Helm update fails if 6443/tcp is missing from webhook egress networkpolicy #5787
Here is a recap of the investigation discussion we had in the PR:

By default, network policies are "allow all", including with OVN-Kubernetes (source). This is why the cert-manager controller pod is able to talk to the Kubernetes API server without a problem: no network policy is attached to it, so everything is allowed. When a network policy is attached, as is the case for the webhook pod, only the egress traffic explicitly listed in its rules is permitted.

When the webhook pod tries to talk to the API server, the packet's destination IP and port are re-written: the connection to the `kubernetes` service IP on port 443 is DNAT-ed to the actual kube-apiserver endpoint, which on the affected clusters listens on port 6443. The egress rules are evaluated against the rewritten destination, which is why 6443/tcp must be allowed.

If you would like to know whether you are also affected by this issue, check whether your Kubernetes API server is served on port 6443 by running the following command:

```console
$ k get endpoints -n default kubernetes
NAME         ENDPOINTS         AGE
kubernetes   100.64.0.1:6443   26d
```

The reason other people haven't hit this issue until today is that most Kubernetes clusters serve the API on port 443 instead:

```console
$ k get endpoints -n default kubernetes
NAME         ENDPOINTS            AGE
kubernetes   104.199.89.236:443   3y140d
```

And here is a diagram showing the webhook trying to open a TCP connection to kube-apiserver:
[diagram]
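For reference, an egress rule that unblocks the webhook on such a cluster needs to allow both ports. Below is a minimal sketch of such a NetworkPolicy; the policy name and the pod label selector are illustrative guesses, not the chart's actual template output.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cert-manager-webhook-allow-egress   # hypothetical name
  namespace: cert-manager
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: webhook       # assumed webhook pod label
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
      ports:
        - port: 443
          protocol: TCP
        - port: 6443   # the DNAT-ed kube-apiserver port on clusters like the one above
          protocol: TCP
```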
Describe the bug:
When updating cert-manager from v1.8.0 to v1.11.0 on OKD 4.12, a NetworkPolicy with egress rules for the new webhook pod is created.
When the new webhook deployment is then applied, the resulting pod cannot connect to
https://172.30.0.1:443/api
so helm install fails. I understand this might be a bug very specific to our environment, but it's an easy fix.
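As a workaround until the chart ships the extra port, the egress rules can be overridden from the Helm values. This is a sketch assuming the chart exposes `webhook.networkPolicy.egress` the way recent cert-manager charts do; verify the exact keys against the values of your chart version.

```yaml
webhook:
  networkPolicy:
    enabled: true
    egress:
      - to:
          - ipBlock:
              cidr: 0.0.0.0/0
        ports:
          - port: 443
            protocol: TCP
          - port: 6443   # allow the DNAT-ed kube-apiserver port
            protocol: TCP
```

Applied with, e.g., `helm upgrade cert-manager jetstack/cert-manager -n cert-manager -f values.yaml`.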
Log output before fix:
And after:
Expected behaviour:
The webhook pod should start without a timeout error.
Steps to reproduce the bug:
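A rough sketch of the upgrade path described above; the flags and chart values here are assumptions based on the description, not a verified reproduction recipe:

```console
# On an OKD 4.12 cluster whose kube-apiserver endpoint listens on 6443
helm install cert-manager jetstack/cert-manager --version v1.8.0 \
  -n cert-manager --create-namespace --set installCRDs=true

# The upgrade creates the webhook NetworkPolicy, whose egress rules
# lack 6443/tcp, so the new webhook pod times out against the API server
# (webhook.networkPolicy.enabled is an assumed values key)
helm upgrade cert-manager jetstack/cert-manager --version v1.11.0 \
  -n cert-manager --set installCRDs=true \
  --set webhook.networkPolicy.enabled=true
```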
Anything else we need to know?:
Environment details:
/kind bug