Multiple ingress-nginx in Kubernetes: validating webhook not working
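As the title says, I currently have 2 ingress-nginx v1.0.0 configured on GKE v1.20.10.
When I deploy one alone, the configuration works and I have no problems, but when I deploy the second validatingwebhook and then try to deploy an ingress, the second validatingwebhook tries to evaluate the newly created ingress.
This results in this error: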
**Error from server (InternalError): error when creating "ingress-example.yaml": Internal error occurred: failed calling webhook "validate.nginx-public.ingress.kubernetes.io": Post "https://ingress-nginx-controller-admission-public.ingress-nginx.svc:443/networking/v1/ingresses?timeout=10s": x509: certificate is valid for ingress-nginx-controller-admission-private, ingress-nginx-controller-admission-private.ingress-nginx.svc, not ingress-nginx-controller-admission-public.ingress-nginx.svc**
I checked, and everything seems to be correctly separated. This is how my validatingwebhook is deployed; {{ ingress_type }} is a placeholder for either -public or -private:
```yaml
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission{{ ingress_type }}
webhooks:
  - name: validate.nginx{{ ingress_type }}.ingress.kubernetes.io
    matchPolicy: Equivalent
    objectSelector:
      matchLabels:
        ingress-nginx: nginx{{ ingress_type }}
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission{{ ingress_type }}
        path: /networking/v1/ingresses
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission{{ ingress_type }}
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
```
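I can't seem to find a solution. There is an old GitHub issue with no answer; maybe I'm doing something wrong, but I can't see it.
As asked in the comments, here is the ingress-example I'm trying to deploy. It works fine when there is only one ingress rather than two: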
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: nginx-private
    # external-dns.alpha.kubernetes.io/target: "IP"
  labels:
    ingress-nginx: nginx-public
spec:
  rules:
    - host: hello.MYDOMAINHERE
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
```
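So, for those who may run into this error.
I tried different things before finding the mistake. You have to rename all the labels, except for the ingress-nginx version. I didn't think it would break over so little, but it does. In the end I used something like this: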
```yaml
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: admission-webhook{{ ingress_type }}
  name: ingress-nginx-admission{{ ingress_type }}
webhooks:
  - name: validate.nginx{{ ingress_type }}.ingress.kubernetes.io
    matchPolicy: Equivalent
    objectSelector:
      matchLabels:
        ingress-nginx: nginx{{ ingress_type }}
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission{{ ingress_type }}
        path: /networking/v1/ingresses
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: controller{{ ingress_type }}
  name: ingress-nginx-controller-admission{{ ingress_type }}
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
```
I think that in this case it is really important to do the same for all the resources.
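
A lint for the rule the answer arrives at, added here as an example (not code from the post): it renders the label templates for both `{{ ingress_type }}` values, reports label keys that stay identical across the two instances apart from the version, and lists which webhook's `objectSelector` matches the example Ingress. The function names are hypothetical; the label values are copied from the manifests above.

```python
# Added example, not from the original post. Label values are copied from the
# manifests on this page; the function names are hypothetical.
TYPES = ("-public", "-private")
EXEMPT = {"app.kubernetes.io/version"}  # the answer exempts only the version label

# Service labels as posted in the question and in the answer.
QUESTION_LABELS = {
    "app.kubernetes.io/name": "ingress-nginx{{ ingress_type }}",
    "app.kubernetes.io/instance": "ingress-nginx",
    "app.kubernetes.io/version": "1.0.0",
    "app.kubernetes.io/component": "controller",
}
ANSWER_LABELS = {
    "app.kubernetes.io/name": "ingress-nginx{{ ingress_type }}",
    "app.kubernetes.io/instance": "ingress-nginx{{ ingress_type }}",
    "app.kubernetes.io/version": "1.0.0",
    "app.kubernetes.io/component": "controller{{ ingress_type }}",
}
INGRESS_LABELS = {"ingress-nginx": "nginx-public"}  # from ingress-example


def render(labels, ingress_type):
    """Substitute the {{ ingress_type }} placeholder in every label value."""
    return {k: v.replace("{{ ingress_type }}", ingress_type) for k, v in labels.items()}


def shared_labels(template, types=TYPES):
    """Label keys whose rendered value is the same for every instance."""
    rendered = [render(template, t) for t in types]
    return sorted(k for k in template
                  if k not in EXEMPT and len({r[k] for r in rendered}) == 1)


def webhooks_selecting(ingress_labels, types=TYPES):
    """Webhook names whose objectSelector.matchLabels match the Ingress labels."""
    selector = {"ingress-nginx": "nginx{{ ingress_type }}"}
    hits = []
    for t in types:
        wanted = render(selector, t)
        if all(ingress_labels.get(k) == v for k, v in wanted.items()):
            hits.append("validate.nginx%s.ingress.kubernetes.io" % t)
    return hits


if __name__ == "__main__":
    print("question, shared labels:", shared_labels(QUESTION_LABELS))
    print("answer, shared labels:  ", shared_labels(ANSWER_LABELS))
    print("webhooks called for example-ingress:", webhooks_selecting(INGRESS_LABELS))
```
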