kubectl apply -f https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/hosted/calico.yaml

Take a look: limits-requests-nginx-ingress-controller, limit-range-pod, flannel-calico-nginx-ingress-controller, local-issuer.
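
Added example, not part of the original answers: from inside a pod, the curl test can keep certificate verification on by pointing curl at the cluster CA that Kubernetes mounts with the service account, which also separates a trust failure (curl exit 60) from the connectivity failure that crashes the ingress controller (exit 7 or 28). It assumes the default service account mount path and the ClusterIP from the question; the function names are made up for this example.

```shell
#!/bin/sh
# Assumption: default in-pod service account mount (override with SA_DIR).
SA_DIR="${SA_DIR:-/var/run/secrets/kubernetes.io/serviceaccount}"

# Map a curl exit status to the layer that failed.
classify_curl_exit() {
    case "$1" in
        0)    echo "ok" ;;           # TLS verified and an HTTP response came back
        6)    echo "dns" ;;          # could not resolve host
        7|28) echo "network" ;;      # connect refused or timed out: kube-proxy, iptables, CNI
        60)   echo "certificate" ;;  # server cert not signed by the CA we trust
        *)    echo "other" ;;
    esac
}

# Probe the API server with verification ON (no -k).
# Any HTTP status, even 401/403, proves the network path and TLS trust are fine,
# so --fail is deliberately not used and no token is sent.
probe_apiserver() {
    url="${1:-https://10.96.0.1:443}"
    ca="$SA_DIR/ca.crt"
    if [ ! -r "$ca" ]; then
        echo "missing-ca"
        return 2
    fi
    rc=0
    curl --silent --show-error --max-time 5 \
         --cacert "$ca" --output /dev/null "$url/version" || rc=$?
    classify_curl_exit "$rc"
    return "$rc"
}

# Usage inside a pod:
#   probe_apiserver                  # defaults to https://10.96.0.1:443
#   probe_apiserver https://kubernetes.default.svc
```

A result of "network" points at the iptables or CNI layer discussed in the answers above, while "certificate" means only the CA bundle handed to curl is wrong.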