Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

When admission webhook and gateway discovery is enabled, actions requiring admission webhook stucks when gateway pod deleted #3600

Closed
1 task done
randmonkey opened this issue Feb 24, 2023 · 0 comments · Fixed by #3601
Closed
1 task done

When admission webhook and gateway discovery is enabled, actions requiring admission webhook stucks when gateway pod deleted #3600

randmonkey opened this issue Feb 24, 2023 · 0 comments · Fixed by #3601
Assignees
@czeslavo
Labels
bug Something isn't working priority/high
Milestone
KIC v2.9.0

Comments

@randmonkey
Copy link
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When validation admission webhook is turned on, while kic and kong gateway are deployed in different deployments/pods, actions requiring admission webhooks will be stuck when kong gateway pod is deleted and re-created and got a different IP.
I think it is caused by the way the admission webhook server access the kong admin API. It uses a fixed address on setup phase, which could change when KIC and kong are in different pods.

Expected Behavior

When kong pod is deleted and re-created (at least one kong gateway pod available), webhook could still work.

Steps To Reproduce

1. Deploy multiple GW, with admission webhook enabled:
   add the env CONTROLLER_ADMISSION_WEBHOOK_LISTEN="0.0.0.0:8080" to `all-in-one-dbless-multiple-gw.yaml`
2. create service and admission webhook:
apiVersion: v1
kind: Service
metadata:
  name: kong-validation-webhook
  namespace: kong
spec:
  ports:
  - name: webhook
    port: 443
    protocol: TCP
    targetPort: 8080
  selector:
    app: ingress-kong
and validation admission webhook:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: "validate.konghq.com"
webhooks:
- name: "plugin.konghq.com"
  rules:
  - apiGroups:   ["configuration.konghq.com"]
    apiVersions: ["v1"]
    operations:  ["CREATE"]
    resources:   ["kongplugins"]
    scope:       "Namespaced"
  clientConfig:
    service:
      namespace: "kong"
      name: "kong-validation-webhook"
   ...
To enable validation webhook.
3. delete the initial kong pods
4. create a kongPlugin, and k8s api will return error from validation webhook:
rror from server (InternalError): error when creating "kong-plugin-good.yaml": Internal error occurred: failed calling webhook "plugin.konghq.com": failed to call webhook: Post "https://kong-validation-webhook.kong.svc:443/?timeout=5s": context deadline exceeded

Kong Ingress Controller version

current main branch

Kubernetes version

No response

Anything else?

No response
@randmonkey randmonkey added the bug Something isn't working label Feb 24, 2023
@randmonkey randmonkey added this to the KIC v2.9.0 milestone Feb 24, 2023
@czeslavo czeslavo self-assigned this Feb 24, 2023
@czeslavo czeslavo mentioned this issue Feb 24, 2023
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@czeslavo czeslavo

Labels
bug Something isn't working priority/high
Projects
None yet
Milestone
KIC v2.9.0
Development

Successfully merging a pull request may close this issue.

fix: get Admin API services dynamically in admission webhook Kong/kubernetes-ingress-controller
2 participants
@czeslavo @randmonkey