Virtual API resources (those representing operations on objects, rather than objects) should not have any admission webhooks configured to validate or mutate the API.
oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.10.0-0.nightly-2022-01-24-070025   True        False         7h12m   Cluster version is 4.10.0-0.nightly-2022-01-24-070025

Create a webhook that matches one of these resources.

cat webhook-config.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: "test-virtual-cfg"
webhooks:
- name: "test.virtual.com"
  rules:
  - apiGroups: ["authorization.k8s.io"]
    apiVersions: ["v1"]
    operations: ["*"]
    resources: ["subjectaccessreviews"]
    scope: "Namespaced"
  clientConfig:
    service:
      namespace: "example-namespace"
      name: "example-service"
  admissionReviewVersions: ["v1"]
  sideEffects: None
  timeoutSeconds: 5

oc apply -f webhook-config.yaml

kube-apiserver degraded when matched a virtual resource.

oc get co kube-apiserver -o yaml
status:
  conditions:
  - lastTransitionTime: "2022-01-25T13:45:32Z"
    message: |-
      ValidatingAdmissionWebhookConfigurationDegraded: test.virtual.com: unable to find find service example-service.example-namespace: service "example-service" not found
      VirtualResourceAdmissionDegraded: Validating webhook test.virtual.com matches a virtual resource subjectaccessreviews.authorization.k8s.io/v1
    reason: ValidatingAdmissionWebhookConfiguration_WebhookServiceNotFound::VirtualResourceAdmission_AdmissionWebhookMatchesVirtualResource
    status: "True"
    type: Degraded
Same has been done for MutatingAdmissionWebhookConfiguration

apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
  name: "test1-virtual-cfg"
webhooks:
- name: "test1.virtual.com"
  rules:
  - apiGroups: ["authorization.k8s.io"]
    apiVersions: ["v1"]
    operations: ["*"]
    resources: ["subjectaccessreviews"]
    scope: "Namespaced"
  clientConfig:
    service:
      namespace: "example-namespace"
      name: "example-service"
  admissionReviewVersions: ["v1"]
  sideEffects: None
  timeoutSeconds: 5

oc apply -f webhook-config.yaml

oc get co kube-apiserver -o yaml
  - lastTransitionTime: "2022-01-25T13:45:32Z"
    message: |-
      MutatingAdmissionWebhookConfigurationDegraded: test1.virtual.com: unable to find find service example-service.example-namespace: service "example-service" not found
      ValidatingAdmissionWebhookConfigurationDegraded: test.virtual.com: unable to find find service example-service.example-namespace: service "example-service" not found
      VirtualResourceAdmissionDegraded: Mutating webhook test1.virtual.com matches a virtual resource subjectaccessreviews.authorization.k8s.io/v1.
      VirtualResourceAdmissionDegraded: Validating webhook test.virtual.com matches a virtual resource subjectaccessreviews.authorization.k8s.io/v1
    reason: MutatingAdmissionWebhookConfiguration_WebhookServiceNotFound::ValidatingAdmissionWebhookConfiguration_WebhookServiceNotFound::VirtualResourceAdmission_AdmissionWebhookMatchesVirtualResource
    status: "True"
    type: Degraded
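The check reported in the VirtualResourceAdmissionDegraded condition above can be approximated offline as a pre-deployment audit. This is an added example, not the operator's own code and not part of the original comments; the VIRTUAL_RESOURCES list, the function names and the second sample webhook are assumptions (only subjectaccessreviews.authorization.k8s.io/v1 appears on this page).

```python
import json

# Assumed for illustration: virtual resources as (group, version, resource).
# Only subjectaccessreviews.authorization.k8s.io/v1 appears on this page.
VIRTUAL_RESOURCES = [
    ("authentication.k8s.io", "v1", "tokenreviews"),
    ("authorization.k8s.io", "v1", "localsubjectaccessreviews"),
    ("authorization.k8s.io", "v1", "selfsubjectaccessreviews"),
    ("authorization.k8s.io", "v1", "selfsubjectrulesreviews"),
    ("authorization.k8s.io", "v1", "subjectaccessreviews"),
]

def _in(patterns, value):
    """Rule fields are lists; "*" matches every value."""
    return "*" in patterns or value in patterns

def rule_hits(rule):
    """Virtual resources matched by one webhook rule."""
    resources = rule.get("resources", [])
    return [
        (g, v, r) for g, v, r in VIRTUAL_RESOURCES
        if _in(rule.get("apiGroups", []), g)
        and _in(rule.get("apiVersions", []), v)
        # "*/*" means all resources and their subresources
        and (_in(resources, r) or "*/*" in resources)
    ]

def find_virtual_matches(doc):
    """Scan one webhook configuration, or a List of them, given as parsed JSON."""
    findings = []
    for cfg in doc.get("items", [doc]):
        kind = "Mutating" if cfg.get("kind", "").startswith("Mutating") else "Validating"
        for hook in cfg.get("webhooks") or []:
            for rule in hook.get("rules") or []:
                for g, v, r in rule_hits(rule):
                    findings.append(f"{kind} webhook {hook['name']} matches a virtual resource {r}.{g}/{v}")
    return findings

# Constructed sample: the page's validating webhook plus a rule on ordinary objects.
SAMPLE = json.loads("""{"kind": "List", "items": [
 {"kind": "ValidatingWebhookConfiguration", "webhooks": [
  {"name": "test.virtual.com", "rules": [{"apiGroups": ["authorization.k8s.io"],
    "apiVersions": ["v1"], "operations": ["*"], "resources": ["subjectaccessreviews"]}]},
  {"name": "pods.example.com", "rules": [{"apiGroups": [""],
    "apiVersions": ["v1"], "operations": ["CREATE"], "resources": ["pods"]}]}]}]}""")

if __name__ == "__main__":
    for line in find_virtual_matches(SAMPLE):
        print(line)
```

To audit a live cluster, pass in the parsed output of `oc get validatingwebhookconfigurations,mutatingwebhookconfigurations -o json`. Wildcard rules are flagged as well, since a rule with "*" in every field also covers the virtual resources.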
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056