IBM Cloud Docs
Common issues with worker nodes

Common issues with worker nodes

Virtual Private Cloud Classic infrastructure

Review common error messages and learn how to resolve them. Messages might begin with the prefix, '<provider>' infrastructure exception:, where <provider> identifies which infrastructure provider the worker node uses.

Account prohibited from ordering

Message:

Your account is currently prohibited from ordering 'Computing Instances'.

Description and resolution:

Your IBM Cloud infrastructure account might be restricted from ordering compute resources. Contact IBM Cloud support by opening an IBM Cloud support case.

Could not place order

Message:

Could not place order.

Could not place order. There are insufficient resources behind router 'router_name' to fulfill the request for the following guests: 'worker_id'.

Description and resolution: The zone that you selected might not have enough infrastructure capacity to provision your worker nodes. Or, you might have exceeded a limit in your IBM Cloud infrastructure account.

To resolve, try one of the following options:

  • Infrastructure resource availability in zones can fluctuate often. Wait a few minutes and try again.
  • For a single zone cluster, create the cluster in a different zone. For a multizone cluster, add a zone to the cluster.
  • Specify a different pair of public and private VLANs for your worker nodes in your IBM Cloud infrastructure account. For worker nodes that are in a worker pool, you can use the ibmcloud ks zone network-set [command](/docs/containers?topic=containers-kubernetes-service-cli
  • Contact your IBM Cloud infrastructure account manager to verify that you don't exceed an account limit, such as a global quota.
  • Open an IBM Cloud infrastructure support case.

Could not obtain network VLAN

Message:

Could not obtain network VLAN with ID: <vlan-id>

Description and resolution:

Your worker node could not be provisioned because the selected VLAN ID could not be found for one of the following reasons:

  • You might have specified the VLAN number instead of the VLAN ID. The VLAN number is 3 or 4 digits long, whereas the VLAN ID is 7 digits long. To retrieve the VLAN ID, run ibmcloud ks vlan ls --zone <zone>.
  • The VLAN ID might not be associated with the IBM Cloud infrastructure account that you use. To list available VLAN IDs for your account, run ibmcloud ks vlan ls --zone <zone> . To change the IBM Cloud infrastructure account, see ibmcloud ks credential set.

Location invalid

Message:

The location provided for this order is invalid

Description and resolution:

Your IBM Cloud infrastructure is not set up to order compute resources in the selected data center. Contact IBM Cloud support to verify that you account is set up correctly.

Permissions error

Message:

The user does not have the necessary classic infrastructure permissions to add servers

'Item' must be ordered with permission.

The credentials could not be validated.

'<Provider>' infrastructure request not authorized

Description and resolution:

You might not have the required permissions to perform the action in your IBM Cloud infrastructure portfolio, or you are using the wrong infrastructure credentials. See Setting up the API key to enable access to the infrastructure portfolio.

Firewall error

Message:

Worker unable to talk to IBM Cloud Kubernetes Service servers. Please verify your firewall setup is allowing traffic from this worker.

Description and resolution:

If you have a firewall, configure your firewall settings to allow outgoing traffic to the appropriate ports and IP addresses.

Check whether your cluster does not have a public IP by running ibmcloud ks worker ls --cluster <mycluster>. If no public IP is listed, then your cluster has only private VLANs. * If you want the cluster to have only private VLANs, set up your VLAN connection and your firewall. * If you created the cluster with only the private cloud service endpoint before you enabled your account for VRF and service endpoints, your workers can't connect to the master. Try setting up the public cloud service endpoint so that you can use your cluster until your support cases are processed to update your account. If you still want a private cloud service endpoint only cluster after your account is updated, you can then disable the public cloud service endpoint. * If you want the cluster to have a public IP, add new worker nodes with both public and private VLANs.

Hard reboot

Message:

The worker did not respond to the soft reboot request. A hard reboot might be necessary.

Description and resolution:

Although you issued a reboot on your worker node, the worker node is unresponsive. You can rerun the reboot command with the --hard option to power off the worker node, or run the worker reload command.

Instance can't be found

Message:

can't create IMS portal token, as no IMS account is linked to the selected BSS account

Provided user not found or active

User account is currently cancel_pending.

The worker node instance '<ID>' can't be found. Review '<provider>' infrastructure user permissions.

The worker node instance can't be found. Review '<provider>' infrastructure user permissions.

The worker node instance can't be identified. Review '<provider>' infrastructure user permissions.

Description and resolution:

The owner of the API key that is used to access the IBM Cloud infrastructure portfolio does not have the required permissions to perform the action, or might be pending deletion.

As the user, follow these steps:

  1. If you have access to multiple accounts, make sure that you are logged in to the account where you want to work with IBM Cloud Kubernetes Service.
  2. Run ibmcloud ks api-key info --cluster <cluster_name_or_ID> to view the current API key owner that is used to access the IBM Cloud infrastructure portfolio.
  3. Run ibmcloud account list to view the owner of the IBM Cloud account that you currently use.
  4. Contact the owner of the IBM Cloud account and report that the API key owner has insufficient permissions in IBM Cloud infrastructure or might be pending to be deleted.

As the account owner, follow these steps:

  1. Review the required classic permissions in IBM Cloud infrastructure to perform the action that previously failed. For the VPC infrastructure provider, the API key owner must have the Administrator platform access role.
  2. Fix the permissions of the API key owner or create a new API key by using the ibmcloud ks api-key reset --region <region> command.
  3. If you or another account admin manually set IBM Cloud infrastructure credentials in your account, run ibmcloud ks credential unset --region <region> to remove the credentials from your account.