Bug
Resolution: Done
Critical
When a ksvc is created under ServiceMesh, it gets the following error.
$ kn service create hello-example --image=gcr.io/knative-samples/helloworld-go
Error: Internal error occurred: failed calling webhook "webhook.serving.knative.dev": Post "https://webhook.knative-serving.svc:443/defaulting?timeout=10s": context deadline exceeded
Run 'kn --help' for usage
We need to add a NetworkPolicy for the webhook.
NOTE: This issue does not happen when we include the "default" namespace in the SMMR.
The kube-apiserver uses hostNetwork (*1).
$ oc get pod -n openshift-kube-apiserver kube-apiserver-ip-10-0-189-152.ap-southeast-1.compute.internal -o jsonpath="{.spec.hostNetwork}"
true
According to the doc, traffic from a host-network pod gets the netid:0 VNID, and the default namespace is assigned netid:0. So when the default namespace is in the SMMR, ServiceMesh adds the maistra.io/member-of=istio-system label to the namespace, which means the traffic from the apiserver is allowed.
The OpenShift docs[1] explain this for the Ingress Controller, but the apiserver also uses hostNetwork, so the same thing happens.
"When running on the host network, the traffic from the Ingress Controller is assigned the netid:0 Virtual Network ID (VNID)."
"[...] Ingress Controller. With OpenShift SDN, the default namespace is assigned the netid:0 VNID and you can allow traffic from the default Ingress Controller by labeling your default namespace with network.openshift.io/policy-group: ingress."
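The same mechanism the docs describe for the Ingress Controller can be applied to the Knative webhook. The manifest below is an added example written for this issue; it is not code from the issue, from Knative, or from OpenShift Serverless. It assumes the webhook pods in knative-serving carry the label app=webhook and listen on TCP 8443 behind the Service's port 443; check both against the installed release before applying.

```yaml
# Added example (not from the issue or from Knative / OpenShift Serverless).
# Goal: let the kube-apiserver, which runs on the host network and is
# therefore attributed the netid:0 VNID of the "default" namespace, reach
# the Knative webhook once NetworkPolicy is in effect in knative-serving.
#
# Step 1 (OpenShift SDN): label the default namespace as the docs describe
# for the Ingress Controller, so it can be matched by a namespaceSelector:
#   oc label namespace default network.openshift.io/policy-group=ingress
#
# Step 2: admit that traffic to the webhook pods on the webhook port.
# Assumptions: pod label app=webhook, container port 8443 (Service 443 -> 8443).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-apiserver-to-webhook
  namespace: knative-serving
spec:
  # Only the webhook pods are affected; other knative-serving pods keep
  # whatever policies already apply to them.
  podSelector:
    matchLabels:
      app: webhook
  policyTypes:
  - Ingress
  ingress:
  - from:
    # A podSelector would not work here: the apiserver pod lives in
    # openshift-kube-apiserver, but its host-network traffic is seen as
    # coming from the default namespace's VNID, so match that namespace.
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
    ports:
    - protocol: TCP
      port: 8443
```

After `oc apply -f` of the manifest, rerun the `kn service create` command from the report; the admission webhook call should no longer time out. This is also why including "default" in the SMMR hides the problem: the maistra.io/member-of=istio-system label that ServiceMesh puts on member namespaces is matched by the mesh's own NetworkPolicy, so the netid:0 traffic is admitted by a different selector. Restricting the rule to the one port keeps the policy narrower than allowing all ingress to the webhook.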