OpenShift Bugs / OCPBUGS-31508

openshift-oauth-apiserver requires konnectivity for admission webhooks

    • Type: Bug
    • Resolution: Done
    • Priority: Normal
    • Affects Version/s: 4.14, 4.15
    • Component/s: HyperShift
    • Quality / Stability / Reliability
    • Sprint: Hypershift Sprint 256, Hypershift Sprint 257, Hypershift Sprint 258, Hypershift Sprint 259

      Description of problem:

      When an admission webhook is registered for the API group 'oauth.openshift.io', the openshift-oauth-apiserver (control plane) may need to call a webhook that is served on the cluster (data plane).
      
      Currently this fails because the webhook's Service address is resolvable and reachable only inside the data plane, so the call has to be routed through konnectivity.
      
      To make this work, a socks5-proxy should be added to the openshift-oauth-apiserver deployment, as is already done for openshift-apiserver.

      Version-Release number of selected component (if applicable):

      4.14, 4.15

      How reproducible:

      Reproducible whenever an admission webhook is registered for the API group 'oauth.openshift.io' (see Steps to Reproduce).
      

      Steps to Reproduce:

      1. Create an admission webhook for the API group 'oauth.openshift.io' with a rule like:
      
        rules:
        - apiGroups:
          - 'oauth.openshift.io'
          apiVersions:
          - v1
          operations:
          - CREATE
          - UPDATE
          resources:
          - '*'
          scope: 'Cluster'
      
      2. Trigger a login attempt with oc login using a password (this creates oauth.openshift.io resources through the openshift-oauth-apiserver)
      3. Check the logs of the openshift-oauth-apiserver deployment on the control plane, e.g.:
      
      kubectl logs -n <namespace> -l app=openshift-oauth-apiserver | grep "failed calling webhook"

      Actual results:

      The log contains errors like the following. Note the "failing open": because the webhook cannot be reached from the control plane, the request is admitted without the webhook's validation.
      W0328 13:51:20.825816       1 dispatcher.go:205] Failed calling webhook, failing open mywebhook.test.io: failed calling webhook "mywebhook.test.io": failed to call webhook: Post "https://admission-webhook.default.svc:443/validate?timeout=5s": dial tcp: lookup admission-webhook.default.svc on 172.19.0.10:53: no such host
      E0328 13:51:20.826302       1 dispatcher.go:213] failed calling webhook "mywebhook.test.io": failed to call webhook: Post "https://admission-webhook.default.svc:443/validate?timeout=5s": dial tcp: lookup admission-webhook.default.svc on 172.19.0.10:53: no such host
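
      The two functions below are an added reproduction aid written for this page; they are not code from the bug report or from the HyperShift project. webhook_manifest emits a complete ValidatingWebhookConfiguration built from the rules in step 1 and the webhook URL in the log above (Service "admission-webhook" in namespace "default", path /validate, port 443); webhook_failures classifies the "Failed calling webhook" lines that step 3 greps for. The webhook server itself, its CA bundle and the <namespace> placeholder are assumptions, and the sample log is constructed from the lines quoted above.

```shell
#!/usr/bin/env bash
# Added example for OCPBUGS-31508. Not code from the bug report or from the
# HyperShift project; it reconstructs the reproduction steps as helper functions.
# Assumed (taken from the URL quoted in the bug's log): the webhook server is
# Service "admission-webhook" in namespace "default", serving /validate on 443.

# Step 1: the ValidatingWebhookConfiguration. failurePolicy: Ignore matches the
# "failing open" line in the bug's log: when the control plane cannot reach the
# webhook, the request is admitted without validation. With failurePolicy: Fail
# the same unreachable webhook rejects every CREATE/UPDATE on oauth.openshift.io
# instead, which breaks oc login. Add a caBundle for the webhook's CA before use.
webhook_manifest() {
  cat <<'EOF'
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: mywebhook.test.io
webhooks:
- name: mywebhook.test.io
  admissionReviewVersions: ["v1"]
  sideEffects: None
  failurePolicy: Ignore
  timeoutSeconds: 5
  clientConfig:
    service:
      namespace: default
      name: admission-webhook
      path: /validate
      port: 443
  rules:
  - apiGroups: ["oauth.openshift.io"]
    apiVersions: ["v1"]
    operations: ["CREATE", "UPDATE"]
    resources: ["*"]
    scope: Cluster
EOF
}

# Step 3: classify webhook dispatch failures in an openshift-oauth-apiserver log
# read from stdin. Prints one line per failed call: <mode> <webhook> <url> <cause>
# where mode is "open" or "closed" (failurePolicy Ignore vs Fail). Only the W
# "Failed calling webhook" lines are used; the E line that follows each one
# repeats the same error without the mode. Returns 1 if any failure was seen,
# 0 if the log is clean.
webhook_failures() {
  local found=0 line mode name url cause q='"'
  while IFS= read -r line; do
    case "$line" in
      *"Failed calling webhook, failing open "*)   mode=open ;;
      *"Failed calling webhook, failing closed "*) mode=closed ;;
      *) continue ;;
    esac
    found=1
    name=${line#*"failing $mode "}; name=${name%%:*}
    url=${line#*"Post $q"};         url=${url%%"$q"*}
    case "$line" in
      # "no such host": the data-plane Service name is not resolvable from the
      # control plane, which is exactly the symptom in this bug.
      *"no such host"*)                               cause=dns ;;
      *"connection refused"*)                         cause=refused ;;
      *"i/o timeout"*|*"context deadline exceeded"*)  cause=timeout ;;
      *)                                              cause=other ;;
    esac
    printf '%s %s %s %s\n' "$mode" "$name" "$url" "$cause"
  done
  return "$found"
}

# Constructed sample log: the two lines quoted in the bug plus one unrelated line.
SAMPLE_LOG='I0328 13:51:19.000000       1 healthz.go:1] unrelated line (constructed)
W0328 13:51:20.825816       1 dispatcher.go:205] Failed calling webhook, failing open mywebhook.test.io: failed calling webhook "mywebhook.test.io": failed to call webhook: Post "https://admission-webhook.default.svc:443/validate?timeout=5s": dial tcp: lookup admission-webhook.default.svc on 172.19.0.10:53: no such host
E0328 13:51:20.826302       1 dispatcher.go:213] failed calling webhook "mywebhook.test.io": failed to call webhook: Post "https://admission-webhook.default.svc:443/validate?timeout=5s": dial tcp: lookup admission-webhook.default.svc on 172.19.0.10:53: no such host'

# Against a cluster (<namespace> is the hosted control plane namespace):
#   webhook_manifest | kubectl apply -f -
#   kubectl logs -n <namespace> -l app=openshift-oauth-apiserver | webhook_failures
# Offline, on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | webhook_failures || echo "status $?: webhook failures present"
```

      On the sample above webhook_failures prints "open mywebhook.test.io https://admission-webhook.default.svc:443/validate?timeout=5s dns" and returns 1. The security point is the mode column: with failurePolicy Ignore, a webhook meant to enforce policy on oauth.openshift.io resources is silently skipped for every request the control plane cannot route to the data plane, so until the proxy is in place the webhook enforces nothing on a hosted cluster; with failurePolicy Fail the same condition makes logins fail instead.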

      Expected results:

      The webhook call succeeds: the request reaches the webhook Service in the data plane and is validated.

      Additional info:

      package-server may have a similar problem; this still needs to be validated.

              Assignee: Unassigned
              Reporter: Adam Mihelcsik