Description of problem:
While trying to observe multus admission controller functionality, TLS handshake errors are preventing it from catching bad config defined under network attachment definitions.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Define bad config in net-attach-def
$ cat def.yaml
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: macvlan-bridge
spec:
  config: 'asdf'

2. $ oc create -f def.yaml
networkattachmentdefinition.k8s.cni.cncf.io/macvlan-bridge created

3. $ oc logs multus-admission-controller-gssgv --namespace=openshift-multus
I1016 02:37:18.023175 1 main.go:41] starting net-attach-def-admission-controller webhook server
2019/10/16 02:58:35 http: TLS handshake error from 10.128.0.1:50478: remote error: tls: bad certificate

Actual results:
TLS handshake errors in step 3 preventing multus from catching the error in step 2

Expected results:
Admission controller should throw the following error, but the TLS error above is ceasing its functionality:
"Error from server: error when creating "def.yaml": admission webhook "net-attach-def-admission-controller-validating-config.k8s.io" denied the request: invalid config: error parsing configuration: invalid character 'a' looking for beginning of value"

Above has been analysed in the bug defined in Additional info

Additional info:
Check referenced BZ https://bugzilla.redhat.com/show_bug.cgi?id=1758702#c11
PR Ready: https://github.com/openshift/cluster-network-operator/pull/362
Verified on 4.3.0-0.nightly-2019-10-28-083944. Thanks for the fixes, this looks great now. multus ac now throwing expected errors without any tls errors

$ cat def.yaml
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: macvlan-bridge
spec:
  config: 'asdf'

$ oc create -f def.yaml
Error from server: error when creating "def.yaml": admission webhook "multus-validating-config.k8s.io" denied the request: invalid config: error parsing configuration: invalid character 'a' looking for beginning of value

$ cat def.yaml
apiVersion: "k8s.cni.cncf.io/v1"
kind: NetworkAttachmentDefinition
metadata:
  name: macvlan-bridge@$
spec:
  config: ''

$ oc create -f def.yaml
The NetworkAttachmentDefinition "macvlan-bridge@$" is invalid: metadata.name: Invalid value: "macvlan-bridge@$": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
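The two rejections in the verification comment above come from different checks: the metadata.name rule (using the regex quoted in the message) and the webhook's parse of spec.config. The Go sketch below is an added example, not code from this report or from the multus admission controller; the function names, the layer labels, the treatment of an empty config and the third (valid) sample are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Regex quoted in the rejection message above, anchored for a full match.
var dns1123 = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// checkName applies the DNS-1123 subdomain rule (253 is its length limit).
func checkName(name string) error {
	if len(name) == 0 || len(name) > 253 || !dns1123.MatchString(name) {
		return fmt.Errorf("metadata.name: Invalid value: %q", name)
	}
	return nil
}

// checkConfig is a hypothetical stand-in for the webhook's spec.config check.
// Assumption: an empty config is skipped; the report does not show that case.
func checkConfig(config string) error {
	if config == "" {
		return nil
	}
	var v map[string]interface{}
	if err := json.Unmarshal([]byte(config), &v); err != nil {
		return fmt.Errorf("invalid config: error parsing configuration: %v", err)
	}
	return nil
}

// validate runs the name check first, matching the output in the report,
// and returns which (hypothetically labelled) layer rejected the object.
func validate(name, config string) (string, error) {
	if err := checkName(name); err != nil {
		return "apiserver", err
	}
	if err := checkConfig(config); err != nil {
		return "webhook", err
	}
	return "", nil
}

func main() {
	// Constructed samples: the two def.yaml cases above plus one valid config.
	for _, s := range [][2]string{{"macvlan-bridge", "asdf"}, {"macvlan-bridge@$", ""},
		{"macvlan-bridge", `{"cniVersion":"0.3.1","type":"macvlan"}`}} {
		layer, err := validate(s[0], s[1])
		fmt.Printf("name=%q config=%q layer=%q err=%v\n", s[0], s[1], layer, err)
	}
}
```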
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0062