Webhook ServiceReference keeps calling 443 port when there is only one non-443 port in ServiceSpec #61510
Comments
@freehan, thanks for the detailed bug report!
I actually think that the API specification (or documentation) must change. Not all API servers will have access to look up the Service object and see what ports it defines. If we want to support ports other than 443, the port information must be specified in the webhook object, not discovered by direct Service object lookup
/assign @jennybuckley
@liggitt (also just sets 443 in the custom dial wrapper thing https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/serviceresolver.go#L44)
As a first step, I would adjust the documentation. As noted in #61510 (comment), if we want to support ports other than 443, that information needs to be added to the webhook config object
Automatic merge from submit-queue (batch tested with PRs 61306, 60270, 62496, 62181, 62234). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Update WebhookClientConfig documentation regarding service ports

**What this PR does / why we need it**:
Dynamic admission webhooks backed by services [will always use 443](https://github.com/kubernetes/kubernetes/blob/master/staging/src/k8s.io/apiserver/pkg/admission/plugin/webhook/config/client.go#L133) no matter what ports are available. Our [current documentation](https://github.com/kubernetes/api/blob/master/admissionregistration/v1beta1/types.go#L257-L259) says that "If there is only one port open for the service, that port will be used." This PR fixes that piece of documentation. In the future we may wish to support specifying ports other than 443, but the documentation should be fixed first.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #61510

**Release note**:
```release-note
NONE
```

/sig api-machinery
What happened:
Deployed a webhook backend and service as follows:
Please note that there is only 8443 port on the service.
Register the webhook as follows:
Got the following error when creating pods:
What you expected to happen:
Based on https://github.com/kubernetes/api/blob/master/admissionregistration/v1beta1/types.go#L257,
https://webhook-service.kube-system.svc:8443/mutating-pods
should be called. Not the 443 port shown in the error message.
How to reproduce it (as minimally and precisely as possible):
Just deploy the same setup and register webhook.
Anything else we need to know?:
Environment:
kubectl version: HEAD
Client Version: version.Info{Major:"1", Minor:"10+", GitVersion:"v1.10.0-alpha.1.97+2bbae9ab581bf6-dirty", GitCommit:"2bbae9ab581bf6fc0fb491136c42673c745c190d", GitTreeState:"dirty", BuildDate:"2018-01-22T20:00:24Z", GoVersion:"go1.9.1", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.0-alpha.0.470+890bd2174cf566", GitCommit:"890bd2174cf566e663c9cc0768799f7a94dbf6f0", GitTreeState:"clean", BuildDate:"2018-03-12T19:36:42Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
uname -a: COS
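
The mismatch reported in this issue can be caught before a webhook is registered. The following Go check is an added example, not code from Kubernetes or from this thread; `ServiceRef`, `ServicePort`, `DialedURL` and `CheckWebhookService` are hypothetical names, and the fixed port 443 is taken from the behaviour described in the comments above.

```go
package main

import (
	"fmt"
	"strings"
)

// ServiceRef and ServicePort are hypothetical, trimmed-down stand-ins for the
// webhook clientConfig.service reference and a Service's spec.ports entries.
type ServiceRef struct {
	Namespace, Name, Path string
}

type ServicePort struct {
	Name string
	Port int
}

// webhookPort is the port the API server dials for service-backed webhooks, per this issue.
const webhookPort = 443

// DialedURL returns the URL the API server calls; the Service's ports are never consulted.
func DialedURL(ref ServiceRef) string {
	path := "/" + strings.TrimPrefix(ref.Path, "/")
	return fmt.Sprintf("https://%s.%s.svc:%d%s", ref.Name, ref.Namespace, webhookPort, path)
}

// CheckWebhookService reports an error when the Service does not expose 443,
// which is the misconfiguration reported above (a Service with only 8443).
func CheckWebhookService(ref ServiceRef, ports []ServicePort) error {
	for _, p := range ports {
		if p.Port == webhookPort {
			return nil
		}
	}
	declared := make([]string, 0, len(ports))
	for _, p := range ports {
		declared = append(declared, fmt.Sprint(p.Port))
	}
	return fmt.Errorf("service %s/%s exposes [%s] but webhook calls go to %s",
		ref.Namespace, ref.Name, strings.Join(declared, ","), DialedURL(ref))
}

func main() {
	// Constructed input mirroring the report: a Service with a single 8443 port.
	ref := ServiceRef{Namespace: "kube-system", Name: "webhook-service", Path: "mutating-pods"}
	fmt.Println(CheckWebhookService(ref, []ServicePort{{Name: "https", Port: 8443}}))
	fmt.Println(CheckWebhookService(ref, []ServicePort{{Name: "https", Port: 443}}))
}
```

A Service that exposes port 443 with a `targetPort` of 8443 passes this check without any change to the backend container.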