Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enhancement: Webhook is not accessible on EKS with Calico #123

Closed
dipeti opened this issue Nov 24, 2021 · 1 comment
Closed

Enhancement: Webhook is not accessible on EKS with Calico #123

dipeti opened this issue Nov 24, 2021 · 1 comment
Assignees
@senthilrch
Labels
enhancement Enhancement to existing feature
Milestone
v0.9.0

Comments

@dipeti
Copy link

dipeti commented Nov 24, 2021
edited
Loading

Hi,

When using EKS with only Calico CNI the Kubernetes API server on the control plane (managed by AWS) cannot reach webhooks that use a service pointing to pods on Calico pod network.
The visible error is the following:

  Error: Internal error occurred: failed calling webhook "validate-image-cache.kubefledged.io": Post "https://kubefledged-operator-kube-fledged-webhook-server.kubefledged.svc:3443/validate-image-cache?timeout=1s": Address is not allowed

In order to make the webhook pod accessible (on Calico) from the control plane (not on Calico) I need to expose the service port on the hosting node. hostNetwork: true

Can you please add the option of configuring the hostNetwork on the webhook server's deployment manifest?

#helm-charts/kubefledged/templates/deployment-webhook-server.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "kubefledged.fullname" . }}-webhook-server
  labels:
    {{- include "kubefledged.labels" . | nindent 4 }}
spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "kubefledged.selectorLabels" . | nindent 6 }}-webhook-server
  template:
    metadata:
      labels:
        {{- include "kubefledged.selectorLabels" . | nindent 8 }}-webhook-server
    spec:
#SOMETHING ALONG THESE LINES 
{{- if .Values.args.webhookServerHostNetwork }}
      hostNetwork: true
{{- end }}

source: https://medium.com/@denisstortisilva/kubernetes-eks-calico-and-custom-admission-webhooks-a2956b49bd0d
@vikas027 vikas027 mentioned this issue Nov 27, 2021
Closed
@senthilrch senthilrch self-assigned this Dec 9, 2021
@senthilrch senthilrch added the enhancement Enhancement to existing feature label Dec 9, 2021
@senthilrch senthilrch added this to the v0.9.0 milestone Dec 9, 2021
@senthilrch
Copy link
Owner

Thanks @dipeti I'll have this implemented in v0.9.0 release

@senthilrch senthilrch mentioned this issue Dec 27, 2021
Merged
@senthilrch senthilrch changed the title Webhook is not accessible on EKS with Calico Enhancement: Webhook is not accessible on EKS with Calico Dec 27, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@senthilrch senthilrch

Labels
enhancement Enhancement to existing feature
Projects
None yet
Milestone
v0.9.0
Development

No branches or pull requests
2 participants
@dipeti @senthilrch