
Problem with validatingWebhook on Hosted Control Plane


    • Bug
    • Resolution: Done-Errata
    • Major
    • 4.15.z
    • 4.15.z, 4.17.z, 4.16.z, 4.18.z
    • HyperShift
    • In Progress
    • Bug Fix
      * Previously, when you created a validating webhook for a user or group on a resource managed by the OpenShift OAuth API server, the webhook was not triggered because the OAuth APIs were not reachable through the konnectivity tunnel. With this release, adding a `konnectivity-proxy` sidecar to the OAuth API server resolves the issue and enables proper communication between the server and the data plane. (link:https://issues.redhat.com/browse/OCPBUGS-55266[OCPBUGS-55266]).

      This is a clone of issue OCPBUGS-54914. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-54841. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-54411. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-52190. The following is the description of the original issue:

      Description of problem:

      
      
      Suspect a problem with validatingWebhook on an OpenShift cluster with a hosted control plane (HyperShift).
      
      Based on the error, it looks like the konnectivity service (https://hypershift-docs.netlify.app/reference/konnectivity/) is not proxying requests from the API pod to the service for the validatingWebhook (from control plane to data plane).
      
      
      To test the validatingWebhook, I'm using Kyverno.
      
      Steps to reproduce the problem:
      1. deploy kyverno
      - Kyverno is deployed with values kyverno-helm-values.yaml ( see attachments ).
      
      Kyverno is deployed without any problem.
      
      2. create user group (group-create.yaml)
      
      3. create kyverno clusterpolicy ( app-project-create.yaml )
      - this policy creates the project group-test in the OpenShift cluster when a group with the name GROUP-TEST exists
      
      4. create another test group ( group-create-test.yaml )
      oc apply -f group-create-test.yaml --loglevel 10
      
      - it is not possible to create another group due to an error where the API server cannot reach https://kyverno-svc.kyverno.svc:443/validate/fail?timeout=10s
         - note the DNS error.
      
      
      Version-Release number of selected component (if applicable):
      
      4.18.2
      
          

      How reproducible:

      Every time
      
          

      Steps to Reproduce:

          1. As mentioned above
          2.
          3.
          

      Actual results:

      unable to add additional test group
      
          

      Expected results:

      
      Should be able to add additional test group
      
          

      Additional info:

      
      Able to replicate the issue locally.
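
An added example, not part of the issue or of the HyperShift project's code: a Python check that lists Service-backed validating webhooks whose rules cover API groups served by the OAuth API server, the webhooks this bug affects on unfixed releases, together with the effect of their `failurePolicy`. The API group names, helper names and sample data are assumptions constructed for illustration; only the `kyverno-svc`, `kyverno` and `/validate/fail` values come from the URL in the report.

```python
# Assumption (not stated on the page): API groups served by the OAuth API server.
OAUTH_APISERVER_GROUPS = {"user.openshift.io", "oauth.openshift.io"}

def _wh(name, groups, client, policy=None):
    """Build one constructed webhook entry for the sample below."""
    wh = {"name": name, "clientConfig": client,
          "rules": [{"apiGroups": groups, "resources": ["*"]}]}
    if policy:
        wh["failurePolicy"] = policy
    return wh

# Service values taken from the URL quoted in the report.
SVC = {"service": {"namespace": "kyverno", "name": "kyverno-svc", "path": "/validate/fail"}}
# Constructed sample, shaped like `oc get validatingwebhookconfigurations -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "policy-fail"},
     "webhooks": [_wh("all.example", ["*"], SVC, "Fail")]},
    {"metadata": {"name": "policy-ignore"},
     "webhooks": [_wh("groups.example", ["user.openshift.io"], SVC, "Ignore")]},
    {"metadata": {"name": "apps-only"},
     "webhooks": [_wh("apps.example", ["apps"], SVC)]},
    {"metadata": {"name": "external"},
     "webhooks": [_wh("ext.example", ["oauth.openshift.io"], {"url": "https://hook.example.invalid/v"})]},
]}

def affected_webhooks(webhook_list):
    """Return (config, webhook, failurePolicy, groups) for Service-backed
    webhooks whose rules match an OAuth API server group."""
    findings = []
    for cfg in webhook_list.get("items", []):
        for wh in cfg.get("webhooks", []):
            if "service" not in wh.get("clientConfig", {}):
                continue  # URL-based webhooks are out of scope for this check
            groups = set()
            for rule in wh.get("rules", []):
                for g in rule.get("apiGroups", []):
                    if g == "*":
                        groups |= OAUTH_APISERVER_GROUPS
                    elif g in OAUTH_APISERVER_GROUPS:
                        groups.add(g)
            if groups:
                policy = wh.get("failurePolicy", "Fail")  # v1 default is Fail
                findings.append((cfg["metadata"]["name"], wh["name"], policy, sorted(groups)))
    return findings

if __name__ == "__main__":
    for cfg, name, policy, groups in affected_webhooks(SAMPLE):
        effect = "requests rejected" if policy == "Fail" else "policy skipped"
        print(f"{cfg}/{name}: {', '.join(groups)} -> {effect} if the webhook is unreachable")
```

On a live cluster, pass it the parsed output of `oc get validatingwebhookconfigurations -o json` instead of `SAMPLE`.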
          

              wk2019 Ke Wang
              openshift-crt-jira-prow OpenShift Prow Bot
              Ke Wang Ke Wang