How to specify admission controller correctly?

Tue, 24 Jul 2018 11:29:22 -0700 

I've got origin 3.9 running and trying to setup an admission controller
webhook.  I added the appropriate confgurations to master-config.yaml.  I
added the following:

kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1beta1
metadata:
  name: opa-validating-webhook
webhooks:
  - name: validating-webhook.openpolicyagent.org
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: ["*"]
        apiVersions: ["*"]
        resources: ["pods"]
    clientConfig:
      #url: https://unison-opa.unison.svc/kubernetes/admission/reveiw
      service:
        namespace: unison
        name: unison-opa


here's the unison-opa service:
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: 2018-07-18T01:35:21Z
  labels:
    app: unison
  name: unison-opa
  namespace: unison
  resourceVersion: "13118928"
  selfLink: /api/v1/namespaces/unison/services/unison-opa
  uid: d596be9f-8a2a-11e8-9ee7-525400887c40
spec:
  clusterIP: 172.30.254.250
  ports:
  - name: 443-tcp
    port: 443
    protocol: TCP
    targetPort: 8444
  selector:
    deploymentconfig: unison
  sessionAffinity: None
  type: ClusterIP
status:
  loadBalancer: {}

here's what i see in the master logs:
Jul 24 14:21:26 os atomic-openshift-master-api: W0724 14:21:26.389179
1723 admission.go:252] Failed calling webhook, failing open
validating-webhook.openpolicyagent.org: failed calling admission webhook "
validating-webhook.openpolicyagent.org": Post
https://unison-opa.unison.svc:443/?timeout=30s: net/http: request canceled
while waiting for connection (Client.Timeout exceeded while awaiting
headers)
Jul 24 14:21:26 os atomic-openshift-master-api: E0724 14:21:26.389241
1723 admission.go:253] failed calling admission webhook "
validating-webhook.openpolicyagent.org": Post
https://unison-opa.unison.svc:443/?timeout=30s: net/http: request canceled
while waiting for connection (Client.Timeout exceeded while awaiting
headers)

I've also tried running through the router and going directly to 8444.
Nothing seems to work.  The service is setup correctly, i can connect from
inside of containers.

Thanks

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Reply via email to