Multiple ingress-nginx in Kubernetes: validating webhook not working

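Problem description

As the title says, I currently have 2 configurations of ingress-nginx v1.0.0 on GKE v1.20.10.

When I deploy one configuration on its own, it works and I have no problems, but when I deploy the second validating webhook and then try to deploy an ingress, both validating webhooks try to evaluate the newly created ingress.

This results in this error: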

**Error from server (InternalError): error when creating "ingress-example.yaml": Internal error occurred: failed calling webhook "validate.nginx-public.ingress.kubernetes.io": Post "https://ingress-nginx-controller-admission-public.ingress-nginx.svc:443/networking/v1/ingresses?timeout=10s": x509: certificate is valid for ingress-nginx-controller-admission-private, ingress-nginx-controller-admission-private.ingress-nginx.svc, not ingress-nginx-controller-admission-public.ingress-nginx.svc**

I checked, and everything seems to be correctly separated. My validating webhook is deployed like this, where {{ ingress_type }} is a placeholder for -public or -private:

```yaml
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: admission-webhook
  name: ingress-nginx-admission{{ ingress_type }}
webhooks:
  - name: validate.nginx{{ ingress_type }}.ingress.kubernetes.io
    matchPolicy: Equivalent
    objectSelector:
      matchLabels:
        ingress-nginx : nginx{{ ingress_type }}
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission{{ ingress_type }}
        path: /networking/v1/ingresses
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller-admission{{ ingress_type }}
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
```

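I can't seem to find a solution. There is an old GitHub issue with no answer. Maybe I'm doing something wrong, but I can't see it.

As asked in the comments, here is an example of an ingress I'm trying to deploy. With only one ingress instead of two, this works fine: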

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.class: nginx-private
#    external-dns.alpha.kubernetes.io/target: "IP"
  labels:
    ingress-nginx : nginx-public
spec:
  rules:
    - host: hello.MYDOMAINHERE
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 8080
```

Tags: kubernetes, google-kubernetes-engine, ingress-nginx

Solution


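So, for those who might run into this error.

Before finding the problem, I tried different approaches. You have to rename all the labels, except the ingress-nginx version. I didn't think it would break over so little, but it did. In the end I used something like this: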

```yaml
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: admission-webhook{{ ingress_type }}
  name: ingress-nginx-admission{{ ingress_type }}
webhooks:
  - name: validate.nginx{{ ingress_type }}.ingress.kubernetes.io
    matchPolicy: Equivalent
    objectSelector:
      matchLabels:
        ingress-nginx : nginx{{ ingress_type }}
    rules:
      - apiGroups:
          - networking.k8s.io
        apiVersions:
          - v1
        operations:
          - CREATE
          - UPDATE
        resources:
          - ingresses
    failurePolicy: Fail
    sideEffects: None
    admissionReviewVersions:
      - v1
    clientConfig:
      service:
        namespace: ingress-nginx
        name: ingress-nginx-controller-admission{{ ingress_type }}
        path: /networking/v1/ingresses
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/instance: ingress-nginx{{ ingress_type }}
    app.kubernetes.io/version: 1.0.0
    app.kubernetes.io/component: controller{{ ingress_type }}
  name: ingress-nginx-controller-admission{{ ingress_type }}
spec:
  type: ClusterIP
  ports:
    - name: https-webhook
      port: 443
      targetPort: webhook
      appProtocol: https
  selector:
    app.kubernetes.io/name: ingress-nginx{{ ingress_type }}
```

I think that in this case it is important to do the same for all resources.
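
The following is an added example, not code from the original answer or from the ingress-nginx project: a check that flags any admission Service whose selector reaches a controller pod whose certificate lacks that Service's DNS name, which is the condition the x509 error in the question reports. The page does not show the controller Deployments, so the pod names, the pod labels, the Service selecting on the `instance` and `component` labels, and the per-pod certificate SANs are constructed assumptions.

```python
NAMESPACE = "ingress-nginx"
SUFFIXES = ("-public", "-private")

def selects(selector, labels):
    """Equality-based Service selector: every key/value pair must be on the pod."""
    return all(labels.get(k) == v for k, v in selector.items())

def audit(services, pods, namespace=NAMESPACE):
    """List (service, pod, reason) for every admission Service whose selector
    reaches a pod that cannot present a certificate valid for that Service."""
    findings = []
    for svc, selector in services.items():
        dns = f"{svc}.{namespace}.svc"
        backends = [p for p in pods if selects(selector, p["labels"])]
        if not backends:
            findings.append((svc, None, "selector matches no pod"))
        for pod in backends:
            if dns not in pod["cert_sans"]:
                findings.append((svc, pod["name"], f"certificate lacks SAN {dns}"))
    return findings

def scenario(unique_labels):
    """Constructed two-controller install; labels are suffixed only if unique_labels."""
    services, pods = {}, []
    for suffix in SUFFIXES:
        tag = suffix if unique_labels else ""
        labels = {
            "app.kubernetes.io/instance": f"ingress-nginx{tag}",
            "app.kubernetes.io/component": f"controller{tag}",
        }
        svc = f"ingress-nginx-controller-admission{suffix}"
        services[svc] = dict(labels)  # assumed: Service selects on these labels
        pods.append({
            "name": f"ingress-nginx-controller{suffix}-0",  # hypothetical pod name
            "labels": labels,
            "cert_sans": [svc, f"{svc}.{NAMESPACE}.svc"],  # SAN shape from the error
        })
    return services, pods

if __name__ == "__main__":
    for unique in (False, True):
        print("unique labels:" if unique else "shared labels:")
        for finding in audit(*scenario(unique)) or ["no findings"]:
            print("  ", finding)
```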

