Admission control webhook with self-signed CA in "caBundle" is not trusted #61171
I have compiled and deployed the test admission webhook here: https://github.com/kubernetes/kubernetes/tree/master/test/images/webhook
I've added a ValidatingWebhookConfiguration to my cluster intercepting namespace creation, just for initial testing:
When trying to create a namespace, admission-control fails with PKI-error (seen below), although the server cert is indeed signed with the certificate given in "caBundle":
Admission webhook log:
What you expected to happen:
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Checking the cert chain with OpenSSL s_client works fine:
.. by the way.. Shouldn't I be able to add multiple certificates to the caBundle? If yes, how?
Self-hosted. Kubernetes built from source on Nix 17.09.
Can you include the
Yes, the bundle can contain multiple PEM certificate blocks.
Never mind, I missed that you included the CA bundle in the description. It needs to be in PEM format:
@liggitt Thanks, and perhaps pardon my stupidity. It is PEM, but without header and footer in my example, because... Adding:
.. gives decode base64: illegal base64 data at input byte 0
.. so it doesn't sound like the parser likes anything other than base64?
Can you please provide an example of how you'd encode it in yaml or json?
to convert from DER to PEM, do
that PEM blob goes in the caBundle, which is a
Works perfectly! Missed the "double-encoding" part, and I think the docs confused me a bit (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.9/#webhookclientconfig-v1beta1-admissionregistration), where it says type = string.
It is in fact:
:) thanks a lot again!
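The "double encoding" worked out above (PEM text, then base64 of that text) is easy to get wrong, and the only feedback is a PKI error at admission time. The following is an added example, not code from Kubernetes or from anyone in this thread: it generates a throwaway self-signed CA, builds a caBundle value from one or more PEM blocks, and parses it back the way the API server must, so that a headerless blob or raw (non-base64) PEM is rejected before the webhook configuration is applied. The function names and the throwaway CA are assumptions for demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCA generates a throwaway self-signed CA and returns it as PEM (constructed test data only).
func newSelfSignedCA() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// EncodeCABundle concatenates PEM blocks and base64-encodes the whole text: the
// double encoding the caBundle field expects (PEM, then base64 of that PEM).
func EncodeCABundle(pems ...[]byte) string {
	return base64.StdEncoding.EncodeToString(bytes.Join(pems, nil))
}

// ParseCABundle mirrors what the API server has to do: base64-decode, then walk every
// PEM block. A base64 body without BEGIN/END headers decodes to zero blocks.
func ParseCABundle(b64 string) ([]*x509.Certificate, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("caBundle is not valid base64: %w", err)
	}
	var certs []*x509.Certificate
	for block, rest := pem.Decode(raw); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes) // non-certificate blocks fail here, loudly
		if err != nil {
			return nil, fmt.Errorf("bad block in caBundle: %w", err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("no PEM CERTIFICATE blocks in caBundle (missing BEGIN/END headers?)")
	}
	return certs, nil
}
```

Feeding the output of EncodeCABundle into the caBundle field, and running ParseCABundle over the value you are about to apply, catches both failure modes from this thread before the webhook is ever invoked.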
There is a script at https://github.com/morvencao/kube-mutating-webhook-tutorial/blob/master/deployment/webhook-create-signed-cert.sh that is useful, for anyone else facing the same problem.