Cluster information:
Kubernetes version: v1.21.10-gke.2000
Cloud being used: GCP
Installation method: terraform gcp provider
Host OS: Linux
CNI and version:
CRI and version:
Hi peeps,
I’ve created a validation webhook controller to intercept pods/eviction requests, but calling evictions via both the Go SDK client and VPA is not invoking the webhook.
The webhook config is as follows:
```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  annotations:
    cert-manager.io/inject-ca-from: <namespace>/admissionwebhooks-tls
    meta.helm.sh/release-name: <namespace>-admissionwebhooks
    meta.helm.sh/release-namespace: <namespace>
  name: admissionwebhooks.org.com
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    caBundle: <cert>
    service:
      name: admissionwebhooks
      namespace: <namespace>
      path: /intercept-evictions
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: admissionwebhooks.org.com
  namespaceSelector:
    matchLabels:
      name: <namespace>
  objectSelector:
    matchLabels:
      interceptDBSetPodEvictions: "true"
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    - v1beta1
    operations:
    - CREATE
    resources:
    - pods/eviction
    scope: Namespaced
  sideEffects: None
```
The namespaceSelector and objectSelector are pointing to the right resources.
I am testing by invoking eviction requests with the golang client, and also by VPA, which issues eviction requests.
In addition to pods/eviction, I also tried a few combinations in the rules.resources, but nothing seems to work:
- pods/*
- */eviction
- eviction
- pods/*/eviction
If I use “pods/status”, my webhook server gets status requests, though.
It sounds to me that this is still not working: Intercepting the "pods/eviction" subresource via validating webhooks should work · Issue #75193 · kubernetes/kubernetes · GitHub
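Added example, not part of the original post and not API server code: a simplified Go model of how a webhook's `rules.resources` entries and `objectSelector` are checked for an eviction request. It relies on the documented behaviour that `objectSelector` is evaluated against the object sent in the request, which for `pods/eviction` is the Eviction body rather than the target Pod; the unlabelled Eviction, the labelled contrast object and all function names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// objectSelector copied from the webhook configuration in the post.
var objectSelector = map[string]string{"interceptDBSetPodEvictions": "true"}

// ruleMatches: simplified model of comparing a rules.resources entry with a
// request's resource and subresource (an eviction is "pods" + "eviction").
func ruleMatches(pattern, resource, subresource string) bool {
	parts := strings.Split(pattern, "/")
	switch len(parts) {
	case 1: // "pods" or "*": top-level resources only, never subresources
		return subresource == "" && (parts[0] == "*" || parts[0] == resource)
	case 2: // "pods/eviction", "pods/*", "*/eviction"
		return subresource != "" &&
			(parts[0] == "*" || parts[0] == resource) &&
			(parts[1] == "*" || parts[1] == subresource)
	}
	return false // three segments, e.g. "pods/*/eviction", is not a valid form
}

// selectorMatches: every matchLabels pair must be present on the object.
func selectorMatches(matchLabels, labels map[string]string) bool {
	for k, want := range matchLabels {
		if got, ok := labels[k]; !ok || got != want {
			return false
		}
	}
	return true
}

// webhookCalled assumes the namespaceSelector already matches.
func webhookCalled(pattern string, requestObjectLabels map[string]string) bool {
	return ruleMatches(pattern, "pods", "eviction") &&
		selectorMatches(objectSelector, requestObjectLabels)
}

func main() {
	eviction := map[string]string{} // constructed: Eviction body with no labels
	labelled := map[string]string{"interceptDBSetPodEvictions": "true"}
	for _, p := range []string{"pods/eviction", "pods/*", "*/eviction", "eviction", "pods/*/eviction"} {
		fmt.Printf("%-16s rule=%-5v unlabelled=%-5v labelled=%v\n", p,
			ruleMatches(p, "pods", "eviction"), webhookCalled(p, eviction), webhookCalled(p, labelled))
	}
}
```

In this model the first three resource patterns all match the eviction request, and the webhook is skipped only because the request object carries no label for the `objectSelector` to match.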