What steps did you take and what happened:
The purpose of the Gatekeeper post-install webhook is to probe the Gatekeeper Webhook API for availability. The post-install webhook is designed to retry probe requests until a time defined in postInstall.probeWebhook.waitTimeout. However, the probe webhook exits early when the connection is refused because the Gatekeeper Webhook Pods are not listening on the service port yet.
During the installation of Gatekeeper, if the postInstall.labelNamespace flag is set to false and postInstall.probeWebhook is set to true, the installation of Gatekeeper may fail because the gatekeeper-probe-webhook-post-install Job will exit immediately rather than probing until the specified timeout. Once the Job fails 6 times, the Helm installation will fail because the Job has reached the default backoff limit.
What did you expect to happen:
The post-install webhook should continue to probe the Gatekeeper Webhook API even if the connection is refused because Gatekeeper Webhook Pods are not listening on the service port yet. In order to do this, the --retry-connrefused flag should be added to the probe webhook command.
Anything else you would like to add:
We should also consider setting the backoffLimit of the post-install webhook to 0. In its current state, the webhook will retry probe requests until a time defined in postInstall.probeWebhook.waitTimeout, but this will happen 6 times before a Helm Installation actually fails.
Images
Probe Webhook Retrying 6 times
Log Output of Probe Webhook
Helm Installation Failure
PostInstall Helm Configurations
Environment:
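An added example, not part of the original issue or the Gatekeeper chart: a Python model of the probe loop against a port that refuses connections for its first half second, comparing a probe that stops on the first refusal with one that keeps retrying until the wait timeout. The names `late_listener`, `probe` and `demo` are hypothetical, and plain TCP connects stand in for the chart's probe request.

```python
import socket
import threading
import time


def late_listener(delay):
    """Bind a loopback port now, start listening only after `delay` seconds.

    Until listen() runs, connections are refused, like a Service whose
    webhook Pods are not yet listening.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    threading.Timer(delay, sock.listen).start()
    return sock, sock.getsockname()[1]


def probe(host, port, wait_timeout, retry_connrefused, delay=0.1):
    """Probe until success or `wait_timeout` seconds; return (ok, attempts)."""
    deadline = time.monotonic() + wait_timeout
    attempts = 0
    while True:
        attempts += 1
        try:
            with socket.create_connection((host, port), timeout=1):
                return True, attempts
        except ConnectionRefusedError:
            if not retry_connrefused:
                # Behaviour reported in the issue: refusal ends the probe early.
                return False, attempts
        except OSError:
            pass  # timeouts and similar transient errors are always retried
        if time.monotonic() + delay > deadline:
            return False, attempts
        time.sleep(delay)


def demo():
    """Run both probe variants against the same late-starting listener."""
    sock, port = late_listener(0.5)
    try:
        without_flag = probe("127.0.0.1", port, 3, retry_connrefused=False)
        with_flag = probe("127.0.0.1", port, 3, retry_connrefused=True)
    finally:
        sock.close()
    return without_flag, with_flag


if __name__ == "__main__":
    print(demo())
```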