Kubernetes version: v1.21.10-gke.2000
Cloud being used: GCP
Installation method: terraform gcp provider
Host OS: Linux
CNI and version:
CRI and version:
I’ve created a validation webhook controller to intercept pods/eviction requests, but calling evictions via both the Go SDK client and VPA is not invoking the webhook.
The webhook config is as follows:
```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  annotations:
    cert-manager.io/inject-ca-from: <namespace>/admissionwebhooks-tls
    meta.helm.sh/release-name: <namespace>-admissionwebhooks
    meta.helm.sh/release-namespace: <namespace>
  name: admissionwebhooks.org.com
webhooks:
- admissionReviewVersions:
  - v1
  - v1beta1
  clientConfig:
    caBundle: <cert>
    service:
      name: admissionwebhooks
      namespace: <namespace>
      path: /intercept-evictions
      port: 443
  failurePolicy: Fail
  matchPolicy: Equivalent
  name: admissionwebhooks.org.com
  namespaceSelector:
    matchLabels:
      name: <namespace>
  objectSelector:
    matchLabels:
      interceptDBSetPodEvictions: "true"
  rules:
  - apiGroups:
    - ""
    apiVersions:
    - v1
    - v1beta1
    operations:
    - CREATE
    resources:
    - pods/eviction
    scope: Namespaced
  sideEffects: None
```
The objectSelector is pointing to the right resources.
I am testing by invoking eviction requests with the Golang client, and also by VPA, which issues eviction requests.
In addition to pods/eviction, I also tried a few combinations in the rules.resources, but nothing seems to work:
If I use “pods/status”, my webhook server gets status requests though.
It sounds to me that this is still not working: Intercepting the "pods/eviction" subresource via validating webhooks should work · Issue #75193 · kubernetes/kubernetes · GitHub
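An added example, not part of the original post and not Kubernetes code: a simplified Go model of how the `rules` and `objectSelector` fields of the configuration above are matched against a request. It relies on the documented behaviour that `objectSelector` is evaluated against the object sent to the webhook, which for a CREATE on `pods/eviction` is the Eviction object rather than the Pod; the assumption is that the client sends an Eviction carrying only a name and namespace. The types and function names are hypothetical, and `namespaceSelector` is not modelled.

```go
package main

import "fmt"

// Request: admission attributes of one API call (simplified, hypothetical type).
type Request struct {
	Operation, Resource, SubResource string
	ObjectLabels                     map[string]string // labels on the request body object
}

// Webhook: the rule and objectSelector fields taken from the posted configuration.
type Webhook struct {
	Operations, Resources []string
	ObjectSelector        map[string]string // matchLabels only
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// RuleMatches compares the operation and "resource/subresource" with the rule.
func RuleMatches(w Webhook, r Request) bool {
	res := r.Resource
	if r.SubResource != "" {
		res += "/" + r.SubResource
	}
	return contains(w.Operations, r.Operation) && contains(w.Resources, res)
}

// SelectorMatches requires every matchLabels pair on the request object itself.
func SelectorMatches(w Webhook, r Request) bool {
	for k, v := range w.ObjectSelector {
		if r.ObjectLabels[k] != v {
			return false
		}
	}
	return true
}

// Called reports whether this model would invoke the webhook for the request.
func Called(w Webhook, r Request) bool { return RuleMatches(w, r) && SelectorMatches(w, r) }

func main() {
	wh := Webhook{[]string{"CREATE"}, []string{"pods/eviction"}, map[string]string{"interceptDBSetPodEvictions": "true"}}
	ev := Request{"CREATE", "pods", "eviction", nil} // constructed: Eviction body without labels
	fmt.Println(RuleMatches(wh, ev), SelectorMatches(wh, ev), Called(wh, ev)) // true false false
}
```

In this model the rule matches the eviction but the label selector does not, so dropping `objectSelector` and filtering on the Pod's labels inside the webhook handler is one way to test whether the selector is what keeps the webhook from being called.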