Add doc on how to setup localhost serving Admission Webhook #8
Conversation
openshift-ci-robot
added
the
size/L
| - name: clusterresourceoverrides.admission.autoscaling.openshift.io | ||
| clientConfig: | ||
| # serving on localhost. | ||
| url: https://localhost:9443/apis/admission.autoscaling.openshift.io/v1/clusterresourceoverrides |
There was a problem hiding this comment.
serving on localhost of each node where kube API server is also hosted.
| node-role.kubernetes.io/master: '' | ||
|
|
||
| # enable hostNetwork to do localhost serving | ||
| hostNetwork: true |
There was a problem hiding this comment.
We want to serve on localhost of the host network of each master node.
| args: | ||
| # the server binds to 127.0.0.1 to disable external connection. | ||
| # pod readiness and liveness check does not work. | ||
| - "--bind-address=127.0.0.1" |
There was a problem hiding this comment.
bind to 127.0.0.1 to allow connection from localhost exclusively.
| Forbidden: "/apis/admission.autoscaling.openshift.io/v1/clusterresourceoverrides?timeout=30s", Reason: "" | ||
| ``` | ||
|
|
||
| To solve this issue grant `create` verb on the designated API resource to `system:anonymous`. |
There was a problem hiding this comment.
Am I doing something wrong here or is there a better way to solve thi?
|
/assign @deads2k |
| @@ -0,0 +1,178 @@ | |||
| ## Admission Webhooks over localhost | |||
| * Use `DaemonSet`: The DaemonSet controller can make Pods even when the scheduler has not been started, which can help cluster bootstrap. | |||
There was a problem hiding this comment.
Not true, you still need a scheduler. But you don't need the SDN to be working.
| ## Admission Webhooks over localhost | ||
| * Use `DaemonSet`: The DaemonSet controller can make Pods even when the scheduler has not been started, which can help cluster bootstrap. | ||
| * Use `hostnetwork` for `PodSpec` | ||
| * The pods must be scheduled on to each master node so that core API server can access the webhook. |
|
|
||
| Note that we are not using the following: | ||
| * The `DaemonSet` pods are not fronted by any `Service` | ||
| * No API aggregation, the Admission webhook can not be reached via the `kubernetes.default.svc` service. So we don't get the advantages to registering the webhook server as an aggregated API. |
There was a problem hiding this comment.
As an exercise for our future, can you see if it's possible to register as a service. Imagine the ImagePolicy admission plugin which we want for kube-apiserver and openshift-apiserver. Doesn't have to be now and we don't want it for this plugin.
| ### Setup | ||
| * Grant the `ServiceAccount` of the `DaemonSet` access to the `hostnetwork` `SCC` | ||
| ```bash | ||
| oc adm policy add-scc-to-user hostnetwork system:serviceaccount:cluster-resource-override:clusterresourceoverride |
There was a problem hiding this comment.
instead of this, use the oc create rolebinding technique
| ```bash | ||
| oc adm policy add-scc-to-user hostnetwork system:serviceaccount:cluster-resource-override:clusterresourceoverride | ||
| ``` | ||
| * Grant `create` verb on the designated API resource of the API group the admission webhook exposes to `system:anonymous`. |
| - name: clusterresourceoverrides.admission.autoscaling.openshift.io | ||
| clientConfig: | ||
| # serving on localhost. | ||
| url: https://localhost:9443/apis/admission.autoscaling.openshift.io/v1/clusterresourceoverrides |
There was a problem hiding this comment.
I'd like a non-443, so we can start numbering these. How about 9400?
|
The feedback has been addressed. A new PR has been opened in enhancements -openshift/enhancements#138 |
deads2k
added
the
approved
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: tkashem The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/hold |
openshift-ci-robot
added
the
do-not-merge/hold
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle rotten |
openshift-ci-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. Reopen the issue by commenting /close |
|
@openshift-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
No description provided.