[英]multiple ingress-nginx in kubernetes not validating webhook not working
As stated in the title, I currently have a configuration with 2 ingress-nginx v1.0.0 on gke v1.20.10.如标题所述,我目前在 gke v1.20.10 上配置了 2 个 ingress-nginx v1.0.0。
When I deploy one alone the configuration is working and I have no issue, but when I deploy the second one the validatingwebhook and then try to deploy an ingress the 2 validatingwebhook try to evaluate the newly created ingress.当我单独部署一个时,配置工作正常并且我没有问题,但是当我部署第二个 validatingwebhook 然后尝试部署一个入口时,2 个 validatingwebhook 尝试评估新创建的入口。
This result in this error:这导致了这个错误:
**Error from server (InternalError): error when creating "ingress-example.yaml": Internal error occurred: failed calling webhook "validate.nginx-public.ingress.kubernetes.io": Post "https://ingress-nginx-controller-admission-public.ingress-nginx.svc:443/networking/v1/ingresses?timeout=10s": x509: certificate is valid for ingress-nginx-controller-admission-private, ingress-nginx-controller-admission-private.ingress-nginx.svc, not ingress-nginx-controller-admission-public.ingress-nginx.svc**
I checked and everything seems to be correctly separated, my validatingwebhook is deployed like that, the {{ ingress_type }} is a placeholder for -public or -private:我检查了一下,一切似乎都正确分开了,我的 validatingwebhook 就是这样部署的,{{ ingress_type }} 是 -public 或 -private 的占位符:
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.0
app.kubernetes.io/component: admission-webhook
name: ingress-nginx-admission{{ ingress_type }}
webhooks:
- name: validate.nginx{{ ingress_type }}.ingress.kubernetes.io
matchPolicy: Equivalent
objectSelector:
matchLabels:
ingress-nginx : nginx{{ ingress_type }}
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
failurePolicy: Fail
sideEffects: None
admissionReviewVersions:
- v1
clientConfig:
service:
namespace: ingress-nginx
name: ingress-nginx-controller-admission{{ ingress_type }}
path: /networking/v1/ingresses
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/version: 1.0.0
app.kubernetes.io/component: controller
name: ingress-nginx-controller-admission{{ ingress_type }}
spec:
type: ClusterIP
ports:
- name: https-webhook
port: 443
targetPort: webhook
appProtocol: https
selector:
app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
I can't seem to find a solution, there is an old github issue on that with no answer, maybe I'm doing something wrong but I just can't see it.我似乎找不到解决方案,有一个旧的 github 问题没有答案,也许我做错了什么但我看不到它。
As asked in comment, here is the ingress-example I'm trying to deploy, this works perfectly fine with only one ingress, not with two:正如评论中所问,这是我正在尝试部署的入口示例,它只适用于一个入口,而不适用于两个入口:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
kubernetes.io/ingress.class: nginx-private
# external-dns.alpha.kubernetes.io/target: "IP"
labels:
ingress-nginx : nginx-public
spec:
rules:
- host: hello.MYDOMAINHERE
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web
port:
number: 8080
So for those that may encounter this error.所以对于那些可能会遇到这个错误的人。
I tried different things before finding what was wrong.在找到问题所在之前,我尝试了不同的方法。 You have to rename all the labels but the version of the ingress-nginx, I did not think that it would break for so little, but it does.
你必须重命名所有标签,但 ingress-nginx 的版本,我不认为它会破坏这么少,但确实如此。 In the end I'm using something like this:
最后我使用的是这样的:
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
app.kubernetes.io/instance: ingress-nginx{{ ingress_type }}
app.kubernetes.io/version: 1.0.0
app.kubernetes.io/component: admission-webhook{{ ingress_type }}
name: ingress-nginx-admission{{ ingress_type }}
webhooks:
- name: validate.nginx{{ ingress_type }}.ingress.kubernetes.io
matchPolicy: Equivalent
objectSelector:
matchLabels:
ingress-nginx : nginx{{ ingress_type }}
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
failurePolicy: Fail
sideEffects: None
admissionReviewVersions:
- v1
clientConfig:
service:
namespace: ingress-nginx
name: ingress-nginx-controller-admission{{ ingress_type }}
path: /networking/v1/ingresses
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
app.kubernetes.io/instance: ingress-nginx{{ ingress_type }}
app.kubernetes.io/version: 1.0.0
app.kubernetes.io/component: controller{{ ingress_type }}
name: ingress-nginx-controller-admission{{ ingress_type }}
spec:
type: ClusterIP
ports:
- name: https-webhook
port: 443
targetPort: webhook
appProtocol: https
selector:
app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
I think in this case it's really important to do the same on all the resources.我认为在这种情况下,对所有资源执行相同操作非常重要。
did this solution work for having Webhook validating base on the ingressClass that is specified in the ingrass.yaml object?此解决方案是否适用于基于 ingrass.yaml object 中指定的 ingressClass 进行 Webhook 验证? I guess not.
我猜不是。 In my case, lets say I have: NamespaceA, IngressControllerA with ingressClassA and ValidatingWebHookA and in a different namespace NamespaceB, IngressControllerB with ingressClassB and ValidatingWebHookB
在我的例子中,假设我有:NamespaceA、IngressControllerA 与 ingressClassA 和 ValidatingWebHookA 以及在不同的命名空间 NamespaceB、IngressControllerB 与 ingressClassB 和 ValidatingWebHookB
Now, if I create ingress with ingressClassA.现在,如果我使用 ingressClassA 创建入口。 ValidatingWebHookB seems to validating it and admitting it to IngressControllerA.
ValidatingWebHookB 似乎在验证它并将其承认给 IngressControllerA。 Which is fine but if I remove ingressControllerB, then It wont work anymore.
这很好,但如果我删除 ingressControllerB,那么它将不再工作。 Complaining serviceB for the validatingWebhookB is not available.
抱怨 validatingWebhookB 的 serviceB 不可用。 I was hoping they would be complelety separate from each other.
我希望它们彼此完全分开。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.