Bug 2033784

 oc get clusterversion           
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-01-24-070025   True        False         7h12m   Cluster version is 4.10.0-0.nightly-2022-01-24-070025

Create a webhook that matches one of these resources.

cat webhook-config.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: "test-virtual-cfg"
webhooks:
- name: "test.virtual.com"
  rules:
  - apiGroups:   ["authorization.k8s.io"]
    apiVersions: ["v1"]
    operations:  ["*"]
    resources:   ["subjectaccessreviews"]
    scope:       "Namespaced"
  clientConfig:
    service:
      namespace: "example-namespace"
      name: "example-service"
  admissionReviewVersions: ["v1"]
  sideEffects: None
  timeoutSeconds: 5

oc apply -f webhook-config.yaml

kube-apiserver degraded when matched a virtual resource.

oc get co kube-apiserver -o yaml

status:
  conditions:
  - lastTransitionTime: "2022-01-25T13:45:32Z"
    message: |-
      ValidatingAdmissionWebhookConfigurationDegraded: test.virtual.com: unable to find find service example-service.example-namespace: service "example-service" not found
      VirtualResourceAdmissionDegraded: Validating webhook test.virtual.com matches a virtual resource subjectaccessreviews.authorization.k8s.io/v1
    reason: ValidatingAdmissionWebhookConfiguration_WebhookServiceNotFound::VirtualResourceAdmission_AdmissionWebhookMatchesVirtualResource
    status: "True"
    type: Degraded

Same has been done for MutatingAdmissionWebhookConfiguration

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: "test1-virtual-cfg"
webhooks:
- name: "test1.virtual.com"
  rules:
  - apiGroups:   ["authorization.k8s.io"]
    apiVersions: ["v1"]
    operations:  ["*"]
    resources:   ["subjectaccessreviews"]
    scope:       "Namespaced"
  clientConfig:
    service:
      namespace: "example-namespace"
      name: "example-service"
  admissionReviewVersions: ["v1"]
  sideEffects: None
  timeoutSeconds: 5

oc apply -f webhook-config.yaml

oc get co kube-apiserver -o yaml

 - lastTransitionTime: "2022-01-25T13:45:32Z"
    message: |-
      MutatingAdmissionWebhookConfigurationDegraded: test1.virtual.com: unable to find find service example-service.example-namespace: service "example-service" not found
      ValidatingAdmissionWebhookConfigurationDegraded: test.virtual.com: unable to find find service example-service.example-namespace: service "example-service" not found
      VirtualResourceAdmissionDegraded: Mutating webhook test1.virtual.com matches a virtual resource subjectaccessreviews.authorization.k8s.io/v1.
      VirtualResourceAdmissionDegraded: Validating webhook test.virtual.com matches a virtual resource subjectaccessreviews.authorization.k8s.io/v1
    reason: MutatingAdmissionWebhookConfiguration_WebhookServiceNotFound::ValidatingAdmissionWebhookConfiguration_WebhookServiceNotFound::VirtualResourceAdmission_AdmissionWebhookMatchesVirtualResource
    status: "True"
    type: Degraded

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056