Validating Admission Webhook doesn't get called #20842

Closed
openshiftninja opened this issue Sep 3, 2018 · 4 comments
@openshiftninja

I'm trying to test a validating admission webhook that would call the Anchore Image Scanning solution before a pod is created. I'm running this on OpenShift Origin 3.10 using MiniShift. Is there anything I need to configure to turn on the validating admission webhooks? Everything seems to be working fine except the hook not actually getting called.

Version
$ oc version
oc v3.10.0+dd10d17
kubernetes v1.10.0+b81c8f8
features: Basic-Auth GSSAPI Kerberos SPNEGO

Server https://192.168.42.58:8443
openshift v3.10.0+2fddd08-32
kubernetes v1.10.0+b81c8f8

Steps To Reproduce

Following the steps for https://github.com/viglesiasce/kubernetes-anchore-image-validator, which was created for Kubernetes. I was able to install Helm (https://blog.osninja.io/deploying-anchore-engine-on-openshift/), give the tiller service account cluster admin access, give anyuid to the required service accounts, and then validate that I have the engine up as well as the validator service which answers the webhook and then calls the engine.

  1. Installed the image validator webservice and verified it is running and answering calls
  2. Created validating webhook yaml (attached: validating-webook.yaml.txt)

Current Result

Not seeing the webhook get called, which should be at the /apis/admission.anchore.io/v1beta1/imagechecks URL of the analysis-anchore-policy-validator service in the anchore-engine namespace

Expected Result

No such call being made - possibly I'm just missing something that is needed to enable these validating webhooks to get called

Additional Information

Diagnostics:
diagnostics.txt
anchore-engine resources:
anchore-engine.json.txt
default resources:

@jwforres
Member

jwforres commented Sep 5, 2018

@openshift/sig-master

@sttts
Contributor

sttts commented Sep 6, 2018

The admission webhooks are not enabled yet. We are working on doing so for 3.11: #20744

@openshiftninja
Author

Ok. I don't suppose there is a way to enable them manually? Not a big deal, so I'm going to go ahead and close this.

@sttts
Contributor

sttts commented Sep 6, 2018

> Ok. I don't suppose there is a way to enable them manually? Not a big deal, so I'm going to go ahead and close this.

You can, compare openshift/openshift-ansible#7983.
