How do I debug a validating admission webhook?

2,011 views
Skip to first unread message

Matt Reynolds

unread,
Jun 8, 2018, 4:56:44 PM6/8/18
to Kubernetes user discussion and Q&A
I have a validating admission webhook service running in my cluster, a config created for it but it doesn't get called when I add a new resource (ingress). 


here's the configuration object:

    kind: ValidatingWebhookConfiguration
    metadata:
      name: ingress-check-webhook-cfg
    webhooks:
      - name: ingress.check.webhook
        rules:
          - apiGroups:
              - extensions
            apiVersions:
              - v1
            operations:
              - CREATE
              - UPDATE
            resources:
              - ingresses
        failurePolicy: Ignore
        clientConfig:
          service:
            name: ingress-check-webhook-svc
            namespace: operations
            path: "/validate"
          caBundle: <cert stuff>

I can curl -k https://ingress-check-webhook-svc.operations/validate within the cluster and see log entries in my webhook service but nothing when I create an ingress. 

my kube-apiserver has --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,Initializers

when I look at the logs for the apiserver it looks like just access logs and I can't find anything logging admission workflow so I'm not sure where to go to figure out why it's not working.

--
cheers,

Matt

Daniel Smith

unread,
Jun 8, 2018, 5:00:08 PM6/8/18
to kubernet...@googlegroups.com
Ingress appears to be a v1beta1 resource: https://kubernetes.io/docs/reference/federation/v1/definitions/

--
You received this message because you are subscribed to the Google Groups "Kubernetes user discussion and Q&A" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-use...@googlegroups.com.
To post to this group, send email to kubernet...@googlegroups.com.
Visit this group at https://groups.google.com/group/kubernetes-users.
For more options, visit https://groups.google.com/d/optout.

Matt Reynolds

unread,
Jun 8, 2018, 6:00:01 PM6/8/18
to Kubernetes user discussion and Q&A
Thanks Daniel - I switched to v1beta1 for apiVersions but I still get the same result.

Matt Reynolds

unread,
Jun 11, 2018, 1:20:03 PM6/11/18
to Kubernetes user discussion and Q&A
I deleted and re-applied my config and it's working now - I'm guessing I messed up the prior change for the api version change.
Reply all
Reply to author
Forward
0 new messages