validating webhook configuration not getting any request

Question

I have defined a validatingWebhook configuration with a custom controller that is deployed as a Deployment. The snippet for the validatingWebhook is below:

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: validate-webhook
  namespace: admission-test
webhooks:
  - name: admission.validate.com
    namespaceSelector:
      matchExpressions:
        - key: app
          operator: NotIn
          values: ["admission-test"]
    rules:
      - apiGroups:   ["*"]
        apiVersions: ["v1","v1beta1","v1alpha1"]
        operations:  ["CREATE","UPDATE"]
        resources:   ["deployments","daemonsets","statefulsets","cronjobs", "rollouts", "jobs"]
        scope:       "Namespaced"
    clientConfig:
      service:
        namespace: admission-test
        name: admission-test
        # service port
        port: 8090
        path: /verify
    admissionReviewVersions: ["v1"]
    sideEffects: None

And in my application I have defined an HTTP handler; the snippet is below:

http.HandleFunc("/verify", servePod)
http.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(200)
	klog.Infoln("hittinh healthz")
	w.Write([]byte("ok"))
})
server := &http.Server{
	Addr:      fmt.Sprintf(":%d", port),
	TLSConfig: admission.ConfigTLS(config),
}

I am trying to create another simple nginx deployment, which can be found here, but when I try to print the body of /verify in the custom controller that I wrote, I don't get anything. In fact, it's like the other deployments are not passing through the admission controller.

Any pointers on why this is happening? Much appreciated

Running Kubernetes version:

kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.4", GitCommit:"3cce4a82b44f032d0cd1a1790e6d2f5a55d20aae", GitTreeState:"clean", BuildDate:"2021-08-11T18:16:05Z", GoVersion:"go1.16.7", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.4", GitCommit:"3cce4a82b44f032d0cd1a1790e6d2f5a55d20aae", GitTreeState:"clean", BuildDate:"2021-08-11T18:10:22Z", GoVersion:"go1.16.7", Compiler:"gc", Platform:"linux/amd64"} 

The k8s cluster is running via Docker Desktop.

Answer 1

Score: 1

It's passing through the validation controller because it's set as scope: "Namespaced", and I can't see any namespace specified in your nginx deployment file. You can add any working namespace or change your scope to "*".

You can find more information about the rules in the official documentation
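
A simplified model of how the API server decides whether to call a webhook, using the rule and namespaceSelector from the question. This is an added example, not code from the post or from Kubernetes: the type and function names are hypothetical, the request is constructed, and only namespaced resource types without subresources are modelled.

```go
package main

import "fmt"

// Rule mirrors one webhooks[].rules entry, Expr one namespaceSelector expression.
type Rule struct{ Groups, Versions, Ops, Resources []string; Scope string }
type Expr struct{ Key, Operator string; Values []string }

// Request is a constructed stand-in for the attributes of one API request.
type Request struct {
	Group, Version, Op, Resource string
	Namespaced                   bool              // fixed by the resource type
	NSLabels                     map[string]string // labels on the target Namespace
}

// has reports whether list contains v; wild also accepts a "*" entry.
func has(list []string, v string, wild bool) bool {
	for _, x := range list {
		if x == v || (wild && x == "*") {
			return true
		}
	}
	return false
}

// Matches models the rule and namespaceSelector checks for namespaced resources.
func Matches(r Rule, sel []Expr, q Request) bool {
	scopeOK := r.Scope == "*" || (r.Scope == "Namespaced") == q.Namespaced
	if !scopeOK || !has(r.Groups, q.Group, true) || !has(r.Versions, q.Version, true) ||
		!has(r.Ops, q.Op, true) || !has(r.Resources, q.Resource, true) {
		return false
	}
	for _, e := range sel { // every expression must hold
		val, present := q.NSLabels[e.Key]
		in := present && has(e.Values, val, false)
		if (e.Operator == "In" && !in) || (e.Operator == "NotIn" && in) ||
			(e.Operator == "Exists" && !present) || (e.Operator == "DoesNotExist" && present) {
			return false
		}
	}
	return true
}

func main() { // rule and selector values are copied from the configuration on this page
	rule := Rule{[]string{"*"}, []string{"v1", "v1beta1", "v1alpha1"}, []string{"CREATE", "UPDATE"},
		[]string{"deployments", "daemonsets", "statefulsets", "cronjobs", "rollouts", "jobs"}, "Namespaced"}
	sel := []Expr{{"app", "NotIn", []string{"admission-test"}}}
	q := Request{"apps", "v1", "CREATE", "deployments", true, map[string]string{"app": "admission-test"}}
	fmt.Println("webhook called:", Matches(rule, sel, q))
}
```

In this model, a CREATE of apps/v1 deployments matches in every namespace whose labels do not include app=admission-test, because NotIn also holds when the label key is absent. A namespace that carries that label is the one case the selector excludes.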

huangapple
  • Published on December 9, 2021, 14:46:34
  • When reposting, please keep the link to this article: https://go.coder-hub.com/70285714.html