I forgot to say, you also need to enable the APIs, since they are alpha. Search for --runtime-config here: https://kubernetes.io/docs/admin/extensible-admission-controllers/
On Tue, Jul 18, 2017 at 12:19 PM, Xin Guo <guoxin73...@gmail.com> wrote:

> Thank you Daniel!
> Do I need to include the same flags for Initializer? Since if I only
> include "Initializer" in --admission-control, it won't work either.
>
> On Monday, July 17, 2017 at 2:42:25 PM UTC-7, Daniel Smith wrote:
>>
>> Filed https://github.com/kubernetes/kubernetes/issues/49050 to track
>> this.
>>
>> On Mon, Jul 17, 2017 at 2:39 PM, Daniel Smith <dbs...@google.com> wrote:
>>
>>> I think you need to pass the proxy cert & request header auth flags.
>>>
>>> --proxy-client-cert-file string
>>>     Client certificate used to prove the identity of the aggregator or
>>>     kube-apiserver when it must call out during a request. This includes
>>>     proxying requests to a user api-server and calling out to webhook
>>>     admission plugins. It is expected that this cert includes a signature
>>>     from the CA in the --requestheader-client-ca-file flag. That CA is
>>>     published in the 'extension-apiserver-authentication' configmap in
>>>     the kube-system namespace. Components recieving calls from
>>>     kube-aggregator should use that CA to perform their half of the
>>>     mutual TLS verification.
>>> --proxy-client-key-file string
>>>     Private key for the client certificate used to prove the identity of
>>>     the aggregator or kube-apiserver when it must call out during a
>>>     request. This includes proxying requests to a user api-server and
>>>     calling out to webhook admission plugins.
>>>
>>> --requestheader-allowed-names stringSlice
>>>     List of client certificate common names to allow to provide usernames
>>>     in headers specified by --requestheader-username-headers. If empty,
>>>     any client certificate validated by the authorities in
>>>     --requestheader-client-ca-file is allowed.
>>> --requestheader-client-ca-file string
>>>     Root certificate bundle to use to verify client certificates on
>>>     incoming requests before trusting usernames in headers specified by
>>>     --requestheader-username-headers
>>> --requestheader-extra-headers-prefix stringSlice
>>>     List of request header prefixes to inspect. X-Remote-Extra- is
>>>     suggested.
>>> --requestheader-group-headers stringSlice
>>>     List of request headers to inspect for groups. X-Remote-Group is
>>>     suggested.
>>> --requestheader-username-headers stringSlice
>>>     List of request headers to inspect for usernames. X-Remote-User is
>>>     common.
>>>
>>> https://kubernetes.io/docs/admin/kube-apiserver/
>>>
>>> On Mon, Jul 17, 2017 at 2:16 PM, Xin Guo <guoxi...@gmail.com> wrote:
>>>
>>>> When I add GenericAdmissionWebhook to the end of the flag
>>>> --admission-control, the whole API server won't work. The response of
>>>> "kubectl get nodes" is "Unable to connect to the server: EOF". However, if
>>>> I just remove GenericAdmissionWebhook from the flag --admission-control,
>>>> everything works fine. Can somebody help me with it? Do I need to make
>>>> other changes in api-server.yaml to enable this feature? Thanks!
>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google
>>>> Groups "Kubernetes user discussion and Q&A" group.
>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>> an email to kubernetes-use...@googlegroups.com.
>>>> To post to this group, send email to kubernet...@googlegroups.com.
>>>> Visit this group at https://groups.google.com/group/kubernetes-users.
>>>> For more options, visit https://groups.google.com/d/optout.
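Added example, not part of the original thread and not Kubernetes project code: a Python preflight check that reads a kube-apiserver argument list and reports which of the flags named in the replies above are missing before the alpha admission plugins are enabled. Treating the cert, key and CA flags as mandatory is an assumption drawn from the reply; the sample paths and the `--runtime-config` value are constructed placeholders.

```python
# Flags the reply in this thread says GenericAdmissionWebhook needs.
# Assumption: cert, key and CA are treated as mandatory; the optional
# --requestheader-*-headers flags are not checked.
WEBHOOK_FLAGS = ("--proxy-client-cert-file", "--proxy-client-key-file",
                 "--requestheader-client-ca-file")
# Plugin names as they appear in the thread, plus the plural spelling.
ALPHA_PLUGINS = {"GenericAdmissionWebhook", "Initializer", "Initializers"}


def parse_flags(args):
    """Map '--name=value' and '--name value' arguments to {name: value}."""
    flags, i = {}, 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--"):
            name, sep, value = arg.partition("=")
            if not sep and i + 1 < len(args) and not args[i + 1].startswith("--"):
                i += 1
                value = args[i]
            flags[name] = value
        i += 1
    return flags


def preflight(args):
    """Return a list of problems for the admission plugins enabled in args."""
    flags = parse_flags(args)
    enabled = {p.strip() for p in flags.get("--admission-control", "").split(",")}
    problems = []
    if "GenericAdmissionWebhook" in enabled:
        problems += [f"{f} is not set" for f in WEBHOOK_FLAGS if not flags.get(f)]
    if ALPHA_PLUGINS & enabled and not flags.get("--runtime-config"):
        problems.append("--runtime-config is not set (alpha APIs stay disabled)")
    return problems


# Constructed sample: the failing configuration from the original question.
BROKEN = ["kube-apiserver",
          "--admission-control=NamespaceLifecycle,ServiceAccount,GenericAdmissionWebhook"]
# Constructed sample: placeholder paths; take the exact --runtime-config
# value from the documentation linked in the first reply.
FIXED = BROKEN + ["--runtime-config=admissionregistration.k8s.io/v1alpha1",
                  "--proxy-client-cert-file=/path/to/proxy-client.crt",
                  "--proxy-client-key-file", "/path/to/proxy-client.key",
                  "--requestheader-client-ca-file=/path/to/requestheader-ca.crt"]

if __name__ == "__main__":
    for label, args in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, preflight(args) or "ok")
```
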