calico-apiserver fails to start
This issue is seen in CI:
- example on a nightly run: https://gitlab.com/sylva-projects/sylva-core/-/jobs/12688171806
- example in an MR run: https://gitlab.com/sylva-projects/sylva-core/-/jobs/12686304459
calico-apiserver pods are failing to start, looping on:
```
time="2026-01-12T14:56:01Z" level=info msg="informer-sync check failed: readyz\n[-]informer-sync failed:
1 informers not started yet:
[*v1.ConfigMap]" klog-logger=tigera-apiserver
time="2026-01-12T14:56:19Z" level=error
msg="Failed to watch"
error="failed to list *v1.ConfigMap:
configmaps is forbidden:
User \"system:serviceaccount:calico-system:calico-apiserver\" cannot list resource \"configmaps\" in API group \"\" at the cluster scope"
klog-logger=tigera-apiserver
reflector="pkg/mod/k8s.io/client-go@v0.33.5/tools/cache/reflector.go:285" type="*v1.ConfigMap"
```
The apiserver pod ServiceAccount is lacking a role/rolebinding that would let it read some ConfigMaps.
Note well: this happens on fresh installs (e.g. https://gitlab.com/sylva-projects/sylva-core/-/jobs/12688212457) but without preventing the deployment from completing, because nothing waits for these pods to be up. However, it prevents update-xxx-cluster jobs from completing: with no calico-apiserver pods up, the PDB can't be satisfied during a node rolling update, and the symptom of this problem is a failure in the cluster unit, such as:
```
╰┄╴Machine/sylva-system/mgmt-22584847.. Terminating Resource scheduled for deletion
├┄╴┬┄┄[Conditions]
┆ ├┄╴Ready False Draining Drain not completed yet (started at 2026-01-12T18:52:19Z):
┆ ┆ * Pod calico-system/calico-apiserver-5ff48b7d86-sk4v5: cannot evict pod as it would violate the pod's disruption budget. The disruption budget calico-apiserver needs 1 healthy pods and has 0 currently
...
```
Edited by Thomas Morin
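
As an added example (not part of the issue, and not Sylva or Calico code), the script below extracts the denied permission from log records like the ones quoted above and builds the matching `kubectl auth can-i` check, so the missing RBAC grant can be confirmed before and after a fix. The sample log is constructed by rejoining the issue's wrapped records onto single lines, and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample: the two records quoted in the issue, rejoined onto single lines.
SAMPLE_LOG = r'''time="2026-01-12T14:56:01Z" level=info msg="informer-sync check failed: readyz\n[-]informer-sync failed: 1 informers not started yet: [*v1.ConfigMap]" klog-logger=tigera-apiserver
time="2026-01-12T14:56:19Z" level=error msg="Failed to watch" error="failed to list *v1.ConfigMap: configmaps is forbidden: User \"system:serviceaccount:calico-system:calico-apiserver\" cannot list resource \"configmaps\" in API group \"\" at the cluster scope" klog-logger=tigera-apiserver reflector="pkg/mod/k8s.io/client-go@v0.33.5/tools/cache/reflector.go:285" type="*v1.ConfigMap"
'''

# Kubernetes RBAC denial text. Quotes may be backslash-escaped when the
# message is embedded in a quoted log field, so each quote is matched as \\?".
FORBIDDEN = re.compile(
    r'User \\?"(?P<user>[^"\\]+)\\?" cannot (?P<verb>\w+) '
    r'resource \\?"(?P<resource>[^"\\]+)\\?" '
    r'in API group \\?"(?P<group>[^"\\]*)\\?" '
    r'(?:at the cluster scope|in the namespace \\?"(?P<namespace>[^"\\]+)\\?")'
)


def missing_permissions(log_text):
    """Return the distinct RBAC denials found in log_text, in first-seen order.

    namespace is None when the denial is at the cluster scope.
    """
    seen = {}
    for match in FORBIDDEN.finditer(log_text):
        denial = match.groupdict()
        seen.setdefault(tuple(denial.values()), denial)
    return list(seen.values())


def can_i_command(denial):
    """Build the kubectl argv that re-checks one denial by impersonating the subject."""
    resource = denial["resource"]
    if denial["group"]:  # core API group is the empty string
        resource += "." + denial["group"]
    if denial["namespace"] is None:
        scope = ["--all-namespaces"]
    else:
        scope = ["-n", denial["namespace"]]
    return ["kubectl", "auth", "can-i", denial["verb"], resource,
            "--as=" + denial["user"], *scope]


if __name__ == "__main__":
    for denial in missing_permissions(SAMPLE_LOG):
        print(shlex.join(can_i_command(denial)))
```

The printed command answers `no` while the grant is missing and `yes` once a role and binding cover it; running it requires impersonation rights on the cluster.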