Hi, I followed your guide and deployed the webhook outside the cluster, but I get an error whenever the webhook is called.
I am using Ubuntu 20.04; the cluster was created with kind (Kubernetes version 1.23.4), and I did not change anything except the IP address.
Could you please help me out TAT
Thank you sooooo much!
Error from server (InternalError): Internal error occurred: failed calling webhook "denyenv.zeng.dev": failed to call webhook: Post "https://192.168.230.129:8000/validate?timeout=3s": http: server gave HTTP response to HTTPS client
I use cert-manager for TLS certificate management
(Actually, I tried to use Kubernetes CertificateSigningRequest as well, but the same error happens QAQ)
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
and I verified the installation
root@ren-virtual-machine:/home/ren/goworkplace/src/webhook# kubectl get pods --namespace cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-64d9bc8b74-fmqll 1/1 Running 0 73s
cert-manager-cainjector-6db6b64d5f-z6k52 1/1 Running 0 73s
cert-manager-webhook-6c9dd55dc8-vz4n5 1/1 Running 0 73s
After that, I followed your guide to create the self-signed issuer, the secret and the webhook configuration:
root@ren-virtual-machine:/home/ren/goworkplace/src/webhook# kubectl apply -f k-cert-manager.yaml
issuer.cert-manager.io/denyenv-selfsigned-issuer created
certificate.cert-manager.io/denyenv-tls-secret created
root@ren-virtual-machine:/home/ren/goworkplace/src/webhook# kubectl get ValidatingWebhookConfiguration denyenv -o yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
annotations:
cert-manager.io/inject-ca-from: default/denyenv-tls-secret
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"admissionregistration.k8s.io/v1","kind":"ValidatingWebhookConfiguration","metadata":{"annotations":{"cert-manager.io/inject-ca-from":"default/denyenv-tls-secret"},"name":"denyenv"},"webhooks":[{"admissionReviewVersions":["v1"],"clientConfig":{"caBundle":"","url":"https://192.168.230.129:8000/validate"},"failurePolicy":"Fail","matchPolicy":"Exact","name":"denyenv.zeng.dev","objectSelector":{"matchExpressions":[{"key":"app","operator":"NotIn","values":["denyenv"]}]},"rules":[{"apiGroups":[""],"apiVersions":["v1"],"operations":["CREATE"],"resources":["pods"],"scope":"*"}],"sideEffects":"None","timeoutSeconds":3}]}
creationTimestamp: "2022-05-13T10:14:03Z"
generation: 2
name: denyenv
resourceVersion: "1486"
uid: 930c086a-c4b7-402b-80c2-a602ff69574b
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURXVENDQWtHZ0F3SUJBZ0lRZlViK0Rwc1R5bWd3YWhPVDEvKzdhekFOQmdrcWhraUc5dzBCQVFzRkFEQXQKTVJFd0R3WURWUVFLRXdoNlpXNW5MbVJsZGpFWU1CWUdBMVVFQXhNUFpHVnVlV1Z1ZGk1a1pXWmhkV3gwTUI0WApEVEl5TURVeE16RXdNVE15TjFvWERUSXpNRFV4TXpFd01UTXlOMW93TFRFUk1BOEdBMVVFQ2hNSWVtVnVaeTVrClpYWXhHREFXQmdOVkJBTVREMlJsYm5sbGJuWXVaR1ZtWVhWc2REQ0NBU0l3RFFZSktvWklodmNOQVFFQkJRQUQKZ2dFUEFEQ0NBUW9DZ2dFQkFLTWkvRmlSQVlmWTA3ZFRxUUVlbEVRc1ErOEVWRjZuMVpoL1N5RkR5RytHcnVmZQp3OStvb0xkbEg3V3BnSWRZZ3JvYjVKVkVSbHRCQ1ZNeHRDc2VFandLOCtlSWNJOEx6bXY0UFJpRDFzVnQyeHp0ClBYTUk1YkMzNlZaaGtXRlp2eUJRWGZBYnVQWExyazRLTTk1TFFBVWdzYnROQ0QwWnNoSGY5VzRnRG9pOTgrc1EKc2svZE15ZEFYd3NWbmlWNGR6dmVnTXd4Qy8wUzNKcm1SU2RsY0xhTTRmOTEvQU5UazZ0aUcrQmNwNmtNSUJYWgpkZ1RzTmovWVk2b3BQSXVzdm42TXU4TlBkZnhPM2VYMmU0dHZ4Z2VSS0hiMzRuQjlucU1SR2pPTko1ZUV3VXZZCmhNY0k0cmFwbkxTc0F5UDBJbDdyNks1cVB3ZmtIUTZSVzBUK1F0RUNBd0VBQWFOMU1ITXdEZ1lEVlIwUEFRSC8KQkFRREFnV2dNQk1HQTFVZEpRUU1NQW9HQ0NzR0FRVUZCd01CTUF3R0ExVWRFd0VCL3dRQ01BQXdQZ1lEVlIwUgpCRGN3TllJSFpHVnVlV1Z1ZG9JUFpHVnVlV1Z1ZGk1a1pXWmhkV3gwZ2hOa1pXNTVaVzUyTG1SbFptRjFiSFF1CmMzWmpod1RBcU9hQk1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQkh2TkxzMXkrVDVva20xbnR3V2oySUJ4bHYKRG43QnhnUUx2bGc4NG1kaXFNNEl1VENkd2E5M2l6M2dFVWlzNTU1MWZXZjhxUGExMEdnSlVFOWQzSWNXM3NacwpwbEMvRXJCM2NUWnNZMUFFQVByWWNsRVlhRFZ5NTB6Y2htV0xqNEdqcG0yVUpBS0VxdFcvOVM2TGF4c0VkTVpKCkRrTmZLN3liR2ZoUGNlOWU5SDdvZnZwZTZvdDBaSUpIcFNsT0tYTDgzTzJYY2dqZkhrLzhENWVyaXZHWnlmaDYKUGVTZUhVQWhJbUhrbVNXY2VCWVEzTE9jOFR3RUtSdjhjYXRNTXd1SHZvdklGV1E3emFPS1dEVTJLeDVIaVk3agpjWmRCb0xYUEdEK1ZTK3BtNjBsQXNTMDNhOTVOaUpXMmN5eGxMRnZNZS84ZzA5Mk5CWVJrb1ozd2gvYjQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
url: https://192.168.230.129:8000/validate
failurePolicy: Fail
matchPolicy: Exact
name: denyenv.zeng.dev
namespaceSelector: {}
objectSelector:
matchExpressions:
- key: app
operator: NotIn
values:
- denyenv
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
scope: '*'
sideEffects: None
timeoutSeconds: 3
After that, I extracted the cert and key from the secret, started the webhook from VS Code, and then tested it:
root@ren-virtual-machine:/home/ren/goworkplace/src/webhook# kubectl get secret denyenv-tls-secret -o jsonpath={.data.'tls\.crt'} | base64 -d > tls.crt
root@ren-virtual-machine:/home/ren/goworkplace/src/webhook# kubectl get secret denyenv-tls-secret -o jsonpath={.data.'tls\.key'} | base64 -d > tls.
root@ren-virtual-machine:/home/ren/goworkplace/src/webhook# kubectl run nginx --image nginx --env='FOO=BAR'
Error from server (InternalError): Internal error occurred: failed calling webhook "denyenv.zeng.dev": failed to call webhook: Post "https://192.168.230.129:8000/validate?timeout=3s": http: server gave HTTP response to HTTPS client