Error reference

Config Sync error messages consist of an error ID in the format KNV1234 where 1234 is a unique number, followed by a description of the problem and a suggestion for how to fix it. This topic documents each of those error messages.

KNV1000: InternalError

The ID of InternalError changed to KNV9998 with Config Sync 1.6.1.

KNV1001: ReservedDirectoryNameError

Deprecated in Config Sync 1.3.

KNV1002: DuplicateDirectoryNameError

Deprecated in Config Sync 1.3.

KNV1003: IllegalNamespaceSubdirectoryError

When using the default repo structure, a directory that contains a namespace config must not contain any subdirectories.

A directory without a namespace config is an abstract namespace directory and has directories inheriting from it, and consequently must have subdirectories. A directory containing a namespace config is a namespace directory and cannot be inherited from, so it must not have any subdirectories.

To fix, either remove the namespace config from the parent directory, or move the subdirectory somewhere else.

This can happen if a directory containing a namespace has a subdirectory.

namespaces/
└── prod/
    ├── namespace.yaml
    └── us_west_1/

# namespaces/prod/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: prod

That directory structure and the contents of namespace.yaml produce this error:

KNV1003: A Namespace directory MUST NOT have subdirectories. Remove the
         Namespace policy from "prod", or move "us_west_1" to an Abstract
         Namespace:

path: namespaces/prod/us_west_1
name: us_west_1

KNV1004: IllegalSelectorAnnotationError

A cluster-scoped object must not declare the annotation configmanagement.gke.io/namespace-selector. NamespaceSelectors can only be declared for namespace scoped objects.

To fix the error, remove configmanagement.gke.io/namespace-selector from the metadata.annotations field.

The following ClusterRole config produces this error:

# cluster/namespace-reader-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: namespace-reader
  annotations: {
    "configmanagement.gke.io/namespace-selector" : "shipping-dev",
  }
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "watch"]

If you attempt to include this in your cluster, nomos vet returns the following error:

KNV1004: Cluster-scoped objects may not be namespace-selected, and so MUST NOT declare the annotation 'configmanagement.gke.io/namespace-selector'. To fix, remove `metadata.annotations.configmanagement.gke.io/namespace-selector` from:
source: cluster/namespace-reader-clusterrole.yaml
metadata.name: namespace-reader
group: rbac.authorization.k8s.io
version: v1
kind: ClusterRole

A Cluster object must not declare the annotation configmanagement.gke.io/cluster-selector. To fix the error, remove configmanagement.gke.io/cluster-selector from metadata.annotations.

If a Cluster object declares configmanagement.gke.io/cluster-selector, nomos vet returns the following error:

KNV1004: Clusters may not be cluster-selected, and so MUST NOT declare the annotation 'configmanagement.gke.io/cluster-selector'. To fix, remove `metadata.annotations.configmanagement.gke.io/cluster-selector` from:

source: clusterregistry/cluster.yaml
metadata.name: default-name
group: clusterregistry.k8s.io
version: v1alpha1
kind: Cluster

KNV1005: IllegalManagementAnnotationError

The only valid setting for the management annotation is configmanagement.gke.io/managed=disabled. This setting is used to explicitly unmanage a resource in the Git repository while leaving the config checked in. The annotation configmanagement.gke.io/managed=enabled is not necessary. For more information, see Managing objects.

Setting a different annotation will result in an error like the following:

KNV1005: Config has invalid management annotation configmanagement.gke.io/managed=invalid. If set, the value must be "disabled".

source: namespaces/foo/role.yaml
metadata.name: default-name
group: rbac.authorization.k8s.io
version: v1
kind: Role

KNV1006: ObjectParseError

This error occurs when an object declared in the repository could not be parsed. To fix, validate your yaml format with a tool such as kubectl --validate.

Example:

KNV1006: The following config could not be parsed as a rbac.authorization.k8s.io/v1, Kind=Role:

source: namespaces/foo/role.yaml
metadata.name: default-name
group: rbac.authorization.k8s.io
version: v1
kind: Role

KNV1007: IllegalAbstractNamespaceObjectKindError

When using an unstructured repo, configs must not be declared in an abstract namespace directory. For more information about using unstructured repos, see Using an unstructured repo.

KNV1007: Config "default-name" illegally declared in an abstract namespace directory. Move this config to a namespace directory:

source: namespaces/foo/bar/role.yaml
metadata.name: default-name
group: rbac.authorization.k8s.io
version: v1
kind: Role

KNV1009: IllegalMetadataNamespaceDeclarationError

When using the default repo structure, configs either declare namespace which match the namespace directory containing them or omit the field.

The following is an example of a Role config that triggers the error:

# namespaces/shipping-prod/pod-reader-role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: pod-reader
  namespace: shipping-dev
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]

If you declare a config with such a namespace, this error occurs:

KNV1009: A config MUST either declare a `namespace` field exactly matching the directory containing the config, "shipping-prod", or leave the field blank:

source: namespaces/shipping-prod/pod-reader-role.yaml
namespace: shipping-dev
metadata.name: pod-reader
group: rbac.authorization.k8s.io
version: v1
kind: Role

For more information about the default repo structure, see Structure of the repo.

KNV1010: IllegalAnnotationDefinitionError

Configs must not declare unsupported annotations starting with configmanagement.gke.io.

Supported annotations are:

  • configmanagement.gke.io/managed: For more information about use, see Managing objects.

  • configmanagement.gke.io/namespace-selector: For more information about use, see Namespace-scoped objects.

  • configmanagement.gke.io/cluster-selector: For more information about use, see ClusterSelectors.

Example error:

KNV1010: Configs MUST NOT declare unsupported annotations starting with
         "configmanagement.gke.io/". The config has invalid annotations:
         "configmanagement.gke.io/invalid", "configmanagement.gke.io/sync-token"

source: namespaces/foo/role.yaml
metadata.name: role
group: rbac.authorization.k8s.io
version: v1
kind: Role

KNV1011: IllegalLabelDefinition

Configs must not have labels with keys that begin with configmanagement.gke.io/. This label key prefix is reserved for use by Config Sync.

The following is an example of a ConfigMap that triggers this error:

# namespaces/prod/mymap.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: my-map
  labels:
    configmanagement.gke.io/bad-label: label-value
data:
  mydata: moredata

If you declare a config with such a label, this error occurs:

KNV1011: Configs MUST NOT declare labels starting with "configmanagement.gke.io/". The config has disallowed labels: "configmanagement.gke.io/bad-label"

source: namespaces/prod/mymap.yaml
metadata.name: my-map
group:
version: v1
kind: ConfigMap

KNV1012: NamespaceSelectorMayNotHaveAnnotation

Deprecated in Config Sync 1.3.

KNV1013: ObjectHasUnknownSelector

The config refers to a ClusterSelector or NamespaceSelector that does not exist. Before you can use a selector in an annotation for a config, the selector must exist.

If the selector is removed, remove any configs that refer to it as well. In this example, assume that there is no unknown-cluster-selector ClusterSelector in the clusterregistry/ directory of the repo.

# namespaces/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: foo
  annotations:
    configmanagement.gke.io/cluster-selector: unknown-cluster-selector

That causes this error:

KNV1013: Config "foo" MUST refer to an existing ClusterSelector, but has
         annotation
         “configmanagement.gke.io/cluster-selector=unknown-cluster-selector",
         which maps to no declared ClusterSelector

NamespaceSelector annotations have the additional requirement that the referenced NamespaceSelector be defined in either the same directory or a parent directory of the config reference. Failure to do so will result in this error:

KNV1013: Config "default-name" MUST refer to a NamespaceSelector in its directory or a parent directory. Either remove the annotation "configmanagement.gke.io/namespace-selector=default-ns-selector" from "default-name" or move NamespaceSelector "default-ns-selector" to a parent directory of "default-name".

    source: namespaces/bar/selector.yaml
    metadata.name: default-ns-selector
    group: configmanagement.gke.io
    version: v1
    kind: NamespaceSelector

    source: namespaces/foo/role.yaml
    metadata.name: default-name
    group: rbac.authorization.k8s.io
    version: v1
    kind: Role

KNV1014: InvalidSelectorError

ClusterSelector and NamespaceSelector configs use correct syntax, but a syntax error was found. To fix, ensure that you specify the config according to the appropriate data schema:

For example, this invalid ClusterSelector:

kind: ClusterSelector
apiVersion: configmanagement.gke.io/v1
metadata:
  name: selector-1
spec:
  selector:
    someUnknownField:  # This field is not defined for a LabelSelector
      foo: bar

Causes the following error:

KNV1014: ClusterSelector has validation errors that must be corrected: invalid field "someUnknownField"
    source: clusterregistry/cs.yaml
    metadata.name: selector-1
    group: configmanagement.gke.io
    version: v1
    kind: ClusterSelector

In particular, ClusterSelector and NamespaceSelector definitions define the spec.selector field. Failure to do so will cause the following error:

   KNV1014: NamespaceSelectors MUST define `spec.selector`

    source: namespaces/ns.yaml
    metadata.name: ns-selector-1
    group: configmanagement.gke.io
    version: v1
    kind: NamespaceSelector

KNV1016: PolicyManagementNotInstalledError

Deprecated in Config Sync 1.3.2.

KNV1017: MissingRepoError

When using the default repo structure, a Repo config must exist in the system/ directory of the repo and must include required information such as the repo's semantic version.

If a Repo config doesn't exist, the following error occurs:

KNV1017: The system/ directory must declare a Repo Resource.
path: system/

To fix, define at least a minimal Repo config.

# system/repo.yaml
kind: Repo
apiVersion: configmanagement.gke.io/v1
metadata:
  name: repo
spec:
  version: "0.1.0"

For more information about the default repo structure, see Structure of the repo.

KNV1018: IllegalSubdirectoryError

Deprecated in Config Sync 1.3.

KNV1019: IllegalTopLevelNamespaceError

When using the default repo structure, Namespaces must not be declared directly in namespaces/.

The following is a config that triggers the error:

# namespaces/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: namespaces
source: namespaces/namespace.yaml
metadata.name: namespaces
group:
version: v1
kind: Namespace

   KNV1019: Namespaces MUST be declared in subdirectories of 'namespaces/'. Create a subdirectory for the following Namespace configs:

    source: namespaces/namespace.yaml
    metadata.name: namespaces
    group:
    version: v1
    kind: Namespace

For more information about the default repo structure, see Structure of the repo.

KNV1020: InvalidNamespaceNameError

When using the default repo structure, a namespace config declare metadata.name, and its value must match the name of the namespace's directory. To fix, correct the namespace's metadata.name or its directory.

The following is a config that triggers the error:

# namespaces/prod/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: dev

KNV1020: A Namespace MUST declare `metadata.name` that matches the name of its
         directory.

expected `metadata.name`: prod

source: namespaces/prod/namespace.yaml
metadata.name: dev
group:
version: v1
kind: Namespace

For more information about the default repo structure, see Structure of the repo.

KNV1021: UnknownObjectError

KNV1021: No CustomResourceDefinition is defined for the resource in the cluster.
         Resource types that are not native Kubernetes objects must have a
         CustomResourceDefinition.

source: namespaces/foo/role.yaml
metadata.name: role
group: rbac.authorization.k8s.io
version: v1
kind: Role

KNV1024: IllegalKindInSystemError

KNV1024: Configs of this Kind may not be declared in the `system/` directory of
         the repo:

source: namespaces/foo/role.yaml
metadata.name: role
group: rbac.authorization.k8s.io
version: v1
kind: Role

KNV1027: UnsupportedRepoSpecVersion

The spec.version field in the Repo config represents the semantic version of the repo. This error indicates that you are using an unsupported version.

If your repo's format is compatible with the supported version, update the spec.version field.

If you need to upgrade, follow the instructions in the release notes.

# system/repo.yaml
kind: Repo
apiVersion: configmanagement.gke.io/v1
metadata:
  name: repo
spec:
  version: "0.0.0"

That produces this error:

KNV1027: Unsupported Repo spec.version: "0.0.0". Must use version "1.0.0"

source: system/repo.yaml
name: repo
group: configmanagement.gke.io
version: v1
kind: Repo

KNV1028: InvalidDirectoryNameError

KNV1028: Directory names have fewer than 64 characters, consist of lower case
         alphanumeric characters or '-', and must start and end with an
         alphanumeric character. Rename or remove directory:

path: namespaces/a.b`c
name: a.b`c

KNV1029: MetadataNameCollisionError

KNV1029: Configs of the same Kind MUST have unique names in the same Namespace
         and their parent abstract namespaces:

source: namespaces/foo/r1.yaml
metadata.name: role
group: rbac.authorization.k8s.io
version: v1
kind: Role

source: namespaces/foo/r2.yaml
metadata.name: role
group: rbac.authorization.k8s.io
version: v1
kind: Role

KNV1030: MultipleSingletonsError

KNV1030: Multiple Namespace resources cannot exist in the same directory. To fix, remove the duplicate config(s) such that no more than 1 remains:

source: namespaces/foo/namespace.yaml
metadata.name: foo
group:
version: v1
kind: Namespace

source: namespaces/foo/namespace.yaml
metadata.name: foo
group:
version: v1
kind: Namespace

KNV1031: MissingObjectNameError

All configs must declare metadata.name. To fix, add the metadata.name field to the problematic configs.

KNV1031: A config must declare metadata.name:

source: namespaces/foo/role.yaml
metadata.name:
group: rbac.authorization.k8s.io
version: v1
kind: Role

KNV1032: IllegalHierarchicalKindErrorCode

KNV1032: The type Repo.configmanagement.gke.io is not allowed if `sourceFormat` is set to `unstructured`. To fix, remove the problematic config, or convert your repo to use `sourceFormat: hierarchy`.

source: system/repo.yaml
metadata.name: repo
group: configmanagement.gke.io
version: v1
kind: Repo

KNV1033: IllegalSystemResourcePlacementError

Some Kinds can only be declared inside the system/ directory. The following is a list of Kinds that can exist exclusively in the system/ directory: - HierarchyConfig - Repo

KNV1033: A config of the below Kind MUST NOT be declared outside system/:

source: namespaces/foo/repo.yaml
metadata.name: repo
group: configmanagement.gke.io
version: v1
kind: Repo

KNV1034: IllegalNamespaceError

It is forbidden to declare the config-management-system namespace, or resources within it. To fix, remove the config-management-system namespace and any configs in that namespace.

KNV1034: Configs must not be declared in the "config-management-system" namespace

source: namespaces/config-management-system/role.yaml
namespace: namespaces/config-management-system
metadata.name: default-name
group: rbac.authorization.k8s.io
version: v1
kind: Role

KNV1034: The "config-management-system" namespace must not be declared

source: namespaces/config-management-system/namespace.yaml
metadata.name: config-management-system
group:
version: v1
kind: Namespace

KNV1036: InvalidMetadataNameError

The metadata.name supplied is of invalid format. A valid metadata.name must: - Be shorter than 254 characters. - Consist of lower case alphanumeric characters, ‘-’, or ‘.’. - Start and end with an alphanumeric character.

To fix, change the metadata.name to satisfy the above.

KNV1036: Configs MUST define a metadata.name that is shorter than 254
        characters, consists of lower case alphanumeric characters, '-' or '.',
         and must start and end with an alphanumeric character. Rename or remove
         the config:

source: namespaces/foo/role.yaml
metadata.name: a`b.c
group: rbac.authorization.k8s.io
version: v1
kind: Role

KNV1037: IllegalKindInClusterregistryError

Deprecated in Config Sync 1.3.

KNV1038: IllegalKindInNamespacesError

KNV1038: Configs of the below Kind may not be declared in `namespaces/`:

source: cluster/cr.yaml
metadata.name: role
group: rbac.authorization.k8s.io
version: v1
kind: ClusterRole

KNV1039: IllegalKindInClusterError

It is forbidden to declare a namespace-scoped object outside of namespaces/ or a cluster-scoped object outside of cluster/. To fix, relocate the problematic configs such that they are in a legal directory.

For more information about cluster-scoped objects, see Cluster-scoped objects.

For more information about namespace-scoped objects, see Namespace-scoped objects.

KNV1039: Namespace-scoped configs of the below Kind must not be declared in
         cluster/:

source: namespaces/foo/role.yaml
metadata.name: role
group: rbac.authorization.k8s.io
version: v1
kind: Role

KNV1040: UnknownResourceInHierarchyConfigError

Deprecated in Config Sync 1.3.

KNV1041: UnsupportedResourceInHierarchyConfigError

KNV1041: This Resource Kind MUST NOT be declared in a HierarchyConfig:

source: system/hc.yaml
group: configmanagement.gke.io
kind: Repo

KNV1042: IllegalHierarchyModeError

An illegal value for HierarchyMode was detected on a HierarchyConfig. HierarchyMode must be either none or inherit.

To read more about HierarchyConfigs see Disabling Inheritance for an Object Type.

KNV1042: HierarchyMode invalid is not a valid value for the APIResource Role.rbac.authorization.k8s.io. Allowed values are [none,inherit].

source: system/hc.yaml
metadata.name: default-name
group: configmanagement.gke.io
version: v1
kind: HierarchyConfig

KNV1043: UnsupportedObjectError

KNV1043: Config Sync cannot configure this object. To fix, remove this
         config from the repo.

source: namespaces/foo/role.yaml
metadata.name: role
group: rbac.authorization.k8s.io
version: v1
kind: Role

KNV1044: UnsyncableResourcesErrorCode

KNV1044: An Abstract Namespace directory with configs MUST have at least one
Namespace subdirectory. To fix, do one of the following: add a Namespace
directory below "bar", add a Namespace config to "bar", or remove the configs in
"bar":

path: namespaces/foo/bar/

KNV1045: IllegalFieldsInConfigError

KNV1045: Configs with "metadata.ownerReference" specified are not allowed. To
fix, either remove the config or remove the "metadata.ownerReference" field in
the config:

source: namespaces/foo/replicaset.yaml
metadata.name: replicaSet
group: apps
version: v1
kind: ReplicaSet

KNV1046: ClusterScopedResourceInHierarchyConfigError

KNV1046: This HierarchyConfig references the APIResource "ClusterSelector.configmanagement.gke.io" which has cluster scope. Cluster scoped objects are not permitted in HierarchyConfig.

source: system/hc.yaml
metadata.name: hierarchyconfig
group: configmanagement.gke.io
version: v1
kind: HierarchyConfig

KNV1047: UnsupportedCRDRemovalError

KNV1047: Removing a CRD and leaving the corresponding Custom Resources in the
repo is disallowed. To fix, remove the CRD along with the Custom Resources.

source: cluster/crd.yaml
metadata.name: customResourceDefinition
group: apiextensions.k8s.io
version: v1beta1
kind: CustomResourceDefinition

KNV1048: InvalidCRDNameError

KNV1048: The CustomResourceDefinition has an invalid name. To fix, change the
name to `spec.names.plural+"."+spec.group`.

source: cluster/crd.yaml
metadata.name: customResourceDefinition
group: apiextensions.k8s.io
version: v1beta1
kind: CustomResourceDefinition

KNV1050: DeprecatedGroupKindError

KNV1050: The config is using a deprecated Group and Kind. To fix, set the Group and Kind to "Deployment.apps"

source: namespaces/deployment.yaml
metadata.name: default-name
group: extensions
version: v1beta1
kind: Deployment

KNV 1058: BadScopeError

A Namespace repository can only declare namespace-scoped resources in the Namespace the repo applies to. For example, the repository for the shipping Namespace repo may only manage resources in the shipping namespace.

The value of metadata.namespace is optional. By default Config Sync assumes that all resources in a Namespace repository belong in that Namespace.

For example, if a config in the shipping Namespace repo declared metadata.namespace: billing, the nomos command prints the following error.

KNV1058: Resources in the "shipping" repo must either omit metadata.namespace or declare metadata.namespace="shipping"

namespace: billing
metadata.name: default-name
group: rbac.authorization.k8s.io
version: v1
kind: Role

KNV 1059: MultipleKptfilesError

A Namespace repository can declare at most one Kptfile resource.

For example, if a Namespace repository declared two Kptfiles, the nomos command prints the following error:

KNV1059: Namespace Repos may contain at most one Kptfile

metadata.name: package-a
group: kpt.dev
version: v1alpha1
kind: Kptfile

metadata.name: package-b
group: kpt.dev
version: v1alpha1
kind: Kptfile

For more information, see https://g.co/cloud/acm-errors#knv1059

KNV 1060: ManagementConflictError

Multiple repositories cannot declare the same config on one cluster. This is invalid as Config Sync may only sync a single instance of a config to a cluster.

If a config is declared more than once for a cluster, Config Sync syncs the Root repository's version of the config, and the Namespace reconciler displays an error like below:

KNV1060: The "shipping" reconciler cannot manage resources declared in the Root repository. Remove the declaration for this resource from either the Namespace repository, or the Root repository.

metadata.name: default-name
group: rbac.authorization.k8s.io
version: v1
kind: Role

KNV 1061: InvalidRepoSyncError

RepoSync objects must be properly configured in order for Config Sync to sync configuration from Namespace repos. An InvalidRepoSyncError reports that a RepoSync is improperly configured, with a message explicitly stating how to fix it.

For example, if the shipping repository must have a RepoSync named repo-sync, but the RepoSync is named invalid, the nomos command prints the following error.

KNV1061: RepoSyncs must be named "repo-sync", but the RepoSync for Namespace "shipping" is named "invalid"

metadata.name: invalid
group: configsync.gke.io
version: v1alpha1
kind: RepoSync

KNV1062: InvalidKptfileError

This error occurs when the Kptfile doesn't have a valid inventory field. A Kptfile should have a non empty inventory field with both identifier and namespace specified. To fix it, you need to specify the valus for .inventory.identifier and .inventory.namespace in the Kptfile.

Example errors:

KNV1062: Invalid inventory invalid name

metadata.name: default-name
group: kpt.dev
version: v1alpha1
kind: Kptfile

KNV1063: KptfileExistError

This error occurs when Kptfiles are found in the Root repository. Kptfiles are only supported in namespace-scoped repos.

To fix, remove the Kptfiles from the Root repo.

Example errors:

KNV1063: Found Kptfile(s) in the Root Repo. Kptfile(s) are only supported in Namespace Repos. To fix, remove the Kptfile(s) from the Root Repo.

namespace: namespace
metadata.name: default-name
group: kpt.dev
version: v1alpha1
kind: Kptfile

For more information, see https://g.co/cloud/acm-errors#knv1063

KNV1064: InvalidAPIResourcesError

This error indicates that the api-resources.txt file in a repository could not be parsed.

Example errors:

KNV1064: invalid NAMESPACED column value "other" in line:
rbac      other     Role

Re-run "kubectl api-resources > api-resources.txt" in the root policy directory

path: /api-resources.txt

For more information, see https://g.co/cloud/acm-errors#knv1064


KNV1064: unable to find APIGROUP column. Re-run "kubectl api-resources > api-resources.txt" in the root policy directory

path: /api-resources.txt

For more information, see https://g.co/cloud/acm-errors#knv1064


KNV1064: unable to read cached API resources: missing file permissions

path: /api-resources.txt

For more information, see https://g.co/cloud/acm-errors#knv1064

KNV1065: MalformedCRDError

This error occurs when the CustomResourceDefinition is malformed. To fix, check the field specified by the error message and make sure its value is correctly formatted.

Example errors:

KNV1065: malformed CustomResourceDefinition: spec.names.shortNames accessor error: foo is of the type string, expected []interface{}.

path: namespaces/foo/crd.yaml

For more information, see https://g.co/cloud/acm-errors#knv1065

KNV1066: ClusterSelectorAnnotationConflictError

A config object MUST declare ONLY ONE cluster-selector annotation. This error occurs when both the legacy annotation (configmanagement.gke.io/cluster-selector) and the inline annotation (configsync.gke.io/cluster-name-selector) exist.

To fix it, remove one of the annotations from the metadata.annotations field.

For example, if a Namespace config declared both annotations, the nomos command prints the following error:

KNV1066: Config "my-namespace" MUST declare ONLY ONE cluster-selector annotation, but has both inline annotation "configsync.gke.io/cluster-name-selector" and legacy annotation "configmanagement.gke.io/cluster-selector". To fix, remove one of the annotations from:

metadata.name: my-namespace
group:
version: v1
kind: Namespace

For more information, see https://g.co/cloud/acm-errors#knv1066

KNV2001: pathError

This occurs when an OS-level system call accessing a filesystem resource fails.

KNV2002: apiServerError

This occurs when a request accessing the API Server fails.

KNV2003: osError

This occurs when a generic OS-level system call fails.

KNV2004: SourceError

This error indicates that Config Sync cannot read from the repo. It is usually caused by one of the following:

  • Misconfigured ConfigManagement object

    Check for mistakes such as an incorrect value for policyDir. The value of policyDir is included in the error; verify the value against your Git repository.

  • Invalid Git credentials

    Check the logs for the git-sync container for an error such as Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. or Invalid username or password. Authentication failed for ....

    Verify that the Git credentials and the git-creds Secret are configured correctly.

  • Invalid Git repository URL

    Check the logs for the git-sync container for an error such as Repository not found.

  • Invalid Git branch

    Check the logs for the git-sync container for an error such as Remote branch BRANCH_NAME not found in upstream origin.

The error message might not include the full details for what caused the error, but it does provide a command which prints the logs from the git-sync container which might have more information.

If you are using multi-repo:

kubectl logs -n config-management-system -l app=reconciler -c git-sync

If you are not using multi-repo:

kubectl logs -n config-management-system -l app=git-importer -c git-sync

KNV2005: ResourceFightWarning

This error indicates that Config Sync is fighting with another controller over a resource. Such fights consume a high amount of resources and can degrade your performance. Fights are also known as resource contention.

To detect fights, check the Config Sync git-importer logs by running the following command:

kubectl logs --namespace config-management-system deployment/git-importer CONTAINER_NAME

Replace CONTAINER_NAME with either importer, fs- watcher, or git-sync. Since git-importer consists of these three components, you can use any of them to check the git-importer logs. git-sync clones the remote Git repository. importer flattens the repo hierarchy and reconciles it using the API server, checking for errors as it does so. fs- watcher runs the importer container in a mode that logs file system changes for the repository.

If you see KNV2005 in the results, then there is a resource fight.

To find more information about any resource conflicts, watch updates to the resource's YAML file by running the following command:

 kubectl get resource --watch -o yaml

Replace resource with the kind of resource that is being fought over. You can see which resource to add based on the log results.

This command returns a stream of the state of the resource after updates are applied to the API server. You can use a file comparison tool to compare the output.

Some resources should belong to other controllers (for example, some operators install or maintain CRDs). These other controllers automatically remove any metadata specific to Config Sync. If another component in your Kubernetes cluster removes Config Sync metadata, stop managing the resource. For information about how to do this, see Stop managing a managed object.

KNV2006: Config Management Errors

In order to help prevent accidental deletion, Config Sync does not allow you to remove all namespaces or cluster-scoped resources in a single commit. If you want to delete the full set of resources under management, it requires two steps:

  1. Remove all but one namespace or cluster-scoped resource in a first commit and allow Config Sync to sync those changes.
  2. Remove the final resource in a second commit.

KNV2008: APIServerConflictError

This type of error occurs when a resource on the API Server is modified or deleted while Config Sync is also attempting to modify it. If this type of error only appears at startup or infrequently, you can ignore these errors.

If these errors are not transient (persisting multiple minutes), it may indicate a serious issue and nomos status reports resource conflicts.

Example errors:

KNV2008: tried to create resource that already exists: already exists

metadata.name: default-name
group: rbac.authorization.k8s.io
version: v1
kind: Role

For more information, see https://g.co/cloud/acm-errors#knv2008


KNV2008: tried to update resource which does not exist: does not exist

metadata.name: default-name
group: rbac.authorization.k8s.io
version: v1
kind: Role

For more information, see https://g.co/cloud/acm-errors#knv2008


KNV2008: tried to update with stale version of resource: old version

metadata.name: default-name
group: rbac.authorization.k8s.io
version: v1
kind: Role

For more information, see https://g.co/cloud/acm-errors#knv2008

KNV2010: resourceError

This is a generic error indicating a problem with a resource or set of resources. The message includes the specific resources which caused the error.

KNV2010: Resources were improperly formatted.

Affected resources:
source: system/hc.yaml
group: configmanagement.gke.io
kind: Repo

KNV2011: MissingResourceError

This indicates a specific resource is required to proceed, but the resource was not found. For example, Config Sync Operator tried to update a resource, but the resource was deleted while calculating the update.

KNV2012: MultipleSingletonsError

This error reports that more than one instance of an APIResource was found in a context where exactly one of that APIResource is allowed. For example, only one Repo resource may exist on a cluster.

KNV2013: InsufficientPermissionError

This error occurs when a namespace reconciler has insufficient permissions to manage resources. To fix, make sure the reconciler has sufficient permissions.

Example errors:

KNV2013: could not create resources: Insufficient permission. To fix, make sure the reconciler has sufficient permissions.: deployments.apps is forbidden: User 'Bob' cannot create resources

For more information, see https://g.co/cloud/acm-errors#knv2013

KNV9998: InternalError

KNV9998 indicates a problem with the nomos command itself. Please file a bug report with the exact command you ran and the message you received.

Example errors:

KNV9998: we made a mistake: internal error

For more information, see https://g.co/cloud/acm-errors#knv9998

KNV9999: UndocumentedError

You've encountered an error with no documented error message. We haven't yet written documentation specific to the error you encountered.

What's next