kubernetes 中的多个 ingress-nginx 未验证 webhook 无法正常工作

multiple ingress-nginx in kubernetes not validating webhook not working

如标题所述,我目前在 gke v1.20.10 上配置了 2 ingress-nginx v1.0.0。

当我单独部署一个时,配置工作正常,我没有问题,但是当我部署第二个 validatingwebhook,然后尝试部署一个入口时,第二个 validatingwebhook 尝试评估新创建的入口。

导致此错误:

**Error from server (InternalError): error when creating "ingress-example.yaml": Internal error occurred: failed calling webhook "validate.nginx-public.ingress.kubernetes.io": Post "https://ingress-nginx-controller-admission-public.ingress-nginx.svc:443/networking/v1/ingresses?timeout=10s": x509: certificate is valid for ingress-nginx-controller-admission-private, ingress-nginx-controller-admission-private.ingress-nginx.svc, not ingress-nginx-controller-admission-public.ingress-nginx.svc**

我检查了一下,一切似乎都正确分开了,我的 validatingwebhook 就是这样部署的,{{ ingress_type }} 是 -public 或 -private:[=14= 的占位符]

---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission{{ ingress_type }}
webhooks:
  - name: validate.nginx{{ ingress_type }}.ingress.kubernetes.io
    matchPolicy: Equivalent
    objectSelector:
      matchLabels:
        ingress-nginx : nginx{{ ingress_type }}
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission{{ ingress_type }}
        path: /networking/v1/ingresses
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission{{ ingress_type }}
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}

我似乎找不到解决方案,有一个旧的 github 问题没有答案,也许我做错了什么但我看不到它。

正如评论中所问,这是我正在尝试部署的 ingress-example,这在只有一个入口而不是两个入口时工作得很好:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: nginx-private
#    external-dns.alpha.kubernetes.io/target: "IP"
  labels:
    ingress-nginx : nginx-public
spec:
  rules:
    - host: hello.MYDOMAINHERE
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080

所以对于那些可能遇到这个错误的人。

在发现错误之前,我尝试了不同的方法。你必须重命名所有标签,但 ingress-nginx 的版本除外,我不认为它会因为这么少而中断,但它确实如此。最后我使用了这样的东西:

---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: admission-webhook{{ ingress_type }}
  name: ingress-nginx-admission{{ ingress_type }}
webhooks:
  - name: validate.nginx{{ ingress_type }}.ingress.kubernetes.io
    matchPolicy: Equivalent
    objectSelector:
      matchLabels:
        ingress-nginx : nginx{{ ingress_type }}
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission{{ ingress_type }}
        path: /networking/v1/ingresses
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: controller{{ ingress_type }}
  name: ingress-nginx-controller-admission{{ ingress_type }}
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}

我认为在这种情况下,对所有资源执行相同操作非常重要。