Comments (9)
rbaumgar
commented on July 20, 2024
found similar issue puzzle/cert-manager-webhook-dnsimple#8
from cert-manager-webhook-dynu.
anon-software
commented on July 20, 2024
I believe I saw these messages in my installation too. I shall be back home to confirm that in a couple of days. However, they seem inconsequential as my system was able to get the certificate signed successfully and I did not have time to look into them further. Did it work for you otherwise?
from cert-manager-webhook-dynu.
rbaumgar
commented on July 20, 2024
I was able to fix the RBAC problem by applying the following clusterrole and clusterrolebinding
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
meta.helm.sh/release-name: cert-manager-dynu-webhook
meta.helm.sh/release-namespace: cert-manager
labels:
app: dynu-webhook
app.kubernetes.io/managed-by: Helm
chart: dynu-webhook-0.1.1
heritage: Helm
release: cert-manager-dynu-webhook
name: cert-manager-dynu-webhook:flowcontrol-solver
rules:
- apiGroups:
- "flowcontrol.apiserver.k8s.io"
resources:
- 'prioritylevelconfigurations'
- 'flowschemas'
verbs:
- 'list'
- 'watch'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
meta.helm.sh/release-name: cert-manager-dynu-webhook
meta.helm.sh/release-namespace: cert-manager
labels:
app: dynu-webhook
app.kubernetes.io/managed-by: Helm
chart: dynu-webhook-0.1.1
heritage: Helm
release: cert-manager-dynu-webhook
name: cert-manager-dynu-webhook:flowcontrol-solver
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager-dynu-webhook:flowcontrol-solver
subjects:
- kind: ServiceAccount
name: cert-manager-dynu-webhook
namespace: cert-manager
now I have the following error messages
W0829 21:24:32.439246 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.PriorityLevelConfiguration: the server could not find the requested resource
E0829 21:24:32.439742 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.PriorityLevelConfiguration: failed to list *v1beta2.PriorityLevelConfiguration: the server could not find the requested resource
W0829 21:25:00.737869 1 reflector.go:324] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: failed to list *v1beta2.FlowSchema: the server could not find the requested resource
E0829 21:25:00.737959 1 reflector.go:138] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1beta2.FlowSchema: failed to list *v1beta2.FlowSchema: the server could not find the requested resource
from cert-manager-webhook-dynu.
rbaumgar
commented on July 20, 2024
I found now that I am using dynu version 0.1.1 and 0.1.2. Installed 2 hours ago.
Any idea why?
NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
cert-manager-dynu-webhook cert-manager 1 2022-08-29 19:49:30.930351429 +0000 UTC deployed dynu-webhook-0.1.1 1.0
from cert-manager-webhook-dynu.
anon-software
commented on July 20, 2024
The only difference between these two versions is the readme file. I cannot comment on the new errors you see now.
from cert-manager-webhook-dynu.
rbaumgar
commented on July 20, 2024
both objects exist, but I don't know which name the webhook is looking for and who should create it...
# kubectl get prioritylevelconfiguration
NAME TYPE ASSUREDCONCURRENCYSHARES QUEUES HANDSIZE QUEUELENGTHLIMIT AGE
catch-all Limited 5 <none> <none> <none> 2d14h
exempt Exempt <none> <none> <none> <none> 2d14h
global-default Limited 20 128 6 50 2d14h
leader-election Limited 10 16 4 50 2d14h
system Limited 30 64 6 50 2d14h
workload-high Limited 40 128 6 50 2d14h
workload-low Limited 100 128 6 50 2d14h
[root@microshift ~]# kubectl get flowschema
NAME PRIORITYLEVEL MATCHINGPRECEDENCE DISTINGUISHERMETHOD AGE MISSINGPL
exempt exempt 1 <none> 2d14h False
system-leader-election leader-election 100 ByUser 2d14h False
workload-leader-election leader-election 200 ByUser 2d14h False
system-nodes system 500 ByUser 2d14h False
kube-controller-manager workload-high 800 ByNamespace 2d14h False
kube-scheduler workload-high 800 ByNamespace 2d14h False
kube-system-service-accounts workload-high 900 ByNamespace 2d14h False
service-accounts workload-low 9000 ByUser 2d14h False
global-default global-default 9900 ByUser 2d14h False
catch-all catch-all 10000 ByUser 2d14h False
from cert-manager-webhook-dynu.
rbaumgar
commented on July 20, 2024
very interesting! Audit log shows following error
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"df17037b-902f-4779-8dae-d49b4e8699c0","stage":"ResponseComplete","requestURI":"/apis/flowcontrol.apiserver.k8s.io/v1beta2/flowschemas?limit=500\u0026resourceVersion=0","verb":"list","user":{"username":"system:serviceaccount:cert-manager:cert-manager-dynu-webhook","uid":"890b445d-a09a-4037-a443-65081814a78b","groups":["system:serviceaccounts","system:serviceaccounts:cert-manager","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["cert-manager-dynu-webhook-79f445dfd4-dr285"],"authentication.kubernetes.io/pod-uid":["751180b3-ba97-4f8d-abfb-dc81b103791b"]}},"sourceIPs":["10.42.0.10"],"userAgent":"webhook/v0.0.0 (linux/arm64) kubernetes/$Format","objectRef":{"resource":"flowschemas","apiGroup":"flowcontrol.apiserver.k8s.io","apiVersion":"v1beta2"},"responseStatus":{"metadata":{},"status":"Failure","reason":"NotFound","code":404},"requestReceivedTimestamp":"2022-08-30T13:12:58.533325Z","stageTimestamp":"2022-08-30T13:12:58.577099Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding "cert-manager-dynu-webhook:flowcontrol-solver" of ClusterRole "cert-manager-dynu-webhook:flowcontrol-solver" to ServiceAccount "cert-manager-dynu-webhook/cert-manager""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"a2332bde-38d9-4fca-8beb-58a9accb70be","stage":"ResponseComplete","requestURI":"/apis/flowcontrol.apiserver.k8s.io/v1beta2/prioritylevelconfigurations?limit=500\u0026resourceVersion=0","verb":"list","user":{"username":"system:serviceaccount:cert-manager:cert-manager-dynu-webhook","uid":"890b445d-a09a-4037-a443-65081814a78b","groups":["system:serviceaccounts","system:serviceaccounts:cert-manager","system:authenticated"],"extra":{"authentication.kubernetes.io/pod-name":["cert-manager-dynu-webhook-79f445dfd4-dr285"],"authentication.kubernetes.io/pod-uid":["751180b3-ba97-4f8d-abfb-dc81b103791b"]}},"sourceIPs":["10.42.0.10"],"userAgent":"webhook/v0.0.0 (linux/arm64) kubernetes/$Format","objectRef":{"resource":"prioritylevelconfigurations","apiGroup":"flowcontrol.apiserver.k8s.io","apiVersion":"v1beta2"},"responseStatus":{"metadata":{},"status":"Failure","reason":"NotFound","code":404},"requestReceivedTimestamp":"2022-08-30T13:13:50.036863Z","stageTimestamp":"2022-08-30T13:13:50.145252Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding "cert-manager-dynu-webhook:flowcontrol-solver" of ClusterRole "cert-manager-dynu-webhook:flowcontrol-solver" to ServiceAccount "cert-manager-dynu-webhook/cert-manager""}}
from cert-manager-webhook-dynu.
rbaumgar
commented on July 20, 2024
oh I found the reason for the errors.
I have only version v1beta1 of flowcontrol, but the pod is looking for version v1beta2
# kubectl api-resources --api-group=flowcontrol.apiserver.k8s.io
NAME SHORTNAMES APIVERSION NAMESPACED KIND
flowschemas flowcontrol.apiserver.k8s.io/v1beta1 false FlowSchema
prioritylevelconfigurations flowcontrol.apiserver.k8s.io/v1beta1 false PriorityLevelConfiguration
from cert-manager-webhook-dynu.
davlloyd
commented on July 20, 2024
This has been fixed in latest update so can be closed
from cert-manager-webhook-dynu.
Related Issues (15)
- cannot create resource "dynu" in API group "dynu-webhook" HOT 5
- web hook does not support subdomains HOT 3
- Pages build action not running HOT 3
- [QUESTION] Installation error ? HOT 1
- new group name
- add USER to dockerfile
- The server could not find the requested resource (post dynu.com.github.dopingus.cert-manager-webhook-dynu)
- Clusterisssuer does not create secret.
- Is it possible to set the TTL? HOT 7
- webhook producess many warnings on Kubernetes 1.26 HOT 2
- server not able to handle the request HOT 5
- Challenges failed - the server is currently unable to handle the request
- build new version recommended HOT 1
- re-queuing item due to error processing" "error"="dynu.dynu-webhook-1661649439 is forbidden HOT 8
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cert-manager-webhook-dynu.