Problem with validating admission webhook

[Adiqq]

Hi, does admission webhook, requires some additional configuration?
I'm using Voyager 6.0.0-rc.0 and k8s 1.9.3 and after adding --enable-admission-webhook to voyager.sh install script, I receive error:

cat ingress-https-test.yaml

apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
  name: test-https-ingress
  namespace: default
  annotations:
    ingress.appscode.com/type: NodePort
    ingress.appscode.com/hsts: "false"
spec:
  tls:
  - secretName: tls-secret
    hosts:
    - "*.a"
  rules:
  - host: "*.a"
    http:
      port: '32100'
      nodePort: '32100'
      paths:
      - backend:
          serviceName: httpbin
          servicePort: '8000'
  - host: "*.a"
    http:
      port: '32101'
      nodePort: '32101'
      paths:
      - backend:
          serviceName: httpbin2
          servicePort: '8000'

❯ kubectl apply -f ingress-https-test.yaml
Error from server (InternalError): error when creating "ingress-https-test.yaml": Internal error occurred: failed calling admission webhook "admission.voyager.appscode.com": Unauthorized```

[tamalsaha]

Do you have RBAC enabled in your cluster? If yes, did you also pass --rbac flag ?

[Adiqq]

Yes, I just tested it to be sure,
voyager.sh --provider=baremetal --rbac works fine. Problem exists with voyager.sh --provider=baremetal --rbac --enable-admission-webhook

[tamalsaha]

ok. I will take a look and update this issue.

[tamalsaha]

@Adiqq, sorry for slow response. Here are few things to you can do to debug the issue:

• First uninstall using the --uninstall flag.
• Then reinstall with the --rbac flag.
• Check that your cluster has aggregate api server enabled. Test that the configmap extension-apiserver-authentication-reader in kube-system namespace has key requestheader-client-ca-file.

kubectl describe configmap -n kube-system extension-apiserver-authentication

• After installation check,

kubectl get apiservice v1beta1.admission.voyager.appscode.com -o yaml

The status section looks like:

status:
  conditions:
  - lastTransitionTime: 2018-02-27T07:59:50Z
    message: all checks passed
    reason: Passed
    status: "True"
    type: Available

[Adiqq]

Hi, for now I modified script to not force validating webhook on k8s >= 1.9 and it works fine, maybe there should be flag --disable-admission-webhook, so it can be easily disabled in case of problems. I'll try to debug it later.

[tamalsaha]

You can set --enable-admission-webhook=false to disable it.

[Adiqq]

Are you sure?
I just glanced at script and found two lines,
if k8s >= 1.9, export VOYAGER_ENABLE_ADMISSION_WEBHOOK=true
https://github.com/appscode/voyager/blob/6.0.0-rc.0/hack/deploy/voyager.sh#L53
if --enable-admission-webhook , export VOYAGER_ENABLE_ADMISSION_WEBHOOK=true
https://github.com/appscode/voyager/blob/6.0.0-rc.0/hack/deploy/voyager.sh#L120

I might be wrong, but won't --enable-admission-webhook=false work equally to --enable-admission-webhook ?

[tamalsaha]

You are right . I misspoke. Need to fix that.

[tamalsaha]

Fixed here #900

[Adiqq]

@tamalsaha
Ok, I finally fixed it.
https://kubernetes.io/docs/admin/kubelet-authentication-authorization/
I set --anonymous-auth=false and that lead to 401 for anonymous user, setting --anonymous-auth=true fixed it.

[tamalsaha]

Great! Thank you!