[Release-1.25] - Don't set enable-aggregator-routing=true when egress-selector-mode=disabled #7997

Closed
brandond opened this issue Jul 17, 2023 · 1 comment

@brandond

Backport fix for Don't set enable-aggregator-routing=true when egress-selector-mode=disabled

@endawkins

Validated on branch 1.25 with commit 8e945c5 / version 1.25

Environment Details

Infrastructure

  • Cloud
  • Hosted

Node(s) CPU architecture, OS, and Version:

Linux ip-172-31-25-238 5.19.0-1025-aws #26~22.04.1-Ubuntu SMP Mon Apr 24 01:58:15 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
PRETTY_NAME="Ubuntu 22.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.2 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Cluster Configuration:

1 server

Config.yaml:

cluster-init: true
write-kubeconfig-mode: 644
egress-selector-mode: disabled

Additional files

example_service:

apiVersion: v1
kind: Service
metadata:
  name: example-service
  namespace: kube-system
spec:
  type: ExternalName
  externalName: httpbin.org
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: example-mutating-webhook
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    service:
      namespace: kube-system
      name: example-service
      path: /status/502
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: example-mutating-webhook.k3s.io
  namespaceSelector: {}
  objectSelector: {}
  reinvocationPolicy: Never
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    operations:
    - CREATE
    resources:
    - secrets
    scope: Namespaced
  sideEffects: NoneOnDryRun
  timeoutSeconds: 5

Testing Steps

  1. Copy config.yaml
$ sudo mkdir -p /etc/rancher/k3s && sudo cp config.yaml /etc/rancher/k3s
  2. Install k3s
  3. Deploy the example_service
kubectl apply -f example_service.yaml
  4. Run the following command:
kubectl create secret generic -n kube-system test

Replication Results:

  • k3s version used for replication:
k3s -v
k3s version v1.25.12+k3s1 (7515237f)
go version go1.20.6
kubectl create secret generic -n kube-system test
error: failed to create secret Internal error occurred: failed calling webhook "example-mutating-webhook.k3s.io": failed to call webhook: Post "https://example-service.kube-system.svc:443/status/502?timeout=5s": unsupported service type "ExternalName"

Validation Results:

  • k3s version used for validation:
k3s -v
k3s version v1.25.12+k3s-8e945c53 (8e945c53)
go version go1.20.6
kubectl create secret generic -n kube-system test
error: failed to create secret Internal error occurred: failed calling webhook "example-mutating-webhook.k3s.io": failed to call webhook: Post "https://example-service.kube-system.svc:443/status/502?timeout=5s": tls: failed to verify certificate: x509: certificate is valid for httpbin.org, *.httpbin.org, not example-service.kube-system.svc

Additional context / logs:

N/A
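
Added example, not part of the original comment or of the k3s project: a Python check that lists admission webhooks whose backing Service is of type ExternalName, the arrangement this test depends on and the one the replication run rejected with `unsupported service type "ExternalName"`. The input shape (a `kubectl ... -o json` list) and the contrast entries in the sample are assumptions.

```python
import json

# Constructed sample shaped like `kubectl get services,mutatingwebhookconfigurations -A -o json`,
# trimmed to the fields read below. The first Service and webhook carry the values from the
# manifest above; "other-service" and "other-webhook.example" are made-up contrast entries.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "Service", "metadata": {"name": "example-service", "namespace": "kube-system"},
   "spec": {"type": "ExternalName", "externalName": "httpbin.org"}},
  {"kind": "Service", "metadata": {"name": "other-service", "namespace": "default"},
   "spec": {"type": "ClusterIP"}},
  {"kind": "MutatingWebhookConfiguration", "metadata": {"name": "example-mutating-webhook"},
   "webhooks": [
     {"name": "example-mutating-webhook.k3s.io", "failurePolicy": "Fail",
      "clientConfig": {"service": {"namespace": "kube-system", "name": "example-service",
                                   "path": "/status/502"}}},
     {"name": "other-webhook.example", "failurePolicy": "Ignore",
      "clientConfig": {"service": {"namespace": "default", "name": "other-service"}}}]}
]}
""")

WEBHOOK_KINDS = ("MutatingWebhookConfiguration", "ValidatingWebhookConfiguration")

def externalname_webhooks(items):
    """Return (config, webhook, namespace/service, failurePolicy) for each webhook
    whose clientConfig.service refers to a Service of type ExternalName."""
    svc_type = {}
    for obj in items:
        if obj.get("kind") == "Service":
            meta = obj["metadata"]
            key = (meta.get("namespace", "default"), meta["name"])
            svc_type[key] = obj.get("spec", {}).get("type", "ClusterIP")
    findings = []
    for obj in items:
        if obj.get("kind") not in WEBHOOK_KINDS:
            continue
        for wh in obj.get("webhooks", []):
            ref = wh.get("clientConfig", {}).get("service")
            if not ref:  # URL-based webhook: no Service lookup involved
                continue
            key = (ref["namespace"], ref["name"])
            if svc_type.get(key) == "ExternalName":
                # admissionregistration.k8s.io/v1 defaults failurePolicy to Fail
                findings.append((obj["metadata"]["name"], wh["name"],
                                 "/".join(key), wh.get("failurePolicy", "Fail")))
    return findings

if __name__ == "__main__":
    for finding in externalname_webhooks(SAMPLE["items"]):
        print(*finding, sep="\t")
```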
